The CSRSS Bug and Vista

Created: 05 Jan 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:53:46 GMT
With the public advisory by Determina about a double-free bug in a CSRSS message function, the immediate question was: does it really affect Vista? The short answer is "yes, but not reliably." Arbitrary code execution is possible, but requires a great deal of luck, though a denial of service is definitely possible.

Why the fuss? Simply put, successful exploitation of the bug allows even the most restricted user-mode application to elevate its privileges to the System level. From there, the kernel is accessible even on Vista. Even without entering the kernel, System-level privileges allow almost complete control of the system, so the possibilities are limited only by the imagination.

Of course, that the bug isn't reliable on Vista doesn't mean that everyone can relax. The bug does affect earlier versions of Windows, where arbitrary code execution is far easier to achieve. Is it likely to be exploited? Oh yes. Not such a happy New Year.