Intel issued an important security patch Monday for a vulnerability that could allow hackers to execute arbitrary code on targeted systems running Windows 7. The bug, located in Intel’s HD graphics Windows kernel driver, leaves affected systems open to a local privilege escalation attacks that could give criminals the ability take control of targeted systems.
Specifically impacted, according to Intel, are users of Intel Graphics Driver for Microsoft Windows prior to March 28, 2016. Intel describes the flaw as one which, if exploited, “would directly impact the confidentiality, integrity or availability of user’s data or processing resources.”
Intel has issued a patch for the bug. The vulnerability is tied to a NT Virtual DOS Machine (NTVDM) subsystem component within Windows that allows computers to support legacy applications. Most seriously impacted are users of Windows 7, still the most dominant version of Windows with 49 percent of computers running the OS, according to Net MarketShare data.
The vulnerability (CVE-2016-5647) was discovered by Cisco Talos researcher Piotr Bania, who privately disclosed to Intel on July 3. Intel issued a patch for the vulnerability on July 10. Cisco Talos publicly disclosed the vulnerability on Monday.
“This vulnerability can be triggered by sending a specially crafted D3DKMTEscape request to the Intel HD Graphics driver, resulting in a NULL dereference,” according to a Cisco Talos technical description of the bug.
Cisco Talos said that Windows 8 and Windows 10 systems are also impacted, in that an attacker could crash (denial of service) those system, but would not be able to execute arbitrary code as with Windows 7 systems and prior versions of Windows.
“To achieve arbitrary code execution, an adversary would need the ability to allocate or map the NULL page in Windows. When a NULL dereference occurs in kernel space, the user-mode application that caused a context switch is still mapped in lower memory. An attacker can take advantage of this and map the NULL page before triggering the vulnerability to control the contents of the dereference. In this case, the user-controlled value could be a function pointer and lead to arbitrary code execution,” according to Cisco Talos.
Cisco Talos said that with Windows 7 and earlier, “it is possible to allocate or map the NULL page through the use of the NTVDM subsystem.” The NTVDM, a Windows service that helps run older programs, was removed starting with Windows 8 in attempt to mitigate local EoP attacks. However, Cisco Talos note that Intel’s remedy to fix NTVDM is not foolproof, and another driver could possibly be manipulated into placing user controlled data at the NULL page.
