In a rare find, a researcher has unveiled dozens of related bugs in a core Windows API that could enable attackers to elevate their privileges in the operating system.

A year ago, Gil Dabah promised that he would find over 15 bugs related to the Windows win32k component.

This week, he released a report detailing 25 of them.

The bugs take advantage of a long-understood problem with win32k, the kernel-mode component that implements the Windows user interface (window management and graphics). That code originally ran in user mode, which is where regular Windows applications run. User mode is the less privileged part of the system: it can't access hardware directly and instead has to ask the kernel, the core of the OS that handles low-level operating system functions, to do so on its behalf.

Microsoft eventually moved win32k into the kernel (with Windows NT 4.0), but because thousands of applications depend on its user-mode behaviour, it frequently has to call back into user mode, for example to run an application's window procedure or a hook, before it can finish an operation. That bridge between kernel and user mode is potentially dangerous: attacker-controlled code gets to run in the middle of a kernel operation, and if it can tamper with the state the kernel-mode code is relying on, the attacker gains kernel-level access to the system.

A common mistake among developers in the past was to forget to lock a kernel-mode object (take a reference on it) before win32k called back into user mode. During the callback, the attacker could destroy that object from user mode, for example by destroying the very window the kernel was still working on. When control returned to the kernel, the object wasn't there anymore, but the kernel still held a pointer to it and kept using it. This created a use-after-free (UAF) error: the attacker can reclaim the freed memory with controlled data, so the kernel's next use of the stale pointer operates on attacker-supplied contents.
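The following is an added example, not code from the article or from Gil Dabah's report, that models the callback pattern above as an ordinary user-mode C program. The object pool, the names (window_t, lock_window(), vulnerable_get_text_length(), hardened_get_text_length()) and the 0x41414141 "attacker data" are all assumptions for illustration; real win32k uses different structures and locking routines. The vulnerable path calls back into "user mode" without a reference, so the callback frees the window and the kernel-side code reads whatever reclaimed the slot. The hardened path takes a reference first, so the destroy is deferred until the reference is dropped, and then checks whether the object survived before touching it.

```c
/*
 * Model of the win32k "callback without a lock" use-after-free.
 * Added example; names and layout are hypothetical, not win32k's own.
 */
#include <stdio.h>
#include <stdint.h>

#define POOL_SLOTS 4
#define ATTACKER_DATA 0x41414141u /* stands in for a spray that reclaimed the freed chunk */

typedef struct window {
    int      in_use;          /* 0 = slot is free (memory back in the "pool") */
    int      lock_count;      /* >0 while kernel code holds a reference */
    int      destroy_pending; /* DestroyWindow arrived while the object was locked */
    uint32_t text_length;     /* the field the kernel reads after the callback */
} window_t;

typedef void (*wndproc_t)(window_t *w); /* the user-mode side of the callback */

static window_t pool[POOL_SLOTS];

static window_t *create_window(uint32_t text_length) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].lock_count = 0;
            pool[i].destroy_pending = 0;
            pool[i].text_length = text_length;
            return &pool[i];
        }
    }
    return NULL;
}

/* The allocator hands the freed chunk straight to an attacker who fills it. */
static void free_window(window_t *w) {
    w->in_use = 0;
    w->text_length = ATTACKER_DATA;
}

/* Destroy honours outstanding references: freeing is deferred while locked. */
static void destroy_window(window_t *w) {
    if (w->lock_count > 0) {
        w->destroy_pending = 1;
        return;
    }
    free_window(w);
}

static void lock_window(window_t *w) { w->lock_count++; }

/* Returns 1 if the object is still alive after the unlock, 0 if it was freed. */
static int unlock_window(window_t *w) {
    if (--w->lock_count == 0 && w->destroy_pending) {
        free_window(w);
        return 0;
    }
    return 1;
}

/* User-mode callbacks: a well-behaved one and an attacker's window procedure. */
static void benign_wndproc(window_t *w) { (void)w; }
static void attacker_wndproc(window_t *w) { destroy_window(w); }

/* Vulnerable: no reference held across the callback, so the object can be
 * freed and reclaimed before the read below. */
static uint32_t vulnerable_get_text_length(window_t *w, wndproc_t proc) {
    proc(w);               /* callback into user mode */
    return w->text_length; /* use after free: reads attacker data if destroyed */
}

/* Hardened: reference, callback, release, then check before using.
 * Returns 0 and fills *out on success, -1 if the window was destroyed. */
static int hardened_get_text_length(window_t *w, wndproc_t proc, uint32_t *out) {
    lock_window(w);
    proc(w);                      /* attacker's DestroyWindow is only recorded */
    if (!unlock_window(w))        /* deferred free happens here, and is reported */
        return -1;                /* do not touch w again */
    *out = w->text_length;
    return 0;
}

int main(void) {
    uint32_t len = 0;
    window_t *w = create_window(12);
    printf("vulnerable read after hostile callback: 0x%08x\n",
           (unsigned)vulnerable_get_text_length(w, attacker_wndproc));
    w = create_window(12);
    printf("hardened read after hostile callback:   rc=%d\n",
           hardened_get_text_length(w, attacker_wndproc, &len));
    w = create_window(7);
    printf("hardened read after benign callback:    rc=%d len=%u\n",
           hardened_get_text_length(w, benign_wndproc, &len), (unsigned)len);
    return 0;
}
```

The important detail is the return value of unlock_window(): dropping the last reference is exactly the moment a deferred destroy takes effect, so the kernel-side caller must learn whether the object outlived the callback and bail out if it did not, rather than assume the pointer it had before the callback is still good.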