Windows Aero flaw in 64-bit Windows 7 and Server 2008 R2

Quinton Healy 19 May, 2010 at 3:17pm ET Article published in Tech

Microsoft yesterday released a Security Advisory warning users of a fatal flaw in a base driver essential to the operation of the 64-bit editions of Windows 7 and Windows Server 2008 R2.

Dubbed the “Canonical Display Driver,” the driver is used to run Aero, the glitzy user interface found in these OSes.

“The Canonical Display Driver is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing… If exploited, it would likely cause the affected system to stop responding and restart,” said Microsoft’s Jerry Bryant in a blog update.

“Code execution, while possible in theory, would be very difficult due to memory randomization both in kernel memory and via Address Space Layout Randomization (ASLR). Additionally, this vulnerability only affects Windows systems if they have the Aero theme installed; Aero is not switched on by default in Windows Server 2008 R2, nor does 2008 R2 include Aero-capable graphics drivers by default.”

Bryant went on to indicate that flaw probably isn’t a big deal, noting that Microsoft has awarded it a vulnerability rating of 3, lowest on the exploit scale. Further, there don’t seem to be any public exploits that target this particular flaw.

For now, if you are concerned with this breach, disable Windows Aero and wait for Microsoft to release a patch, likely arriving on June 8.

Comments

20 May 2010 ~ 10:43am QCH For Corp. IT folks, this is a worry. Hopefully Microsoft comes out with a patch in time for the June cycle.
20 May 2010 ~ 11:04am Snarkasm If you're running their Server offerings, you shouldn't be running Aero anyway (why bother?), and what companies are running Win7 x64 machines for their employees already? I wanna work there.
20 May 2010 ~ 11:24am _k We have one and should end up with a couple more by the end of the month. Our servers are still 2003.
20 May 2010 ~ 11:31am QCH We JUST approved limited rollout of Win7. There are almost 50 systems in our production domain. As for the Server 2008 R2 and Aero Glass. We have a few custom systems that run Server 2008 due to software requirements and are used by users daily. They run Aero.
20 May 2010 ~ 8:09pm sgoldman

QCH wrote:

We JUST approved limited rollout of Win7. There are almost 50 systems in our production domain. As for the Server 2008 R2 and Aero Glass. We have a few custom systems that run Server 2008 due to software requirements and are used by users daily. They run Aero.

I'm sorry to hear that.

I have a little over 50 systems in our domain as well. We have not gone to Windows 7 expressly for reasons such as this. You never know what may crop up in a new OS. Windows 7 is a great operating system, arguably one of the best they've come out with. To say it's an improvement over Vista is the understatement of the year. But it pays to wait.

We are currently testing 2008 to be deployed shortly in our environment but that's just for the new Group Policy Preferences, no worries about Aero there.
20 May 2010 ~ 10:31pm QCH We held off Vista because it sucks but we have a 5 year licensing agreement. We cannot wait specially with all the advantages Windows 7 offers for security and easy of deployment. This kind of problem/vulnerability is still being found in WinXP. WinXP will be coming to "End-of-life" before we know it.
21 May 2010 ~ 2:39am aussiebear WinXP SP3 is still going to be supported by Microsoft (Extended Support phase) until 8th April 2014.

It gives us just under 4 years to port all our applications to Red Hat Linux. (We're already 84% there!)
21 May 2010 ~ 9:01am sgoldman @GCH: If you have a license agreement that's moving you in that direction, I can certainly understand. As for XP's EOL, I'm not worried about that coming before we move everything over to Windows 7. We just won't be on that list of early adopters.
21 May 2010 ~ 11:46am QCH This place has always followed the "Wait until SP1 before even thinking allowing it in the Domain." The cost of deployment of WinXP is what is driving us. To maintain the old WinXP image with the multiple HALs and drivers and all that... a pain.

Windows 7 allows SCCM to deploy it and the maintenance of the "image" is so much less. We should be able to reduce the time and effort of deployment thus helping our Desktop Support group and their 2-3 week backlog. We could really start wiping and reinstalling in under a 1/2 day.

Troubleshooting stupid OS or application problems can be reduced, just wipe and reload. With WinXP, we are still seeing a full day turn around since each system must be visited. Win7 deployment can be done remotely. Maximize our staff... We'll take the little bumps in road from a 1 yr old OS instead of a ton of big bumps with keeping XP around.