Exploitability
In fact, exploiting this issue for code execution would be tricky. The attacker controls the content, size, and part of the destination of a memory overwrite. However, the attacker does not control the source pointer, so it is very difficult to exploit. With Address Space Layout Randomization (ASLR), it becomes even more difficult. So this one is likely to remain a potential denial-of-service vulnerability and less likely to result in code execution.
Attack Vectors
Since becoming aware of the forum discussions, we have been looking for ways to hit this vulnerability with Microsoft software. So far, we haven’t found a remote vector. We’re still looking and meanwhile managed to hit the vulnerable code by executing a specially-crafted program on a machine in the following configuration:
* Windows 7 X64 machine
* WDDM 1.1 capable video card (DirectX 10, DirectX 10.1, DirectX 11)
* Aero glass theme enabled
Therefore, a malicious attacker able to log on locally to a vulnerable machine matching the above criteria could run a malicious executable to trigger this issue. Users of third-party image viewers may also be affected when viewing an untrusted image locally on the machine with such a viewer.
Workaround
If you are concerned about this vulnerability, please temporarily disable the Aero glass theme on vulnerable Windows 7 X64 machines (Aero is not enabled in Windows Server 2008 R2). The advisory lists the steps to help you do so. You can safely re-enable the Aero desktop theme when the security update becomes available.
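For administrators who want to inventory which machines match the configuration described under Attack Vectors, and to confirm that the Aero workaround above is actually in effect, the following PowerShell script is an added example; it is not part of this post or of the Microsoft advisory. It checks the OS version and architecture through WMI and asks the Desktop Window Manager whether composition (the Aero glass theme) is on via the real `DwmIsCompositionEnabled` export of `dwmapi.dll`. It does not determine whether the video adapter is WDDM 1.1 capable; the adapter name and driver version are only reported for manual follow-up. The function and property names are this example's own.

```powershell
# Added example, not from the original post or the Microsoft advisory it references.
# Reports whether this host matches the configuration the post describes as reachable
# (Windows 7 x64 client, desktop composition/Aero enabled) so an administrator can
# inventory exposure and confirm that the Aero workaround has been applied.
# Assumption: WDDM 1.1 capability is NOT determined here; adapter details are informational.

Add-Type -Namespace Dwm -Name Api -MemberDefinition @'
[DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
'@

function Test-DesktopCompositionEnabled {
    # DwmIsCompositionEnabled returns an HRESULT; only S_OK (0) makes the out value valid.
    $enabled = $false
    $hr = [Dwm.Api]::DwmIsCompositionEnabled([ref]$enabled)
    if ($hr -ne 0) { throw ("DwmIsCompositionEnabled failed with HRESULT 0x{0:X8}" -f $hr) }
    return $enabled
}

function Get-AeroExposureReport {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -First 1

    # Version 6.1 is shared by Windows 7 and Windows Server 2008 R2; ProductType 1 means
    # workstation, which narrows this to Windows 7 (the server SKU does not run Aero anyway).
    $isWin7Client = ($os.Version -like '6.1.*') -and ($os.ProductType -eq 1)
    $is64Bit      = ($os.OSArchitecture -eq '64-bit')
    $aeroOn       = Test-DesktopCompositionEnabled

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        OSVersion             = $os.Version
        IsWindows7Client      = $isWin7Client
        Is64Bit               = $is64Bit
        CompositionEnabled    = $aeroOn
        VideoAdapter          = $gpu.Name
        VideoDriverVersion    = $gpu.DriverVersion
        # Every condition this script can check for the described configuration is met.
        MatchesAdvisoryConfig = ($isWin7Client -and $is64Bit -and $aeroOn)
        # Affected platform, but Aero is off: the workaround from the advisory is in effect.
        WorkaroundApplied     = ($isWin7Client -and $is64Bit -and (-not $aeroOn))
    }
}

Get-AeroExposureReport | Format-List
```

Run it in the interactive session of the logged-on user: DWM composition is a per-session setting, so a check made from a remote or service context reports on that context's session, not the desktop a user would actually open an untrusted image in. The property order in the output is not fixed on PowerShell 2.0, which is the version that ships with Windows 7.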