Another Windows 7 Zero-Day Released

Microsoft’s security response team is investigating the release of a new zero-day flaw that exposes Windows 7 users to blue-screen crashes or code execution attacks.

The flaw could be exploited by local attackers to cause a denial-of-service or potentially gain elevated privileges, according to an advisory from VUPEN, a French security research outfit.

From VUPEN’s advisory:

This issue is caused by a buffer overflow error in the “CreateDIBPalette()” function within the kernel-mode device driver “Win32k.sys” when using the “biClrUsed” member value of a “BITMAPINFOHEADER” structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges.

The flaw is confirmed on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.

Microsoft plans to issue 13 bulletins with patches for 34 vulnerabilities tomorrow (Tuesday August 10) but it is unlikely we will see a fix for this new issue.