Google Reveals Windows Flaw That Gives Access To Kernel Memory, As Microsoft Didn't Fix It



For the past few months, Google has been notoriously revealing flaws in other companies' software, especially Microsoft. Last month, it discovered a "crazy bad" vulnerability in Windows, and in November 2016, it disclosed a potential exploit in the operating system just 10 days after telling Microsoft, for which it received a lot of backlash. There have been numerous other similar incidents as well.

Now, the company has disclosed yet another security flaw in Windows which allows access to kernel memory.




The exploit was reported back in March 2017 as a part of Google's Project Zero program - which not only discloses bugs in other companies' software but in Google's own as well - and was actually fixed in June's Patch Tuesday, according to Microsoft. This fix was delivered after Microsoft requested an extension past Google's standard 90-day deadline. However, Google now states that the issue wasn't fixed correctly, and as such, the bug has been made public again. According to the company, Microsoft has confirmed this as well.


The vulnerability allows anyone to access kernel memory. The nt!NtNotifyChangeDirectoryFile system call in Windows reportedly allows people in user-mode to view and access uninitialized pool memory due to output structure alignment holes. Google demonstrates that:

--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ................
--- cut ---

Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a list of FILE_NOTIFY_INFORMATION structures [1]. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the end of the FileName string and the beginning of the adjacent FILE_NOTIFY_INFORMATION structure, if that string is of an odd length (and therefore not 4-byte aligned).

The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region [...]

Google claims that repeatedly triggering the vulnerability allows locally authenticated attackers to "defeat certain exploit mitigations (kernel ASLR)" and to read other portions of the kernel address space.

Google says that Microsoft has informed it that the vulnerability can be reproduced on machines running on Windows 7 through Windows 10. A fix is expected in next month's Patch Tuesday or in August. Until then, the severity of the exploit has been marked as "Medium".



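The leak described in the post comes from a serializer that writes variable-length records into a caller-visible buffer and never touches the padding between one record and the next. The following C program is an added example, not Project Zero's proof-of-concept or any Microsoft code: it mirrors the FILE_NOTIFY_INFORMATION layout (12-byte header, UTF-16 FileName, 4-byte aligned entries), shows why a name with an odd number of characters leaves a 2-byte hole, and reproduces in user space the check that Special Pools performs in the kernel: pre-fill the buffer with a marker, run the producer, and count marker bytes that survive inside the region the producer hands back. All function names (fni_*) and the sample names "a" and "bc" are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout mirrors Win32's FILE_NOTIFY_INFORMATION: a 12-byte header followed by
 * a UTF-16 FileName that is not NUL-terminated. Each entry in the output list
 * starts at a 4-byte aligned offset, so a name with an odd number of WCHARs
 * leaves a 2-byte hole before the next entry. Names here are hypothetical. */
#define FNI_HEADER_SIZE 12u

typedef struct {
    uint32_t next_entry_offset;  /* 0 for the last entry */
    uint32_t action;             /* e.g. FILE_ACTION_ADDED == 1 */
    uint32_t file_name_length;   /* in bytes */
} fni_header;

/* Padding bytes between the end of FileName and the next aligned entry. */
static size_t fni_padding_bytes(size_t name_chars)
{
    size_t end = FNI_HEADER_SIZE + name_chars * sizeof(uint16_t);
    return (4 - end % 4) % 4;
}

/* Total bytes one entry occupies in the list, padding included. */
static size_t fni_entry_size(size_t name_chars)
{
    return FNI_HEADER_SIZE + name_chars * sizeof(uint16_t) + fni_padding_bytes(name_chars);
}

/* Producer side: write a list of entries into `out`. With zero_holes == 0 the
 * alignment holes keep whatever the buffer held before (the bug class in the
 * report); otherwise they are explicitly zeroed. Returns bytes used, or 0 if
 * the buffer is too small. */
static size_t fni_serialize(uint8_t *out, size_t cap,
                            const uint16_t *const *names, const size_t *name_chars,
                            size_t count, int zero_holes)
{
    size_t off = 0;
    for (size_t i = 0; i < count; i++) {
        size_t size = fni_entry_size(name_chars[i]);
        if (off + size > cap)
            return 0;
        fni_header h = {
            .next_entry_offset = (i + 1 < count) ? (uint32_t)size : 0u,
            .action = 1u,
            .file_name_length = (uint32_t)(name_chars[i] * sizeof(uint16_t)),
        };
        memcpy(out + off, &h, FNI_HEADER_SIZE);
        memcpy(out + off + FNI_HEADER_SIZE, names[i], h.file_name_length);
        if (zero_holes)
            memset(out + off + FNI_HEADER_SIZE + h.file_name_length, 0,
                   fni_padding_bytes(name_chars[i]));
        off += size;
    }
    return off;
}

/* Harness side, modelled on what Special Pools does for kernel allocations:
 * fill the buffer with a marker before the producer runs, then count marker
 * bytes inside the region the producer reports as output. Two different fills
 * are used so a legitimately written byte that happens to equal one marker is
 * not miscounted. Returns the number of bytes the caller would receive
 * uninitialized, or (size_t)-1 on a harness error. */
static size_t fni_leak_check(int zero_holes)
{
    /* Constructed sample input: an odd-length name (leaves a hole) and an even one. */
    static const uint16_t name_a[] = { 'a' };
    static const uint16_t name_bc[] = { 'b', 'c' };
    const uint16_t *const names[] = { name_a, name_bc };
    const size_t chars[] = { 1, 2 };

    uint8_t buf1[64], buf2[64];
    memset(buf1, 0xff, sizeof buf1);
    memset(buf2, 0xaa, sizeof buf2);
    size_t used1 = fni_serialize(buf1, sizeof buf1, names, chars, 2, zero_holes);
    size_t used2 = fni_serialize(buf2, sizeof buf2, names, chars, 2, zero_holes);
    if (used1 == 0 || used1 != used2)
        return (size_t)-1;

    size_t leaked = 0;
    for (size_t i = 0; i < used1; i++)
        if (buf1[i] == 0xff && buf2[i] == 0xaa)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("padding after a 1-char name: %zu bytes\n", fni_padding_bytes(1));
    printf("leaked bytes, holes left alone: %zu\n", fni_leak_check(0));
    printf("leaked bytes, holes zeroed:     %zu\n", fni_leak_check(1));
    return 0;
}
```

The two leaked bytes land at offsets 14 and 15 of the first entry, exactly where the shadow dump in the post shows ff ff. The same marker-fill technique works for any serializer that hands variable-length records across a trust boundary: run it under two fill patterns and treat any byte that equals the marker both times as uninitialized output.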

So much for Microsoft patches/updates and the most secure (ROTFLMAO) Windows OS ever. If Microsoft can't even patch their own software correctly, what sense is there in even applying the updates? The June updates were junk, and we were told by a Microsoft rep not to install them, that they would release new updates on 27 June, which we still haven't received. Susan Bradley published that information about a week after the updates were originally released, which was too late for most people. I wouldn't blame Google for ratting out Microsoft. If Microsoft can't get its act together, then it needs to go away. Which it may anyway, since they have started to embrace Linux more in the last 6 months. Can you imagine Windows running on top of FreeBSD or a version of Linux (Debian?) like MacOSX, which is on FreeBSD?
