Windows Kernel Reference Count Vulnerabilities – Case Study (ZeroNights 2012)


  • Language: English
  • Conference: ZeroNights
  • Location: Moscow, Russia
  • Date: November 2012
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk



Windows kernel vulnerabilities are quickly becoming the second most significant concern for low-level security specialists, after client-side bugs, because they allow a remote exploit to escape the sandboxing technologies now widely deployed in popular web browsers and document readers. With a growing number of such flaws being found and fixed every month, and Microsoft investing more and more effort in hardening the kernel, we believe it is equally important to understand and discuss how certain classes of bugs could be eliminated entirely. In this presentation we will highlight several interesting kernel-mode flaws caused by incorrect reference counting that Microsoft has recently patched, cover their actual impact on system security, and propose ways in which the bugs could have been addressed more generically.
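As an added illustration of what "incorrect reference counting" means for a kernel object, the following user-mode model contrasts a balanced handler with the two classic mistakes: an error path that forgets to release the reference it took (a leak, which an attacker who can trigger the failure at will can repeat), and an error path that releases one reference too many (the object is freed while a caller still holds it). This is example code written for this page, not code from the talk or from Windows; every name (object_t, object_reference, handler_*, run_scenario) is invented, and the object records "free" events instead of freeing memory so the outcome can be inspected safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-mode model of a reference-counted kernel object.
 * Instead of freeing memory when the count reaches zero, the object
 * records each "free" event so the effect of a counting bug can be
 * observed without undefined behaviour. */
typedef struct {
    long refcount;      /* outstanding references */
    int free_events;    /* times the object hit zero, or was released after it */
    char name[16];
} object_t;

typedef struct {
    long refcount;      /* count left after the owner dropped its own reference */
    int free_events;    /* 0 = leaked, 1 = freed exactly once, >1 = released after free */
} outcome_t;

static object_t *object_create(const char *name) {
    object_t *obj = calloc(1, sizeof *obj);
    if (obj == NULL) abort();
    obj->refcount = 1;                  /* the creator holds the first reference */
    strncpy(obj->name, name, sizeof obj->name - 1);
    return obj;
}

static void object_reference(object_t *obj) {
    obj->refcount++;
}

/* Drop one reference. Reaching zero "frees" the object; releasing a
 * reference that was never taken is recorded as a further free event,
 * which in a real kernel would be a use-after-free or double free. */
static void object_dereference(object_t *obj) {
    if (obj->refcount <= 0) {
        obj->free_events++;             /* release of an already freed object */
        return;
    }
    if (--obj->refcount == 0)
        obj->free_events++;             /* last reference gone: object freed */
}

/* Correct handler: one reference taken, one released on every path. */
static int handler_fixed(object_t *obj, int fail) {
    object_reference(obj);
    int rc = fail ? -1 : 0;             /* pretend the operation failed */
    object_dereference(obj);
    return rc;
}

/* Bug 1: the error path keeps the reference it took, so the object can
 * never be freed and one reference leaks per failing call. */
static int handler_leak(object_t *obj, int fail) {
    object_reference(obj);
    if (fail)
        return -1;                      /* BUG: missing object_dereference */
    object_dereference(obj);
    return 0;
}

/* Bug 2: the error path releases twice, taking away a reference the
 * caller still relies on; the object is freed while still in use. */
static int handler_over_release(object_t *obj, int fail) {
    object_reference(obj);
    if (fail) {
        object_dereference(obj);
        object_dereference(obj);        /* BUG: this reference was not ours to drop */
        return -1;
    }
    object_dereference(obj);
    return 0;
}

/* The owner creates an object, invokes the handler `calls` times with the
 * given failure flag, drops its own reference and reports the end state. */
static outcome_t run_scenario(int (*handler)(object_t *, int), int calls, int fail) {
    object_t *obj = object_create("sample");
    for (int i = 0; i < calls; i++)
        handler(obj, fail);
    object_dereference(obj);            /* owner's own release */
    outcome_t out = { obj->refcount, obj->free_events };
    free(obj);
    return out;
}

int main(void) {
    struct { const char *label; int (*fn)(object_t *, int); } cases[] = {
        { "fixed",        handler_fixed },
        { "leak",         handler_leak },
        { "over-release", handler_over_release },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        outcome_t o = run_scenario(cases[i].fn, 3, 1);
        printf("%-13s refcount=%ld free_events=%d -> %s\n", cases[i].label,
               o.refcount, o.free_events,
               o.free_events == 0 ? "leaked" :
               o.free_events == 1 ? "freed once (ok)" : "freed while still referenced");
    }
    return 0;
}
```

The two failure modes are what a reviewer should check for in any kernel routine that takes a reference: every path out of the function, including every error path, must release exactly the references the function itself took, and nothing else. The leak variant is the quieter of the two, since nothing crashes until the counter is exhausted, which is why the repeatable-trigger case matters.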