Microsoft Windows 2008 and Windows Vista contain a vulnerability within the kernel-mode driver win32k.sys. By making numerous calls to the "NtUserCheckAccessForIntegrityLevel" function, a failure in "LockProcessByClientId" is triggered which decrements a reference counter to an object twice, instead of only once, thereby resulting in the freed object being used. A local attacker that is able to leverage the reference count leak could potentially execute arbitrary code with elevated privileges or cause the system to crash.
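To illustrate the failure mode described above, the following is an added, hypothetical C model of a reference-counted object; it is not win32k code and the function names, the one-owner-reference starting state, and the single-call trigger are simplifications chosen for the example. It contrasts the vulnerable pattern (an error path that drops the reference and a shared cleanup that drops it again) with the corrected pattern (exactly one release per acquire), and reports whether the owner's object was released out from under it.

```c
#include <stdio.h>

/* Hypothetical model of a reference-counted kernel object; not win32k code. */
typedef struct {
    int refcount;   /* outstanding references; the owner holds one */
    int freed;      /* set when the count reaches zero and the object is released */
} object_t;

static void obj_reference(object_t *o) { o->refcount++; }

static void obj_dereference(object_t *o) {
    if (o->freed) return;           /* already released: in a real kernel this is memory corruption */
    if (--o->refcount == 0) o->freed = 1;
}

/* Vulnerable pattern: the error path releases the reference taken by the
   lookup, and the shared cleanup releases it again (two decrements, one increment). */
static int check_access_buggy(object_t *proc, int allowed) {
    int status = 0;
    obj_reference(proc);            /* "lock" the target process */
    if (!allowed) {
        status = -1;
        obj_dereference(proc);      /* first decrement on the error path */
    }
    obj_dereference(proc);          /* second decrement in common cleanup */
    return status;
}

/* Fixed pattern: exactly one release per acquire, whatever the outcome. */
static int check_access_fixed(object_t *proc, int allowed) {
    int status = allowed ? 0 : -1;
    obj_reference(proc);
    obj_dereference(proc);          /* single decrement on every path */
    return status;
}

/* Run `calls` denied checks against an object holding one owner reference;
   returns 1 if the object was released while the owner still holds it. */
static int owner_lost_object(int use_fixed, int calls) {
    object_t proc = { .refcount = 1, .freed = 0 };
    for (int i = 0; i < calls; i++) {
        if (use_fixed) check_access_fixed(&proc, 0);
        else           check_access_buggy(&proc, 0);
    }
    return proc.freed;
}

int main(void) {
    printf("buggy: owner lost object = %d\n", owner_lost_object(0, 1));
    printf("fixed: owner lost object = %d\n", owner_lost_object(1, 1));
    return 0;
}
```

In the model a single denied call is enough to free the owner's object; the advisory's "numerous calls" reflects the real driver holding more references than this toy starts with.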
Windows Vista SP1
Windows Server 2008 SP1/SP2
Denial of Service
Local denial of service. This vulnerability would likely be used where the attacker's goal is to crash a system. Because it is a local vulnerability, it would need to be used in tandem with some other exploit to first gain access to the system. After the vulnerability is exploited, the system will be forced to restart, disrupting any services that might be running.
BeyondTrust Prevention and Detection:
- BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
There are no known mitigations for this vulnerability. It may be possible to limit exploitation by restricting access to trusted users and applications.