Start Me Up Posted Friday at 08:42 AM (edited)

Hello Windows 2000 fans,

when using vanilla Windows 2000 with a rather new version of win32k.sys, there is a bug in the function "fsg_RunPreProgram" which reduces the drawing quality of some fonts. This bug was fixed with the version 5.00.2195.7610 by Microsoft. However, it was reintroduced into the operating system shortly afterwards, so it still exists in the newest version of win32k.sys (5.00.2195.7640).

To fix this bug there are 2 ways:

- Use Extended Kernel 3.1H or newer. Blackwingcat fixed this bug.
- If you don't like or can't install Extended Kernel, there is now a second option available: WINDOWS2000-OTSKB3037639-V1-X86-INTL.exe

There is an article in the knowledge database available with more information on the nature of this bug.

There is some more auxiliary information available, which I do not plan to distribute among end users: code.htm

---

If someone likes to help with an upcoming Windows 2000 update: I am looking for Windows XP updates which contain a version of win32k.sys. My list of known updates is currently pretty short:

KB3013455 contains version 5.1.2600.6712
KB3034344 contains version 5.1.2600.6755
KB4039384 contains version 5.1.2600.7334

Thank you.

Edited Friday at 08:44 AM by Start Me Up

NotHereToPlayGames Posted Friday at 01:31 PM

I have at least ONE in your list. BUT please note that I did not do XP Updates in the past by way of KB....... files. I slipstreamed from well-known Update Packs so I technically have this/these as a "WIN32K.SY_" file inside an XP install disk's "I386" folder. It's just a zip-compressed "win32k.sys" so 'inside' is the untouched file embedded inside an Update Pack.

NotHereToPlayGames Posted Friday at 01:38 PM

ie, will the win32k.sys file get you what you need? or is the KB....... that it was pulled from required?

Start Me Up (Author) Posted Friday at 01:41 PM (edited)

Sorry for the misunderstanding, but I am looking for updates that I haven't listed, yet. There should be something like 10 or 20 different versions of win32k.sys. But I know only the 3 I listed.

Edited Friday at 01:53 PM by Start Me Up

jumper Posted 5 hours ago

Summary of first two tries asking Google Gemini (Fast):

For the final updates, this number was in the high 7000s (e.g., 5.1.2600.7512 or higher).

KB4500331 (May 2019): BlueKeep Remote Desktop Services vulnerability (CVE-2019-0708).
KB4012598 (May 2017): Released to address the WannaCry vulnerability.
Mar 2014: MS14-015 KB2939576 Critical EoP vulnerability in Win32k. (One of the final official patches)
Dec 2013: MS13-101 KB2880430 Multiple EoP vulnerabilities in Windows Kernel-Mode Drivers (Win32k).
Jul 2013: MS13-053 KB2850851 Remote Code Execution/EoP vulnerabilities in Win32k and TrueType Font handling.
Jan 2013: MS13-005 KB2769369 EoP vulnerability in the Windows kernel-mode driver (Win32k).

jumper Posted 5 hours ago (edited)

Third try by asking Google Gemini (Thinking):

Quote

Here is the compiled list of updates containing win32k.sys versions for Windows XP (x86), ordered from the latest available (Post-EOL / POSReady 2009) down to the final official public update.

Note: Versions higher than 5.1.2600.65xx belong to the POSReady 2009 branch. These updates were technically for the embedded version of XP but were binary-compatible and widely used to patch standard XP systems after 2014.

Post-Support / POSReady 2009 Updates (2014–2019)

Update KB - Release Date - win32k.sys Version
KB4486924 - Feb 2019 - 5.1.2600.7649
KB4339854 - Jul 2018 - 5.1.2600.7512
KB4131188 - May 2018 - 5.1.2600.7472
KB4039384 - Sep 2017 - 5.1.2600.7334
KB3205715 - Nov 2016 - 5.1.2600.7156
KB3197835 - Nov 2016 - 5.1.2600.7156
KB3185319 - Sep 2016 - 5.1.2600.7107
KB3140735 - Mar 2016 - 5.1.2600.6953
KB3057154 - Jun 2015 - 5.1.2600.6865
KB3034344 - Mar 2015 - 5.1.2600.6755
KB3013455 - Feb 2015 - 5.1.2600.6712

Official Windows XP Final Updates (2013–2014)

Update KB - Release Date - win32k.sys Version - Notes
KB2939576 - Mar 2014 - 5.1.2600.6532 - Last official public update (MS14-015)
KB2893984 - Dec 2013 - 5.1.2600.6483 - (MS13-101)
KB2850851 - Jul 2013 - 5.1.2600.6411 - (MS13-053)
KB2839229 - Jun 2013 - 5.1.2600.6404 - (MS13-046)
KB2769369 - Jan 2013 - 5.1.2600.6329 - (MS13-005)

Edited 4 hours ago by jumper
Table formatting

jumper Posted 5 hours ago

More details from Gemini. Note at bottom: "Updates KB3034344, KB3013455, and KB2850851 specifically address critical vulnerabilities in how win32k.sys parses TrueType fonts...."

