SYSRET 64-bit OS Privilege Escalation Vulnerability On Intel CPU Hardware

CERT reported that:

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

That last bit is the piece that should concern you. Microsoft responded with one of this month’s Patch Tuesday updates (thanks to Patrick Lownds for the link). MS12-042 fixes this issue and is distributed through the normal Windows Updates catalogue.

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating factors for user mode scheduler memory corruption vulnerability:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
  • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

Update your servers, including Hyper-V hosts, with this update. System Center 2012 VMM will automate this for you if you have it and have configured the updates feature.
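
One way to check which hosts fall inside the scope given by the mitigating factors above, and whether they already have the update, shown as an added PowerShell example that is not part of the original post. The `-KbId` value is an assumption left to the reader: take the KB article ID for your OS from the MS12-042 bulletin.

```powershell
# Added example (not from the original post): triage hosts against the
# scope stated in the mitigating factors and check for the MS12-042 update.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Assumption: the KB article ID listed for your OS in MS12-042.
    [Parameter(Mandatory = $true)][string]$KbId
)

foreach ($computer in $ComputerName) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $computer -ErrorAction Stop |
               Select-Object -First 1
    } catch {
        # An unreachable host is unknown, not safe: report it and move on.
        Write-Warning "$computer : WMI query failed: $($_.Exception.Message)"
        continue
    }

    # Scope per the post: Intel CPU, x64, Windows 7 / Server 2008 R2 (both NT 6.1).
    $isIntel = $cpu.Manufacturer -eq 'GenuineIntel'
    $isX64   = $cpu.AddressWidth -eq 64
    $isNt61  = $os.Version -like '6.1.*'
    $inScope = $isIntel -and $isX64 -and $isNt61

    # Hyper-V hosts run the Virtual Machine Management service (vmms);
    # flag them so they can be patched first (guest-to-host escape risk).
    $isHyperV = [bool](Get-Service -Name vmms -ComputerName $computer -ErrorAction SilentlyContinue)

    # Get-HotFix returns nothing when the update is absent.
    $patched = [bool](Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction SilentlyContinue)

    $action = 'None'
    if ($inScope -and -not $patched) { $action = 'Install update' }

    New-Object PSObject -Property @{
        Computer   = $computer
        OS         = $os.Caption
        CPU        = $cpu.Manufacturer
        InScope    = $inScope
        HyperVHost = $isHyperV
        Patched    = $patched
        Action     = $action
    } | Select-Object Computer, OS, CPU, InScope, HyperVHost, Patched, Action
}
```

`Get-WmiObject` is used because it is available in the Windows PowerShell versions that ship with Windows 7 and Windows Server 2008 R2. A `Patched` value of `False` on a host where the hotfix query itself was blocked should be verified by hand.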
