UPDATE – Microsoft this week patched a vulnerability in the FASTFAT driver that interacts with FAT32 disk partitions, closing a privilege escalation and code execution hole in Windows Server 2003, Windows Vista and Windows Server 2008.
But what about Windows 7 and later versions of the OS, you may ask? Granted, newer Windows releases lean toward NTFS as the file system format, but FAT32 is still an available option in all supported versions. Would newer versions be vulnerable too?
As it turns out, according to researchers at BeyondTrust, Microsoft had already silently patched what turned out to be MS14-063 in Windows 7, Windows 8 and 8.1, and apparently left older versions exposed for at least five years. That means well-resourced attackers have had quite a window of opportunity available to them to exploit what turns out to be a noteworthy memory corruption issue.
The vulnerability picks up additional significance in that it can be most easily exploited via USB drives, which are often formatted for FAT32. Should an attacker manage to load a malicious FAT file onto a USB stick and get someone to use the removable drive, they’d be able to exploit the bug.
“In the FAT format, you can rewrite parts of it that lead to memory corruption so that when you stick a USB in a computer regardless of whether it’s locked, you can corrupt memory and execute code,” said BeyondTrust chief technology officer Marc Maiffret. “It’s a nasty bug. There’s a bit of nuance here in that it’s not a USB vulnerability, but if you were going to deliver a corrupted FAT file, you would do it through USB.”
Microsoft refused a request to comment on this story. Microsoft patched the vulnerability, CVE-2014-4115, this week after it was reported privately by Cisco researcher Marcin Noga.
Maiffret walks through the process BeyondTrust researchers used to locate the problem code: comparing an unpatched version of fastfat.sys on Windows Server 2003 R2 against the patched one released this week. The lingering question, however, was why Windows 7 was immune. A quick comparison there turned up what was likely the same fix, but this one was signed in 2009.
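For administrators who want to know which FASTFAT build a host is actually running before and after applying the update, the following PowerShell inventory check is an added example (not from the article or from BeyondTrust). It assumes the driver lives at the default path under System32\drivers and that the host can run Get-AuthenticodeSignature; the signing time itself is not exposed by that cmdlet, so the signer certificate's validity start is reported only as a rough clue.

```powershell
# Added example: report the installed fastfat.sys version and its Authenticode
# signer so the result can be compared with the build shipped for MS14-063.
# Written for PowerShell 2.0 compatibility so it also runs on older hosts.
$driver = Join-Path $env:SystemRoot 'System32\drivers\fastfat.sys'  # assumed default path
if (-not (Test-Path $driver)) { throw "fastfat.sys not found at $driver" }

$item = Get-Item $driver
$sig  = Get-AuthenticodeSignature -FilePath $driver

$report = New-Object PSObject -Property @{
    Path            = $driver
    FileVersion     = $item.VersionInfo.FileVersion
    ProductVersion  = $item.VersionInfo.ProductVersion
    LastWriteUtc    = $item.LastWriteTimeUtc
    SignatureStatus = $sig.Status            # expect 'Valid' for a Microsoft-signed driver
    Signer          = $sig.SignerCertificate.Subject
    SignerNotBefore = $sig.SignerCertificate.NotBefore  # rough clue to signing era, not the timestamp
}
$report | Format-List

# Flag anything that is not a validly signed driver: a tampered or
# unsigned fastfat.sys deserves investigation regardless of patch level.
if ($sig.Status -ne 'Valid') {
    Write-Warning "fastfat.sys signature status is '$($sig.Status)'; verify the file before trusting its version."
}
```

Run the check once before and once after installing the update and compare the FileVersion values; the Windows 7 build Maiffret examined would show a 2009-era signer, while Server 2003, Vista and 2008 only get the corrected driver with this week's release.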
“The worry is that Cisco found the vulnerability and responsibly reported it to Microsoft and it was fixed. From the research side, there’s no comparison [in resources] to some governments and defense contractors looking at these vulnerabilities. There’s always the worry that it’s been there for many years and should have been taken care of.”
This isn’t the first time Maiffret has done research in this area. In 2006 at Black Hat Europe while at eEye, Maiffret and colleagues Steve Manzuik and Andre Protas presented about similar silent fixes in Microsoft products.
Maiffret urges enterprises running Windows to push resources toward running the latest major release from Microsoft, whether it’s Windows, Office or Internet Explorer. To back that up, Maiffret shared research that showed that for much of 2013 and part of 2014, 30 percent of vulnerabilities in Windows 7, IE10 and/or Office 2010 were exploited, compared to five percent of vulnerabilities in Windows 8, IE11 and Office 2013.
“It is so important for security people to understand when protecting a Windows environment that one of the single best things you can do to measurably improve your security is simply making sure you are running the latest major released versions of Microsoft software,” Maiffret said. “Windows 8 vs. 7 and XP; Office 2013 vs. 2010; IE 11 vs. 10/9/8 etc… These upgrades are not simply IT line item budgets but equally security ones.”
This article was updated at 6:15 p.m. ET to reflect that Microsoft refused to comment.