The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability announce CVE-2010-1734 CVE-2010-1735

Windows: denials of service of win32k.sys

Synthesis of the vulnerability

A local attacker can use the PostMessage() function, in order to generate an error in win32k.sys, which stops the system.
Vulnerable software: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity of this announce: 1/4.
Consequences of an intrusion: denial of service on server.
Attacker's origin: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/04/2010.
Références of this computer vulnerability: 2160329, BID-39630, BID-39631, CVE-2010-1734, CVE-2010-1735, MS10-048, VIGILANCE-VUL-9607.

Description of the vulnerability

The PostMessage() function is used to send a message to a window. It uses win32k.sys. Two vulnerabilities of win32k.sys can be exploited via PostMessage().

The PostMessage() function does not check the memory address given as argument, when the message type is 0x4c (SfnLOGONNOTIFY). [severity:1/4; BID-39630, CVE-2010-1735]

The PostMessage() function does not check the memory address given as argument, when the message type is 0x18d (SfnINSTRING). [severity:1/4; BID-39631, CVE-2010-1734]

A local attacker can therefore use the PostMessage() function, in order to generate an error in win32k.sys, which stops the system.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides an application vulnerability patch. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The technology watch team tracks security threats targeting the computer system.