Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 6th, 2010

New Windows Arbitrary Code Execution Flaw Disclosed, All Windows Versions Affected

A new Windows vulnerability that could allow for privilege escalation and arbitrary code execution has been identified. According to vulnerability research company VUPEN Security, the flaw affects all supported versions of Microsoft Windows.

The issue is described by VUPEN in its advisory as a Windows kernel memory corruption vulnerability, because it is located in the Win32k.sys kernel-mode device driver. The bug can be exploited by placing and retrieving specifically formatted bitmap data from the clipboard and can potentially be leveraged by local attackers to elevate their privileges or execute arbitrary code.

Malicious users can also generate a Denial of Service condition by crashing the system. “VUPEN has confirmed the vulnerability on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3,” the company writes, noting that it is not aware of any patch supplied by the vendor.

The bug is rated as moderate risk and a researcher identified only as Arkon is credited with its discovery. It’s not clear if Microsoft has been informed of the issue, because VUPEN no longer supplies vulnerability intelligence to vendors for free and Redmond giant doesn’t want to pay for bug information.

Microsoft has recently rebranded its vulnerability disclosure guidelines as Coordinated Vulnerability Disclosure (CVD). “CVD’s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action — and even then it should be coordinated as closely as possible,” the company explained.

Credit: News

Share this item with others:

More on CyberInsecure:
  • Apple Safari For Windows Critical Vulnerabilities
  • 0-Day Vulnerability In Internet Explorer 6, 7 and 8, Exploit Code Already Released
  • Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild
  • QuickTime Crashing Zero-day Attack Code Published, Malicious Code Execution Possible
  • Extremely Severe Vulnerabilities Patched In Opera Browser

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Windows Arbitrary Code Execution Flaw Disclosed, All Windows Versions Affected

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.