Windows Kernel's Graphics Component Still Filled with Holes

Security researcher Tarjei Mandt has found dozens of vulnerabilities in the graphics control component of Windows Kernel.

Microsoft has issued more than 40 patches so far this year for this class of bugs, but "the actual vulnerability count is much higher than those that have been addressed," Mandt said. "There are plenty more that haven't been announced."

Mandt, who works for the security company Norman ASA, presented his findings on vulnerabilities in Windows' use of user-mode callbacks Aug. 3 at the Black Hat Briefings. Although Microsoft has addressed "a big chunk of the issues," an unknown number remain, he said. "It's ongoing research. The complexity of some of the issues makes it hard to say how many more bugs there might be."

The problem lies in Win32k.sys, introduced in 1997 and still a fundamental component of the Windows architecture, which manages both the Window Manager and the Graphics Device Interface. It allows the kernel to make user-mode callbacks for a variety of tasks, including invoking application-defined hooks, delivering event notifications and copying data to and from user mode. To make such a callback the kernel releases a lock it had been holding, and the problem is that on return it fails to sufficiently validate changes that may have been made to memory in the meantime, Mandt said.

"Without proper authentication, this will result in all kinds of vulnerabilities," he said.
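As an added illustration of the validation gap described above (constructed simulation code, not win32k's own code and not taken from Mandt's research): a stand-in kernel handler captures an object before calling back into user mode, and either trusts that stale reference afterwards or re-validates the object first.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed simulation, not win32k code: a tiny object table that user
 * mode can modify while the "kernel" is inside a user-mode callback. */
typedef struct { int id; bool valid; int width; } WindowObj;
typedef void (*user_callback_t)(void);
static WindowObj table[2];
static int next_id = 1;

/* Reset the table: slot 0 holds a live window 640 px wide. */
void init_table(void) {
    table[0].id = next_id++; table[0].valid = true;  table[0].width = 640;
    table[1].id = 0;         table[1].valid = false; table[1].width = 0;
}

/* The kernel has to drop its lock before re-entering user mode, so anything
 * the callback does can change the table underneath the caller. */
static void call_user_mode(user_callback_t cb) { cb(); }

/* Two constructed callbacks: one is harmless, one destroys window 0. */
void benign_callback(void) { }
void destroy_window0(void) { table[0].valid = false; }

/* Flawed pattern: a pointer captured before the callback is used after it,
 * with no check that the object it names still exists. */
int flawed_handler(int idx, user_callback_t cb) {
    WindowObj *w = &table[idx];
    call_user_mode(cb);
    return w->width;            /* reads an object that may already be gone */
}

/* Hardened pattern: re-look-up the object after the callback and confirm it
 * is still valid and still the same object (same id) before using it. */
int hardened_handler(int idx, user_callback_t cb) {
    int id_before = table[idx].id;
    call_user_mode(cb);
    WindowObj *w = &table[idx];
    if (!w->valid || w->id != id_before)
        return -1;              /* state changed during the callback: refuse */
    return w->width;
}

int main(void) {
    init_table(); printf("flawed:   %d\n", flawed_handler(0, destroy_window0));
    init_table(); printf("hardened: %d\n", hardened_handler(0, destroy_window0));
    return 0;
}
```

The flawed handler happily reports the width of a window that was destroyed during the callback, while the hardened one notices the state change and refuses to continue.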

Microsoft in April released patches for 30 vulnerabilities in Windows kernel-mode drivers that could allow elevation of privilege by an attacker who logged on locally. The attacker would have to have valid log-in credentials and could not exploit the vulnerabilities remotely, the company said in its April security bulletin. Still, "this security update is rated Important for all supported releases of Microsoft Windows," the bulletin said. Another 14 patches for related vulnerabilities were released in July.

Mandt said most security research is being done in applications and that kernel-level research takes a different set of skills. He began researching the Win32k environment last fall and reported the first bugs in the kernel to Microsoft in October.

"This particular component hadn't been looked at by others," he said. "That was one motivating factor" for choosing it. "I knew that the module had certain complex components," which meant there was a greater chance of finding bugs.

Still, he was surprised at the number he found because the component had been around since 1997. But because complex operating systems are built up over time on legacy components, problems will persist if the code is not carefully examined.

"In order to have a secure operating system, you need people to look into the components," he said, and "not many people are doing it."

He called his discoveries eye-opening. "Whatever software you look at there will always be problems," he said, but he did not expect to find as many problems as he did. "It is surprising that there have been so many vulnerabilities present in the Windows kernel."

Because the fundamental problem is buried in an old element of the Windows kernel, Microsoft's response to date has been to mitigate individual vulnerabilities through patches. Mandt said he is not aware of any exploits in the wild for vulnerabilities he has discovered, but that regular patching is important because of the likelihood that new vulnerabilities will continue to be reported.


About the Author

William Jackson is the senior writer for Government Computer News (

