Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
MS09-065 is not categorized as a virus, worm, Trojan or backdoor. It is a group of critical vulnerabilities in the Windows kernel-mode drivers on Windows Server 2008/Vista/2003/XP/2000 computers, which allow arbitrary code to be executed remotely on the vulnerable computer and local privileges to be escalated.
The kernel is the core of the operating system and provides basic services for all other parts of the operating system. Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem.
The addressed vulnerabilities are:
- Win32k NULL Pointer Dereferencing vulnerability: this elevation of privilege vulnerability occurs because the Windows kernel does not properly validate an argument passed to a system call.
- Win32k Insufficient Data Validation vulnerability: this elevation of privilege vulnerability occurs because the Windows kernel-mode drivers do not properly validate input passed from user mode through the kernel component of GDI. GDI (Graphics Device Interface) allows applications to use graphics and formatted text on the video display and the printer.
These two vulnerabilities allow an attacker to gain unauthorized privileges on a computer or network. An example of privilege elevation would be an unprivileged user who manages to be added to the Administrators group. In that case, the hacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.
They are usually exploited by running a specially crafted program on the vulnerable computer. In order to do so, a hacker must be able to log on locally to the system.
- Win32k EOT Parsing vulnerability: this remote code execution vulnerability occurs because the Windows kernel-mode drivers do not properly parse font code when building a table of directory entries.
If exploited successfully, MS09-065 allows hackers to gain remote control of the affected computer with the same privileges as the logged-on user. If this user has administrator rights, the hacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.
This vulnerability is usually exploited by creating a Word or PowerPoint document that contains a specially crafted embedded EOT font and sending it in an email message to a vulnerable computer. It can also be exploited by creating a website that contains specially crafted embedded fonts and enticing users to visit it. The link to the website can be distributed by different means, such as email or instant messages.
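The EOT parsing flaw above is described as a failure to validate font data while building the table of directory entries. As an added illustration (not Panda's or Microsoft's code, and not the actual bug), this Python validator shows the bounds checks a careful parser applies to the TrueType/OpenType table directory inside an embedded font before trusting any entry; the font blobs it checks are constructed samples.

```python
import struct

SFNT_VERSIONS = {0x00010000, 0x4F54544F}  # TrueType 1.0 and 'OTTO' (CFF-based)
DIR_ENTRY_SIZE = 16                       # tag, checksum, offset, length

def parse_table_directory(data: bytes) -> list:
    """Return [(tag, offset, length), ...] for a well-formed sfnt blob.
    Raise ValueError rather than build an entry that points outside the data."""
    if len(data) < 12:
        raise ValueError("truncated offset table")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08x" % version)
    # Check that the whole directory fits BEFORE trusting numTables
    dir_end = 12 + num_tables * DIR_ENTRY_SIZE
    if num_tables == 0 or dir_end > len(data):
        raise ValueError("numTables %d does not fit in %d bytes" % (num_tables, len(data)))
    entries, seen = [], set()
    for i in range(num_tables):
        pos = 12 + i * DIR_ENTRY_SIZE
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[pos:pos + DIR_ENTRY_SIZE])
        # Each table must lie after the directory and end inside the file
        if offset < dir_end or offset + length > len(data):
            raise ValueError("table %r [%d, %d) lies outside the font data" % (tag, offset, offset + length))
        if tag in seen:
            raise ValueError("duplicate table %r" % tag)
        seen.add(tag)
        entries.append((tag.decode("latin-1"), offset, length))
    return entries

def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True only if every directory entry passes the checks."""
    try:
        parse_table_directory(data)
        return True
    except ValueError:
        return False

def build_font(tables):
    """Constructed helper: pack (tag, payload) pairs into a minimal sfnt blob."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    offset = 12 + len(tables) * DIR_ENTRY_SIZE
    directory, body = b"", b""
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + directory + body

GOOD_FONT = build_font([(b"head", b"\x00" * 54), (b"name", b"constructed")])
# Constructed malformed sample: numTables claims 4000 entries in a 28-byte blob
BAD_COUNT = struct.pack(">IHHHH", 0x00010000, 4000, 0, 0, 0) + b"\x00" * 16
# Constructed malformed sample: one entry whose offset+length runs past the end
BAD_BOUNDS = struct.pack(">IHHHH", 0x00010000, 1, 0, 0, 0) + struct.pack(">4sIII", b"glyf", 0, 28, 0x7FFFFFFF)
```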
If you have a Windows Server 2008/Vista/2003/XP/2000 computer, it is recommended to download and apply the security patch for these vulnerabilities.
Bear in mind that this security patch replaces a previous one, called MS09-025.