MoKB Hums Along with New Windows Kernel Flaw
The MoKB (Month of Kernel Bugs) project that launched Nov. 1 with an Apple Mac OS X Wi-Fi exploit continues to hum along, exposing serious kernel-level vulnerabilities in FreeBSD, Linux, Solaris and, of course, Windows.
The Nov. 6 entry -- titled Microsoft Windows kernel GDI local privilege escalation -- is particularly interesting, not for what it exposes, but for the way Microsoft handled the initial disclosure from Cesar Cerrudo, CEO of Argeniss Information Security, a well-respected research outfit in Argentina.

Cerrudo, who once told the story of a "dumb patch" from Microsoft, said he reported the kernel issue to Redmond on Oct. 22, 2004, more than two years ago, but it remains unpatched in Windows 2000 and Windows XP.
However, the bug was fixed in Windows Server 2003 and Windows Vista, suggesting it was not considered serious enough to warrant a separate security update for the older versions. Members of Microsoft's security response team have repeatedly told me that flaw reports get prioritized and many reported bugs get fixed in future OS or service pack releases rather than in security bulletins.
Here's how Cerrudo describes the flaw on the MoKB release page:
Microsoft Windows GDI kernel data structures are mapped on a global shared memory section that is created automatically in any Windows process that uses GDI objects (processes with a GUI, etc.). This section is mapped as read-only, but any process can re-map it as read-write (by default this kernel shared section has read, write and execute permissions), thus processes can write to this section, overwriting the GDI kernel data structures and causing a denial of service (BSoD) / crashing Windows. If certain selected data structures are overwritten with specific data it is possible to perform arbitrary code execution.
Sounds rather serious, although these privilege escalation issues typically get downplayed. Now that the exploit code is publicly available, it would be interesting to see if Microsoft sees fit to reprioritize.
Or will they wait to be burned by a code execution flaw that was mistakenly treated as a low-priority denial-of-service issue?
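Cerrudo's description above turns on one point: a read-only view of shared memory protects nothing if the underlying object can be reopened with write access. The following is an added illustration, not code from MoKB, Argeniss or Microsoft; it uses a POSIX file mapping on Linux as an analogue for the Windows section, and the temp-file name and the "remove the name after mapping" hardening are assumptions of the analogue, not a description of Microsoft's fix.

```c
/* Added illustration (not from the MoKB entry): a POSIX analogue of the
 * GDI shared-section problem. A read-only view is no protection when the
 * backing object itself can be reopened for writing. A temp file under
 * /tmp plays the "shared section"; the second open stands in for the other
 * process that re-maps it read-write. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define SECTION_SIZE 4096

/* Create the "section", map a read-only view, then reopen the backing
 * object read-write and modify it through a second mapping.
 * Returns 1 if the read-only view observed the change (object writable
 * despite the read-only view), 0 if the reopen was refused.
 * hardened: drop the name right after mapping so it cannot be reopened. */
static int readonly_view_is_bypassable(int hardened) {
    char path[] = "/tmp/mokb_demo_XXXXXX";        /* constructed sample name */
    int fd = mkstemp(path);
    if (fd < 0 || ftruncate(fd, SECTION_SIZE) < 0) { perror("create"); exit(1); }

    /* The "kernel" hands out a read-only view, as with the GDI section. */
    const char *view = mmap(NULL, SECTION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    if (view == MAP_FAILED) { perror("mmap ro"); exit(1); }
    close(fd);
    if (hardened) unlink(path);                  /* nothing left to reopen */

    /* The "other process": reopen the same object with write access. */
    int changed = 0;
    int wfd = open(path, O_RDWR);
    if (wfd >= 0) {
        char *rw = mmap(NULL, SECTION_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, wfd, 0);
        if (rw != MAP_FAILED) {
            memcpy(rw, "overwritten", 12);       /* clobber the "kernel structure" */
            changed = (strcmp(view, "overwritten") == 0); /* seen via read-only view */
            munmap(rw, SECTION_SIZE);
        }
        close(wfd);
    }
    munmap((void *)view, SECTION_SIZE);
    if (!hardened) unlink(path);
    return changed;
}

int main(void) {
    printf("object reopenable for write: bypassable=%d\n", readonly_view_is_bypassable(0));
    printf("name removed after mapping:  bypassable=%d\n", readonly_view_is_bypassable(1));
    return 0;
}
```

The first call shows the write landing in the read-only view because both mappings share the same pages; the second shows that the protection has to live on the object, not on the view.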

Comments (2)
Is it OK to link to exploit code? Your thoughts?
_ryan
Posted by Ryan Naraine | November 9, 2006 3:17 PM
I want to see the commercial redone. The nerd comes in with tattered clothes and his head almost bald. The hipster approaches laughing, "PC!, you look beat. Sup, dude?"
Nerd: "It's the speed." He races around the screen; up and left, and down, and right, and back, with even more hair gone.
So Mac tries to counter this. He moves in "Slo-Mo," saying "I'm fast" [voice gets deeper,] "__ go fix a KNOWN bug." The slo-mo is slower and voice deeper as he says, "S s sp e e e e e d ________ Ma t t e r s."
I'd even like the real truth told, that underneath his outer surface of pizzazz, he is really a hollow person. So he moves off stage and the skin peels away to show a puff of smoke. On the inside he is just a blown-out candle, or like last month's campfire.
erny
Posted by Erny Rarres | January 19, 2007 12:30 PM