New Windows Bug Scare Ahead Of Patch Tuesday

In the run-up to this month’s Patch Tuesday, Microsoft has admitted it is investigating a new report of a security vulnerability in Windows that can be exploited to gain elevated privileges.

Microsoft confirmed that the bug, a privilege escalation issue in the operating system’s kernel driver, is being analysed.

Danish security firm Secunia published an advisory on the bug 6 August, identifying the issue as a boundary error in Win32k.sys that can be exploited via the “GetClipboardData()” API to cause a buffer overflow.

Elevated Privileges

If successful, attackers will be able to execute code with kernel privileges, according to Secunia, which warned organisations to only grant “access to trusted users.”

“Microsoft is investigating reports of a possible vulnerability in Windows Kernel,” said Jerry Bryant, group manager for Microsoft Response communications. “Upon completion of the investigation, Microsoft will take appropriate actions to protect customers.”

The bug has been confirmed to work on numerous editions of the operating system, including Windows 7, Windows XP SP3 (Service Pack 3) and Windows Server 2008 SP2.

“The danger [of the bug] comes from the fact that the vulnerability affects all Windows versions including Windows 7,” explained VUPEN Security CEO Chaouki Bekrar. “However, exploitation is not trivial due to the nature of the flaw and due to a hardcoded value of 4 being written into the buffer every fourth byte of the source data to be copied.”

Moderate Risk

VUPEN and Secunia rated the vulnerability as a “moderate risk” and “less critical,” respectively.  The bug was first reported by a researcher going by the name “Arkon,” who has posted a proof-of-concept exploit on the web.

“This is another example of Uncoordinated Vulnerability Disclosures where a researcher chooses to publicly release a proof-of-concept for an unpatched vulnerability instead of informing the vendor and waiting at least six months to just get a two-word credit in their security advisory,” Bekrar said. “We can expect the number of Uncoordinated Vulnerability Disclosures to go up significantly within the next months and years as long as software vendors continue to not pay and reward security researchers for their work.”

Microsoft recently stated it has no plans to pay researcher-per-bug rewards as Mozilla and Google do, although the company has spent a lot of time in the past several weeks dealing with issues around bug disclosure.

As part of its monthly Patch Tuesday update, Microsoft plans to release a total of 14 security bulletins tomorrow, the most on record for the company.