Last week an exploit for a Windows kernel flaw was published by an unknown source. Presumably as a joke, details of the flaw, along with proof-of-concept code, were published on Code Project. Code Project is a programmer peer-support community, containing many tutorials and useful snippets of code to assist developers. Malware developers are not the usual target audience for posts made to the site, and so, perhaps unsurprisingly, the article has been removed (though it is mirrored here).

The flaw is a privilege escalation vulnerability. Anyone who can run code on a Windows system can elevate her privileges to the highest level, and accordingly install back doors, compromise sensitive data, and so on. The flaw lies in a critical Windows driver called win32k.sys. The driver inappropriately handles certain data stored in the registry—data that is stored on a per-user basis, and hence accessible to any unprivileged program. The proof-of-concept code uses this flaw to elevate the privileges of the user running the demo code; it could just as well be used to install a back door or other malware.

This is not the first such flaw in Windows to be discovered this year. Several flaws in the win32k.sys driver have been made public, and typically they allow privilege escalation in much the same way as this one. Privilege escalation can be a useful tool in the malware developer's arsenal—it means that a system can be fully compromised even if the user is otherwise following best practices—but it does not by itself provide code execution: the attacker must already be able to run code on the machine. Privilege escalation flaws hence have to be combined with other attacks to become serious issues.

The original Code Project post, along with subsequent media coverage, has described the flaw as a "UAC bypass." While technically true, this is missing the point: the flaw works on Windows XP, which has no UAC, and it works even if UAC is disabled. It also goes further than a UAC bypass would, as it lets an attacker run malicious code with kernel privileges, whereas UAC only mediates elevation to administrator rights and never grants kernel-level access. The flaw has also been described as a potential "nightmare" by some security researchers. This seems unnecessarily alarmist for a flaw that can't be exploited remotely, and that isn't that different from many other flaws found already this year.

Microsoft says that it is investigating the flaw but has not yet published a fix or a timetable for a fix.