In the run-up to this month’s Patch Tuesday, Microsoft has admitted it is investigating a new report of a security vulnerability in Windows that can be exploited to gain elevated privileges.
Microsoft confirmed that the bug, a privilege escalation issue in the operating system’s kernel driver, is being analysed.
Danish security firm Secunia published an advisory on the bug 6 August, identifying the issue as a boundary error in Win32k.sys that can be exploited via the “GetClipboardData()” API to cause a buffer overflow.
If successful, attackers will be able to execute code with kernel privileges, according to Secunia, which warned organisations to only grant “access to trusted users.”
“Microsoft is investigating reports of a possible vulnerability in Windows Kernel,” said Jerry Bryant, group manager for Microsoft Response communications. “Upon completion of the investigation, Microsoft will take appropriate actions to protect customers.”
“The danger [of the bug] comes from the fact that the vulnerability affects all Windows versions including Windows 7,” explained VUPEN Security CEO Chaouki Bekrar. “However, exploitation is not trivial due to the nature of the flaw and due to a hardcoded value of 4 being written into the buffer every fourth byte of the source data to be copied.”
VUPEN and Secunia rated the vulnerability as a “moderate risk” and “less critical,” respectively. The bug was first reported by a researcher going by the name “Arkon,” who has posted a proof-of-concept exploit on the web.
“This is another example of Uncoordinated Vulnerability Disclosures where a researcher chooses to publicly release a proof-of-concept for an unpatched vulnerability instead of informing the vendor and waiting at least six months to just get a two-word credit in their security advisory,” Bekrar said. “We can expect the number of Uncoordinated Vulnerability Disclosures to go up significantly within the next months and years as long as software vendors continue to not pay and reward security researchers for their work.”
Microsoft recently stated it has no plans to pay researcher-per-bug rewards as Mozilla and Google do, although the company has spent a lot of time in the past several weeks dealing with issues around bug disclosure.
As part of its monthly Patch Tuesday update, Microsoft plans to release a total of 14 security bulletins tomorrow, the most on record for the company.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…