Microsoft Scrambles to Squash Bug in Windows Kernel

Microsoft on Friday said it is investigating an unpatched vulnerability in Windows after an Israeli researcher revealed a bug in the operating system's kernel driver.

Artwork: Chip Taylor
According to Gil Dabah, a researcher from Tel Aviv who goes by the nickname "arkon," the Windows' kernel harbors a heap overflow vulnerability. Dabah also posted a short proof-of-concept to demonstrate the bug on RageStorm.com, a site he and two others run.

"Microsoft is investigating reports of a possible vulnerability in Windows Kernel," said Jerry Bryant on Friday. "Upon completion of the investigation, Microsoft will take appropriate actions to protect customers." Microsoft issues regular patches, but last week released a fix for a critical zero-day hole.

In an alert published Friday , Danish bug tracker Secunia pinpointed the bug in the "Win32k.sys" kernel-mode device driver, the kernel component of the Windows subsystem. Attackers could exploit the flaw using "GetClipboardData," an API (application programming interface) that retrieves data from the Window clipboard.

A successful exploit would allow hackers to execute their attack code in kernel mode, which would then let them infect the PC with malware or pillage any data on the machine.

The flaw exists in several versions of Windows, including XP SP3, Server 2003 R2, Vista, Windows 7 and Windows Server 2008 SP2, said Secunia, which rated the bug as "less critical," the firm's second-lowest threat ranking.

Microsoft has patched 13 Windows kernel vulnerabilities this year. In June, for example, MS10-032 patched three vulnerabilities in Win32k.sys; in April, it quashed eight bugs with MS10-021 ; and in February, MS10-015 fixed two flaws.

One researcher with experience digging up kernel bugs said the latest is business as usual. "I don't think there's been more than a few days this year that Microsoft [hasn't] been vulnerable to public kernel flaws," said Tavis Ormandy on Twitter . Ormandy reported three of this year's kernel vulnerabilities to Microsoft.

Most of those bugs were rated as "important," Microsoft's second-highest ranking, because they could not be exploited remotely, but required an attacker to have physical access to the PC and valid log-in credentials. It's likely that Dabah's find will as well.

Microsoft will issue 14 security updates, including 10 for Windows, on Tuesday. But unless the company found Dabah's flaw on its own, or the vulnerability was reported by another researcher earlier -- it's not unheard of for several researchers to stumble across the same bug -- a fix won't appear until September or later.

In the meantime, said Secunia, "Grant access [only] to trusted users."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Best of TechHive Newsletter

Comments