While a vulnerability does exist in the latest Windows client and server platforms with Aero enabled, actually getting exploit code to work and performing successful attacks are not likely to happen. Microsoft downplayed the risk users of Windows 7 64-bit, Windows Server 2008 R2 for 64-bit systems and Windows Server 2008 R2 Itanium systems were exposed to, indicating that the new zero-day, for which details had been disclosed in the wild, was extremely hard to exploit. At the same time, the Redmond company underlined that it was not aware of any attacks targeting the flaw, or of exploit code capable of reaching execution.
Jerry Bryant, group manager, Response Communications, Microsoft, revealed that the new security hole resided in the Windows Canonical Display Driver (cdd.dll). Microsoft has already published Security Advisory 2028859, informing customers of the issue and offering advice on how to stay protected until a patch is offered.
“We are not aware of any customer impact at this time. Our current investigation shows that if exploited, the vulnerability could cause the affected system to stop responding and restart. Code execution, while possible in theory, would be very difficult due to memory randomization both in kernel memory and via Address Space Layout Randomization (ASLR). As a result, we are assigning this issue an Exploitability Index rating of ‘3,’ as we feel the development of reliable exploit code is not likely,” Bryant told pctipsbox.
Customers can turn to Security Advisory 2028859 in order to access the workarounds detailed by Microsoft that will help them protect their systems against potential exploits. Obviously, disabling Windows Aero will render any exploits useless. The zero-day only affects Windows systems with Aero enabled. In this context, customers running Windows Server 2008 R2 enjoy an extra mitigation, as Aero is not switched on by default, and the platform doesn’t feature Aero-capable graphics drivers.
“Microsoft is currently working to develop a security update to address this vulnerability and will release the update once testing is complete. In the meantime, customers can help protect themselves against potential threats by disabling Windows Aero. With Windows Aero disabled, the path by which cdd.dll can be exploited is bypassed. Please see the advisory for more information on disabling Windows Aero,” Bryant added.