1. 9

  2. 4

    More details about the exploit at: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/.

    Clearly there is a bug in the code, but more importantly, why is a font driver running in kernel mode? Would running the code in user space not reduce the effectiveness of the bug?

    1. 5

      History: Windows NT 3.51 had the Win32 stuff, as the primary subsystem, run in CSRSS, and Windows was good and like a microkernel. Enter Windows NT 4.0. The Win32 stuff was moved into a kernel driver called win32k.sys, to improve speed. (Printing was moved into the kernel as well.)

      To improve reliability and security, Windows since Vista has been undoing a lot of this. (Example: when GPU drivers crash, they can gracefully restart.)

      Note that I am not a Dave Cutler or Mark Russinovich, and as such, my knowledge of NT’s guts may be a bit off.