Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Microsoft Windows NtUserCheckAccessForIntegrityLevel Use-After-Free

Disclosed July 5, 2010    Fully Patched

Vulnerability Description:

Microsoft Windows 2008 and Windows Vista contain a vulnerability within the kernel-mode driver win32k.sys. Numerous calls to the "NtUserCheckAccessForIntegrityLevel" function trigger a failure in "LockProcessByClientId" that decrements an object's reference counter twice instead of only once, so the object is freed while it is still in use. A local attacker who is able to leverage the reference count leak could potentially execute arbitrary code with elevated privileges or cause the system to crash.
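The bug class described above, as an added example that is not code from win32k.sys or from BeyondTrust: a user-space C model of a failure path that releases a reference twice, next to a corrected caller. All names (obj, lock_obj, check_access_buggy, check_access_fixed, survives) are hypothetical, and the split of cleanup between helper and caller is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration: user-space model with hypothetical names, not win32k.sys code. */
/* Toy reference-counted object; `live` stands in for "memory still allocated". */
struct obj { int refs; bool live; };

static void obj_ref(struct obj *o)   { o->refs++; }
static void obj_unref(struct obj *o) { if (--o->refs == 0) o->live = false; }

/* Hypothetical helper: takes a reference and, on failure, drops it itself. */
static bool lock_obj(struct obj *o, bool fail) {
    obj_ref(o);
    if (fail) { obj_unref(o); return false; }   /* helper already cleaned up */
    return true;
}

/* Flawed caller: also drops a reference on the failure path. */
static bool check_access_buggy(struct obj *o, bool fail) {
    if (!lock_obj(o, fail)) { obj_unref(o); return false; } /* second decrement */
    obj_unref(o);
    return true;
}

/* Corrected caller: exactly one release per successful acquire. */
static bool check_access_fixed(struct obj *o, bool fail) {
    if (!lock_obj(o, fail)) return false;
    obj_unref(o);
    return true;
}

/* Make `calls` failing calls against an object holding `owners` legitimate
 * references; return true only if it is still live with its count intact. */
static bool survives(bool (*fn)(struct obj *, bool), int owners, int calls) {
    struct obj o = { owners, true };
    for (int i = 0; i < calls && o.live; i++) fn(&o, true);
    return o.live && o.refs == owners;
}

int main(void) {
    printf("buggy caller, object intact: %d\n", survives(check_access_buggy, 3, 3));
    printf("fixed caller, object intact: %d\n", survives(check_access_fixed, 3, 3));
    return 0;
}
```

In this model each failing call costs the object one reference it never gave out, so the count reaches zero while the legitimate owners still hold pointers to it.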



Vulnerable Software/Devices:

Windows Vista SP1
Windows Server 2008 SP1/SP2

Vulnerability Severity:


Exploit Availability:


Exploit Impact:

Denial of Service
Local denial of service. This vulnerability would likely be utilized in situations where the goal of the attacker is to crash a system. Since this DoS is a local vulnerability, it would need to be used in tandem with some other exploit to gain access to the system. After the vulnerability is exploited, the system will be forced to restart, disrupting any services that might be running.

BeyondTrust Prevention and Detection:


There are no known mitigations for this vulnerability. It may be possible to limit exploitation by restricting access to trusted users and applications.



