Bypassing Windows 10's Protections Using a Single Bit

358 points, by 2510c39011c5, over 10 years ago

10 comments

Animats, over 10 years ago

When your OS kernel handles scroll bars, you're doing something wrong.

NT 3.5 had the GUI entirely outside the kernel. For compatibility with Windows 95, much of the Windows 95 GUI code was moved into the kernel. 20 years later, that decision is still causing bugs.
sandworm, over 10 years ago

It's a flaw. A bad one. But things like this get patched every day. Only an idiot would believe there aren't plenty of other undiscovered security flaws in Windows, or any other OS. What matters is whether this flaw was ever exploited, whether it was ever spotted in the wild, before it was patched.

I am more than happy to criticize Microsoft. I truly hate Windows and everything it represents. But the system seems to have worked here. The bug was reported and patched before it became a widespread issue. I'll save my venom for those all-too-common days where Microsoft fails to address a problem in a timely manner. (Or also Apple, plenty of venom for them too.)
mdriley, over 10 years ago

This doesn't "bypass all Windows security measures". As of Windows 8, processes can disable win32k syscalls using SetProcessMitigationPolicy with ProcessSystemCallDisablePolicy.

https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088%28v=vs.85%29.aspx
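As an added illustration of the mitigation mdriley mentions (this code is not from the thread or from the linked write-up), here is how a process opts itself out of win32k.sys system calls and reads the policy back to confirm it took effect. Only the Win32 API names are real; the helper names are my own, and the non-Windows fallback branch is an assumption so the file also builds elsewhere.

```c
/* Opt the current process out of win32k.sys system calls
 * (PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, Windows 8+).
 * The policy can only be applied to the calling process and cannot be
 * cleared again; every USER/GDI call made afterwards fails, so it belongs
 * in worker processes that never draw (e.g. a renderer or parser sandbox),
 * applied after any GUI-dependent initialisation is finished. */
#include <stdio.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602   /* Windows 8: first release with this policy */
#endif
#include <windows.h>
#endif

/* Bit 0 of the policy's Flags word is DisallowWin32kSystemCalls. */
#define WIN32K_DISALLOW_FLAG 1u

/* Portable helper (my own name): the Flags value requesting the lockdown. */
unsigned int win32k_lockdown_flags(void) { return WIN32K_DISALLOW_FLAG; }

/* Returns 1 when the policy is confirmed active for this process,
 * 0 when the Windows call failed, -1 when not built for Windows (assumed fallback). */
int disable_win32k_syscalls(void) {
#ifdef _WIN32
    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY pol;
    ZeroMemory(&pol, sizeof pol);
    pol.Flags = win32k_lockdown_flags();   /* same as pol.DisallowWin32kSystemCalls = 1 */
    if (!SetProcessMitigationPolicy(ProcessSystemCallDisablePolicy, &pol, sizeof pol)) {
        fprintf(stderr, "SetProcessMitigationPolicy failed: %lu\n", GetLastError());
        return 0;
    }
    /* Read the policy back rather than trusting the return value alone. */
    ZeroMemory(&pol, sizeof pol);
    if (!GetProcessMitigationPolicy(GetCurrentProcess(), ProcessSystemCallDisablePolicy,
                                    &pol, sizeof pol))
        return 0;
    return pol.DisallowWin32kSystemCalls ? 1 : 0;
#else
    return -1;
#endif
}

int main(void) {
    int r = disable_win32k_syscalls();
    if (r == 1)      puts("win32k system calls are now disabled for this process");
    else if (r == 0) puts("could not enable the policy; see the error printed above");
    else             puts("not a Windows build; nothing to do");
    return r == 0;
}
```

Any user32/gdi32 call attempted after a successful return fails rather than reaching win32k, which is why the lockdown is applied in processes that have no GUI work left to do.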
laurent123456, over 10 years ago

How do they find exploits like this? Do they check every single kernel function for unchecked pointers? Do they have some automated way to discover this?
peterkelly, over 10 years ago

> This particular vulnerability appears in the GUI component of Microsoft Windows Kernel

There's your problem right there.
MichaelGG, over 10 years ago

How many of those new protections listed (DEP, ASLR, page 0 mapping) are still useful with a system like Rust? 'Cause it seems like a hell of a lot of effort is going into hardening the environment 'cause the code is just that leaky, but I'm probably misunderstanding something.
72deluxe, over 10 years ago

The dead code comment at the end was informative. Does anyone else use code analysis of C/C++ to find dead stores etc.?

I have used flawfinder, cppcheck and Xcode's (clang's) analysis, which has helped me find issues.
TheCraiggers, over 10 years ago

> After some hard word, however, we managed to produce a fully working exploit which we'll describe.

Wait, now I'm confused... was it a single bit, or an entire word that triggers this bug? ;)
zaroth, over 10 years ago

I'm sorry, wait... they hacked it through the scroll-bars? You can't make this shit up.
thclark, over 10 years ago

Remove those unnecessary lines of code and you will be surprised how the security holes close by themselves.