
MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Today we released a security update rated Important for CVE-2010-1255 in MS10-032. This vulnerability affects the win32k.sys driver. This blog post provides more information about the vulnerability to help you prioritize the deployment of this month's updates.

What’s the risk?

A local attacker could write a custom user-mode attack application that passes a bad buffer to win32k.sys’s GetGlyphOutline while retrieving font information. This could be an attempt to cause memory corruption with the end goal of running code in ring 0 – a classic local Elevation-of-Privilege vulnerability.

If a regular, known-good application failed to properly request the length of the buffer before calling this API, that application might expose a different code execution attack vector to this vulnerability. Fortunately, default installations of Windows are not at risk because the API is properly used in Microsoft applications. If a third-party application inadvertently used this function incorrectly, this security update also protects any attack vector exposed by that application. In that light, the deployment priority of this update may need to be adjusted accordingly.
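The paragraph above describes applications that fail to ask GetGlyphOutline for the buffer length it needs. The following is an added example, not code from this advisory or from Microsoft, of the two-call pattern that avoids passing a mis-sized buffer; the wrapper `fetch_glyph_outline` and the non-Windows stand-in for the API are this example's own constructions, and on Windows the real GDI call is used.

```c
/* Two-call pattern for GetGlyphOutlineW: ask the API how many bytes it needs,
 * allocate exactly that, then call again with the real buffer. On non-Windows
 * builds a small constructed stand-in models the API's contract (added here). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-in for the Win32 declarations and behaviour used below. */
typedef uint32_t DWORD; typedef unsigned int UINT; typedef void *HDC; typedef void *LPVOID;
typedef struct { unsigned short fract; short value; } FIXED;
typedef struct { FIXED eM11, eM12, eM21, eM22; } MAT2;
typedef struct { int placeholder; } GLYPHMETRICS;
#define GDI_ERROR 0xFFFFFFFFu
#define GGO_NATIVE 2
/* Model: 'A' needs 48 bytes, ' ' has no outline (0 bytes), anything else fails. */
static DWORD GetGlyphOutlineW(HDC hdc, UINT ch, UINT fmt, GLYPHMETRICS *gm,
                              DWORD cb, LPVOID buf, const MAT2 *m) {
    (void)hdc; (void)fmt; (void)gm; (void)m;
    DWORD need = (ch == 'A') ? 48 : (ch == ' ') ? 0 : GDI_ERROR;
    if (need == GDI_ERROR) return GDI_ERROR;
    if (buf == NULL) return need;     /* size query */
    if (cb < need) return GDI_ERROR;  /* caller's buffer is too small */
    memset(buf, 0xAB, need);          /* pretend to write outline data */
    return need;
}
#endif
/* Returns the glyph's outline bytes in a buffer sized by the API itself.
 * *out_len receives the byte count (0 for a glyph with no outline, such as a
 * space) or GDI_ERROR on failure. The caller frees a non-NULL result. */
unsigned char *fetch_glyph_outline(HDC hdc, UINT ch, DWORD *out_len)
{
    GLYPHMETRICS gm; MAT2 identity;
    memset(&gm, 0, sizeof gm); memset(&identity, 0, sizeof identity);
    identity.eM11.value = 1; identity.eM22.value = 1;  /* identity transform */
    /* Call 1: NULL buffer, size 0 -> the API reports the size it needs. */
    DWORD need = GetGlyphOutlineW(hdc, ch, GGO_NATIVE, &gm, 0, NULL, &identity);
    *out_len = need;
    if (need == GDI_ERROR || need == 0) return NULL;
    unsigned char *buf = malloc(need);
    if (buf == NULL) { *out_len = GDI_ERROR; return NULL; }
    /* Call 2: pass exactly the size reported, never a guessed constant. */
    DWORD got = GetGlyphOutlineW(hdc, ch, GGO_NATIVE, &gm, need, buf, &identity);
    if (got == GDI_ERROR || got > need) { free(buf); *out_len = GDI_ERROR; return NULL; }
    *out_len = got;
    return buf;
}
```

On Windows, `hdc` must be a device context with the font of interest selected; the stand-in ignores it.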

How difficult is this to exploit?
Because of a validation check in the write loop, the attacker cannot write data of arbitrary length beyond the allocated buffer; the overwrite length is approximately 0x10 bytes. Getting all of the data in the right place at the right time to gain code execution can be quite unreliable, and as a result we gave it an Exploitability Index rating of 2. We do not expect to see reliable exploit code within the next 30 days.

We would like to thank Colin McCambridge for his work on this case.

- Bruce Dang, Brian Cavenah, and Jonathan Ness from MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*
