New Windows 0-day flaw allows malware installation

VUPEN Security has issued a security advisory that reveals the discovery of a new zero-day Windows vulnerability, which could be used by local attackers to mount a denial of service attack or to potentially gain elevated privileges and install malware on the system.

“This issue is caused by a buffer overflow error in the ‘CreateDIBPalette()’ function within the kernel-mode device driver ‘Win32k.sys’ when using the ‘biClrUsed’ member value of a ‘BITMAPINFOHEADER’ structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges,” the advisory says.
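The root cause named in the advisory is a header field, biClrUsed, being trusted as a copy counter. As an added example (not code from VUPEN or Microsoft), the C below shows the bound a DIB consumer should derive from biBitCount before copying a colour table into a fixed 256-entry palette; the function names and the constructed sample header are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PALETTE_ENTRIES 256u

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Number of colour-table entries that may be copied into a 256-entry palette,
 * or -1 if the header is inconsistent. For 1/4/8 bpp, biClrUsed == 0 means the
 * full 2^biBitCount palette and a non-zero value may not exceed it; for
 * 16/24/32 bpp an optional table is still capped at 256. Using biClrUsed as
 * the loop counter without this bound is the bug class the advisory describes. */
int bounded_palette_entries(uint16_t biBitCount, uint32_t biClrUsed) {
    uint32_t max_entries;
    switch (biBitCount) {
    case 1: case 4: case 8:
        max_entries = 1u << biBitCount;          /* 2, 16 or 256 entries */
        if (biClrUsed == 0) return (int)max_entries;
        break;
    case 16: case 24: case 32:
        max_entries = MAX_PALETTE_ENTRIES;       /* no palette required; 0 is fine */
        break;
    default:
        return -1;                               /* not a valid DIB bit depth */
    }
    return biClrUsed <= max_entries ? (int)biClrUsed : -1;
}

/* Copies the colour table that follows a 40-byte BITMAPINFOHEADER into a
 * caller-owned table of 256 RGBQUADs (4 bytes each). Returns entries copied,
 * or -1 when the header is inconsistent or the buffer is shorter than claimed. */
int load_dib_palette(const uint8_t *dib, size_t dib_len, uint8_t palette[MAX_PALETTE_ENTRIES * 4]) {
    if (dib_len < 40 || le32(dib) != 40) return -1;             /* biSize must be 40 */
    uint16_t bit_count = (uint16_t)(dib[14] | dib[15] << 8);     /* biBitCount at offset 14 */
    int n = bounded_palette_entries(bit_count, le32(dib + 32));  /* biClrUsed at offset 32 */
    if (n < 0 || dib_len < 40 + (size_t)n * 4) return -1;
    memcpy(palette, dib + 40, (size_t)n * 4);
    return n;
}

/* Builds a constructed (sample) header carrying only the fields the check reads. */
void make_dib_header(uint8_t out[40], uint16_t bit_count, uint32_t clr_used) {
    memset(out, 0, 40);
    out[0] = 40;                                                 /* biSize */
    out[14] = (uint8_t)bit_count; out[15] = (uint8_t)(bit_count >> 8);
    for (int i = 0; i < 4; i++) out[32 + i] = (uint8_t)(clr_used >> (8 * i));
}
```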

The flaw affects fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Windows XP SP3 and SP2 (the last of which is no longer supported by Microsoft).

There are no reports of the vulnerability being exploited in the wild, and it is unlikely that a fix will be included in tomorrow’s Patch Tuesday.