Quote

Here is the compiled list of updates containing win32k.sys, including the specific versions and the key vulnerabilities (CVEs) they addressed.

Post-Support / POSReady 2009 Updates (2014–2019)

KB4486924 contains version 5.1.2600.7649 (Patches CVE-2019-0623, CVE-2018-8589)
KB4339854 contains version 5.1.2600.7512 (Patches CVE-2018-8282; Win32k Elevation of Privilege)
KB4131188 contains version 5.1.2600.7472 (Patches CVE-2018-8120; Win32k Elevation of Privilege)
KB4039384 contains version 5.1.2600.7334 (Patches CVE-2017-8684; GDI+ Information Disclosure)
KB3205715 contains version 5.1.2600.7156 (Patches CVE-2016-7255; Win32k Elevation of Privilege)
KB3197835 contains version 5.1.2600.7156 (Patches CVE-2016-7255; bundled in Nov 2016 Monthly Rollup)
KB3185319 contains version 5.1.2600.7107 (Patches CVE-2016-3308, CVE-2016-3309)
KB3140735 contains version 5.1.2600.6953 (Patches CVE-2016-0120, CVE-2016-0121)
KB3057154 contains version 5.1.2600.6865 (Patches CVE-2015-1701; Win32k Elevation of Privilege)
KB3034344 contains version 5.1.2600.6755 (Patches CVE-2015-0032; TrueType Font Parsing)
KB3013455 contains version 5.1.2600.6712 (Patches CVE-2015-0057; TrueType Font Parsing)

Official Windows XP Final Updates (2013–2014)

KB2939576 contains version 5.1.2600.6532 (Patches CVE-2014-0300; Win32k Elevation of Privilege)
KB2893984 contains version 5.1.2600.6483 (Patches CVE-2013-3906; TIFF Graphics Handling)
KB2850851 contains version 5.1.2600.6411 (Patches CVE-2013-3129; TrueType Font Parsing)
KB2839229 contains version 5.1.2600.6404 (Patches CVE-2013-3660; Win32k Input Handling)
KB2769369 contains version 5.1.2600.6329 (Patches CVE-2013-0008; Win32k Window Handle Vulnerability)

Note on TrueType Font Vulnerabilities

Updates KB3034344, KB3013455, and KB2850851 specifically address critical vulnerabilities in how win32k.sys parses TrueType fonts, which were common vectors for remote code execution attacks via malicious documents or web pages.

jumper Posted 5 hours ago

I replied: "Excellent. Do the same for Windows 2000."

Quote

Here is the compiled list of updates containing win32k.sys versions for Windows 2000 SP4, ordered from the final Extended Support updates down to earlier significant patches.

Note: Windows 2000 support ended on July 13, 2010. The "Update Rollup 1 for SP4" (KB891861) established the baseline for many files, with subsequent security updates incrementing the version further.

Final Extended Support Updates (2008–2010)

KB979683 contains version 5.0.2195.7390 (Patches CVE-2010-0480; Win32k Elevation of Privilege)
KB975560 contains version 5.0.2195.7355 (Patches CVE-2010-0026; Win32k Z-Order vulnerability)
KB969947 contains version 5.0.2195.7317 (Patches CVE-2009-2514; Win32k Message Handling)
KB959482 contains version 5.0.2195.7275 (Patches CVE-2009-0229; Win32k Window Class)
KB954154 contains version 5.0.2195.7196 (Patches CVE-2008-2252; Windows Kernel Input Validation)

Mid-Late Lifecycle Updates (2005–2007)

KB943485 contains version 5.0.2195.7154 (Patches CVE-2007-5352; Win32k Improper Memory Validation)
KB931784 contains version 5.0.2195.7133 (Patches CVE-2007-1206; Cursor/Icon Handling Buffer Overflow)
KB925902 contains version 5.0.2195.7127 (Patches CVE-2007-0038; Cursor Animation Vulnerability)
KB920958 contains version 5.0.2195.7103 (Patches CVE-2006-3444; Window Class Handling)
KB891861 contains version 5.0.2195.7032 (Update Rollup 1 for SP4 - The major baseline update)

Note on Versioning

Unlike Windows XP which uses 5.1.x, Windows 2000 uses the kernel version 5.0.2195. The final number (e.g., 7390) indicates the specific patch level. If you are analyzing a system, 5.0.2195.7032 is generally considered the "stable baseline" for a fully updated SP4 system before applying individual security hotfixes.