Update on the publicly disclosed Win32k.sys EoP Vulnerability

Hi everyone,

Yesterday we tweeted to let customers know that we were investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time. Today we have more information, as well as a planned course of action.

While most in the industry reported this as a low-severity vulnerability, it generated quite a bit of attention, and as always, we started our investigation as soon as we became aware of the issue. We have not yet reported on this issue because it’s important we’re thorough in our investigations, and there were a couple of possible vectors that we wanted to validate (or invalidate as the case may be) before we commented or defined a course of action.

As a result, we are now able to report that this is a local elevation of privilege vulnerability only. This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system.  For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users. 

We will not be releasing a security advisory for this issue, but it will be included in a future security update. We will continue monitoring the threat landscape and alert customers if anything changes.

Thanks to Dustin Childs and the rest of our security engineering team for their quick and thorough work to determine the cause and extent of this issue across platforms!


Jerry Bryant
Group Manager, Response Communications