MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Today we released a security update rated Important for CVE-2010-1255 in MS10-032.  This vulnerability affects the win32k.sys driver.  This blog post provides more information about this vulnerability that can help with prioritizing the deployment of updates this month.


What’s the risk?


A local attacker could write a custom user-mode attack application that passes a bad buffer to win32k.sys’s GetGlyphOutline while retrieving font information. This could be an attempt to cause memory corruption with the end goal of running code in ring 0 — a classic local Elevation-of-Privilege vulnerability. 


If a regular, known-good application failed to properly request the length of the buffer when calling this API, that application might expose a different code execution attack vector to this vulnerability. Fortunately, default installations of Windows are not at risk because the API is properly used in Microsoft applications. If a third-party application inadvertently used this function incorrectly, this security update will protect any attack vector exposed by that application as well. In that light, the deployment priority of this update may need to be adjusted accordingly.


How difficult is this to exploit?


Due to a validation statement in the write loop, the attacker cannot write data of arbitrary length beyond the allocated buffer; the overwrite length is approximately 0x10 bytes.  Getting all of the data in the right place at the right time to gain code execution can be quite unreliable and as a result we gave it an Exploitability Index rating of 2.  We do not expect to see reliable exploit code within the next 30 days.


We would like to thank Colin McCambridge for his work on this case. 


– Bruce Dang, Brian Cavenah, and Jonathan Ness from MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*