It's that time of the month again when Microsoft plugs some of the holes in its software. If the sheer number of vulnerabilities a Patch Tuesday addresses is the best way to gauge its significance, it does not get any bigger than this: Microsoft is slated to release 14 security bulletins covering 34 vulnerabilities in Windows, Internet Explorer, Office and Silverlight.
But the record number of security bulletins will not include a fix for a recently revealed bug in a Windows kernel-mode driver. The zero-day bug was reported by Gil Dabah (aka Arkon), an Israeli security researcher, who also published proof-of-concept exploit code on his site RageStorm.com. According to Jerry Bryant, Microsoft's group manager of response communications: "Microsoft is investigating reports of a possible vulnerability in Windows Kernel. Upon completion of the investigation, Microsoft will take appropriate actions to protect customers."
“This issue is caused by a buffer overflow error in the 'CreateDIBPalette()' function within the kernel-mode device driver 'Win32k.sys' when using the 'biClrUsed' member value of a 'BITMAPINFOHEADER' structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges,” reads an advisory issued by French security research firm VUPEN.
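The class of bug the advisory describes, a length field from untrusted bitmap data used as a loop or copy counter, is closed by bounding that field before it is used. The following is an added illustration, not Microsoft's code and not taken from the advisory: `load_palette`, `try_dib`, the 256-entry destination and the little-endian host are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PALETTE_MAX 256u   /* assumed capacity of the destination palette */

/* The documented 40-byte BITMAPINFOHEADER; little-endian host assumed. */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
    int32_t  biXPelsPerMeter, biYPelsPerMeter;
    uint32_t biClrUsed, biClrImportant;
} bmi_header;

typedef struct { uint8_t blue, green, red, reserved; } rgbquad;

/* Copy the colour table of an untrusted DIB into out[].
 * Returns the number of entries copied, or -1 if the header is rejected. */
int load_palette(const uint8_t *dib, size_t len, rgbquad out[PALETTE_MAX])
{
    bmi_header h;
    if (len < sizeof h) return -1;
    memcpy(&h, dib, sizeof h);
    if (h.biSize < sizeof h || h.biSize > len) return -1;
    /* This example accepts only the palettized depths: 1, 4 and 8 bpp. */
    if (h.biBitCount != 1 && h.biBitCount != 4 && h.biBitCount != 8) return -1;
    uint32_t max_colors = 1u << h.biBitCount;            /* at most 256 */
    uint32_t n = h.biClrUsed ? h.biClrUsed : max_colors; /* 0 means "all" */
    if (n > max_colors) return -1;      /* counter must not exceed out[] */
    if ((len - h.biSize) / sizeof(rgbquad) < n) return -1; /* source bound */
    memcpy(out, dib + h.biSize, n * sizeof(rgbquad));
    return (int)n;
}

/* Constructed sample input: a DIB with the given header fields followed by
 * `present` zeroed palette entries. Hypothetical helper for the demo. */
int try_dib(uint16_t bits, uint32_t clr_used, uint32_t present)
{
    static uint8_t buf[sizeof(bmi_header) + 1024 * sizeof(rgbquad)];
    rgbquad out[PALETTE_MAX];
    bmi_header h = { sizeof h, 1, 1, 1, bits, 0, 0, 0, 0, clr_used, 0 };
    if (present > 1024) return -1;
    memset(buf, 0, sizeof buf);
    memcpy(buf, &h, sizeof h);
    return load_palette(buf, sizeof h + present * sizeof(rgbquad), out);
}

int main(void) { return try_dib(8, 256, 256) == 256 ? 0 : 1; }
```

A header claiming 1024 colours at 8 bpp is rejected even when the buffer really contains 1024 entries, because the limit is set by the destination, not by how much data the sender supplied.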
Microsoft has already addressed 13 Windows kernel bugs in 2010. According to security researcher Tavis Ormandy, who recently infuriated Redmond by hastily exposing a critical zero-day Windows bug, the company has been vulnerable to public kernel flaws for most of this year.