Intel HD Graphics vulnerability enables arbitrary code execution in Windows 7 and earlier

A vulnerability in Intel's HD Graphics processors can lead to arbitrary code execution on machines running Windows 7 and earlier, and computer crashes in machines operating on Windows 8 and up.

A vulnerability in the Windows kernel driver that operates Intel's HD Graphics integrated graphics processor could allow a bad actor to either execute arbitrary code or crash the affected device.

Designated as CVE-2016-5647 or TALOS-2016-0087, the flaw specifically resides in the driver's D3DKMTEscape function, which allows programs to communicate and exchange data with the display miniport driver. According to a blog post from Cisco's Talos research division, an attacker sending a maliciously crafted request to the Intel HD Graphics driver can trigger a NULL pointer dereference in kernel space. The bad actor can then control the contents read through that dereference, which sometimes contain values or pointers that lead to arbitrary code execution on Windows 7 and earlier versions.

Windows 8 and later are not affected as severely, due to certain programming upgrades designed to mitigate this kind of attack. However, updating a machine's operating system is still not a perfect solution, because the computer can still crash from the exploit, resulting in a denial of service.
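The bug class described above, shown as an added example in constructed C that simulates an escape handler in user space; this is not Intel's driver code and the names (gfx_context, escape_request, context_table) are assumptions made for illustration. The vulnerable shape uses a caller-selected table entry without checking it for NULL; the hardened shape validates the index and rejects empty slots before reading anything through the pointer.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed simulation of a kernel escape handler; not Intel's driver code. */
#define STATUS_SUCCESS            0x00000000U
#define STATUS_INVALID_PARAMETER  0xC000000DU
#define MAX_CONTEXTS 4

/* Per-context object whose function pointer the handler calls. */
typedef struct {
    uint32_t (*dispatch)(uint32_t arg);
} gfx_context;

/* Escape payload as the (simulated) user program supplies it. */
typedef struct {
    uint32_t context_id;  /* caller-chosen index into the context table */
    uint32_t arg;
} escape_request;

static uint32_t echo_dispatch(uint32_t arg) { return arg ^ 0xFFFFFFFFU; }
static gfx_context ctx0 = { echo_dispatch };
/* Slots 1..3 are intentionally unpopulated: a lookup there yields NULL. */
static gfx_context *context_table[MAX_CONTEXTS] = { &ctx0, NULL, NULL, NULL };

/* Vulnerable shape: the table entry is used without a NULL check, so a
   request naming an empty slot reads a function pointer through a NULL
   context pointer.  Where user mode can map the null page (Windows 7 and
   earlier), that read is attacker controlled; elsewhere it simply faults. */
uint32_t escape_vulnerable(const escape_request *req) {
    gfx_context *ctx = context_table[req->context_id % MAX_CONTEXTS];
    return ctx->dispatch(req->arg);          /* NULL dereference when ctx == NULL */
}

/* Hardened shape: validate the index and reject empty slots before
   touching anything reachable through the caller-chosen value. */
uint32_t escape_hardened(const escape_request *req, uint32_t *result) {
    if (req == NULL || result == NULL || req->context_id >= MAX_CONTEXTS)
        return STATUS_INVALID_PARAMETER;
    gfx_context *ctx = context_table[req->context_id];
    if (ctx == NULL || ctx->dispatch == NULL)
        return STATUS_INVALID_PARAMETER;     /* empty slot: fail closed */
    *result = ctx->dispatch(req->arg);
    return STATUS_SUCCESS;
}
```

Only escape_hardened is safe to call with an empty slot; escape_vulnerable is present to show the defect and will fault on such a request.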

Fortunately, Talos has noted that exploitation of the flaw is “limited to local context, such as a user executing a binary designed to exploit a system affected by TALOS-2016-0087.”

Even though the threat normally requires local access to be exploited, “It is possible that the user can be convinced into running that executable either by receiving the executable in an email message or downloading it from a website,” Earl Carter, security research engineer, Cisco Talos, noted in an email interview with SCMagazine.com. “But the execution still needs to be initiated on the local system.”

Cisco initially notified Intel of the vulnerability in March 2016.
