All Windows versions affected

Aug 6, 2010 17:18 GMT  ·  By

A new Windows vulnerability that could allow for privilege escalation and arbitrary code execution has been identified. According to vulnerability research company VUPEN Security, the flaw affects all supported versions of Microsoft Windows.

The issue is described by VUPEN in its advisory as a Windows kernel memory corruption vulnerability, because it is located in the Win32k.sys kernel-mode device driver. The bug can be triggered by placing specially formatted bitmap data on the clipboard and retrieving it, and can potentially be leveraged by local attackers to elevate their privileges or execute arbitrary code.

Malicious users can also generate a Denial of Service condition by crashing the system. "VUPEN has confirmed the vulnerability on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3," the company writes, noting that it is not aware of any patch supplied by the vendor.

The bug is rated as moderate risk, and a researcher identified only as Arkon is credited with its discovery. It's not clear whether Microsoft has been informed of the issue, because VUPEN no longer supplies vulnerability intelligence to vendors for free and the Redmond giant doesn't want to pay for bug information.

Microsoft has recently rebranded its vulnerability disclosure guidelines as Coordinated Vulnerability Disclosure (CVD). "CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible," the company explained.

VUPEN clearly takes issue with that concept as one of its Twitter announcements regarding this latest bug reads: "Uncoordinated Vulnerability Disclosure - Unpatched Microsoft Windows Kernel Flaw Publicly Revealed. Stay Tuned ..."

You can follow the editor on Twitter @lconstantin