A new zero-day bug affecting Windows 7, XP and other versions of the operating system has been reported-a few short days before Microsoft releases the most Patch Tuesday security bulletins ever.
Microsoft is investigating a new report of a security
vulnerability in Windows that can be exploited to gain elevated privileges.
Microsoft confirmed that the bug, a privilege escalation
issue in the operating system's kernel driver, is being analyzed. Danish
security firm Secunia published an advisory on the bug Aug. 6, identifying the
issue as a boundary error in Win32k.sys that can be exploited via the
"GetClipboardData()" API to cause
a buffer overflow.
If successful, attackers will be able to execute code with
kernel privileges, according to Secunia, which warned organizations to only
grant "access to trusted users."
"Microsoft is investigating reports of a possible
vulnerability in Windows Kernel," said Jerry Bryant, group manager for Microsoft
Response communications. "Upon completion of the investigation, Microsoft
will take appropriate actions to protect customers."
The bug has been confirmed to work on numerous editions of
the operating system, including Windows 7, Windows XP SP3 (Service Pack 3) and
Windows Server 2008 SP2.
"The danger [of the bug] comes from the fact that the
vulnerability affects all Windows versions including Windows 7," explained
VUPEN Security CEO Chaouki Bekrar. "However,
exploitation is not trivial due to the nature of the flaw and due to a
hardcoded value of 4 being written into the buffer every fourth byte of the
source data to be copied."
VUPEN and Secunia rated the vulnerability as a "moderate
risk" and "less critical," respectively. The bug was first reported by a researcher
going by the name "Arkon," who has posted a proof-of-concept exploit
on the Web.
"This is another example of Uncoordinated Vulnerability
Disclosures where a researcher chooses to publicly release a proof-of-concept
for an unpatched vulnerability instead of informing the vendor and waiting at
least six months to just get a two-word credit in their security advisory,"
Bekrar said. "We can expect the number of Uncoordinated Vulnerability
Disclosures to go up significantly within the next months and years as long as
software vendors continue to not pay and reward security researchers for their
Microsoft recently stated it has no plans to pay researcher-per-bug
rewards as Mozilla and Google do, though the company has spent a lot of time in
the past several weeks dealing with issues around bug disclosure.
As part of its monthly Patch Tuesday update, Microsoft plans
to release a total of 14 security bulletins tomorrow, the most on record for