The MessageBox Vulnerability to Rain on Vista's Parade

Windows Vista is but hours away from its commercial release. And as the Microsoft countdown for the operating system approaches zero, the Redmond company will debut the celebration for the customer release of Windows Vista and the 2007 Office System. But one minor aspect will cloud Microsoft's otherwise clear sky, and even rain on Vista's parade.

It is a vulnerability discovered in December. According to McAfee's timeline tracking the evolution of the MessageBox vulnerability, exploit code was released on December 20, 2006. The immediate result of a successful exploit is a denial of service. The vulnerability affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista, allows for elevation of privilege and DoS attacks, and has received a threat rating of medium from McAfee.

Then, on December 20 and 21, technical exploitation information and general information about the vulnerability was publicly disclosed. On December 22, 2006, Microsoft, via the Security Response Center, confirmed the vulnerability and the fact that Windows Vista is affected. Towards the end of 2006, on December 29 and 31, proof-of-concept code for the MessageBox vulnerability was released. And then... nothing.

Microsoft failed to address the vulnerability in the Client/Server Run-Time Subsystem in the January 2007 monthly security bulletin release. “The Microsoft Windows MessageBox API allows for messages to be sent by non-interactive services to the Windows Client/Server Runtime Server Subsystem (CSRSS) to alert of an error. A vulnerability exists in Microsoft Windows Client/Server Runtime Server Subsystem (CSRSS) that may allow for a local denial of service or privilege escalation. The flaw lies in the processing of specially-crafted LPC requests which begin with a "\??\" or contain a "Device" ANSI string, sent by the MessageBox function. Code execution resulting from successful exploitation would be at SYSTEM level,” reads McAfee's description of the MessageBox vulnerability.
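The McAfee description above gives a service author one concrete thing to check while a fix is outstanding: text that a non-interactive service forwards to MessageBox should not begin with "\??\" or contain the ANSI string "Device". The helper below is an added example written for this page, not code from Softpedia, McAfee or Microsoft. It screens untrusted error text before a service would hand it to MessageBox, substituting a generic message and returning the reasons so the caller can write the original to its own log instead. The function names, the generic message, and the use of latin-1 as a stand-in for the Windows ANSI code page are all assumptions; the check is defence-in-depth for a service that displays attacker-influenced strings, not a replacement for the vendor patch.

```python
from typing import List, Tuple

# The two trigger patterns the article attributes to McAfee's description
# of the CSRSS flaw. Written as Python literals: a backslash, two question
# marks, a backslash; and the bare word "Device".
NT_OBJECT_PREFIX = "\\??\\"
DEVICE_TOKEN = "Device"

# What the service shows instead of an untrusted string that matches (assumption).
GENERIC_TEXT = "An error occurred. See the service log for details."


def risky_reasons(text: str) -> List[str]:
    """Return the reasons (empty list if none) that `text` matches the
    patterns the vulnerability description names."""
    reasons = []
    if text.startswith(NT_OBJECT_PREFIX):
        reasons.append("starts with NT object-manager prefix \\??\\")
    if DEVICE_TOKEN in text:
        reasons.append('contains "Device"')
    return reasons


def screen_messagebox_text(raw) -> Tuple[str, List[str]]:
    """Decide what text a service may pass to MessageBox.

    Accepts str or bytes (bytes model the ANSI MessageBoxA path and are
    decoded with latin-1 here as a stand-in for the real ANSI code page;
    that choice is an assumption). Returns (text_to_display, reasons).
    When `reasons` is non-empty the caller displays GENERIC_TEXT and logs
    the original string itself rather than forwarding it to CSRSS.
    """
    text = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    reasons = risky_reasons(text)
    return (GENERIC_TEXT if reasons else text), reasons


if __name__ == "__main__":
    # Constructed sample inputs, not strings from any real incident.
    samples = [
        "Disk full on drive D:",          # ordinary error text, passed through
        "\\??\\C:\\temp\\service.log",    # begins with the NT prefix
        b"Device not ready",              # ANSI bytes containing "Device"
    ]
    for s in samples:
        shown, why = screen_messagebox_text(s)
        print(repr(s), "->", repr(shown), why)
```

The screen is deliberately exact-match rather than case-insensitive, because the description names a specific ANSI string; a service that wants a stricter policy can extend `risky_reasons` without touching the call site.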

softpedia