CVE-2013-1293
Description
A local elevation of privilege vulnerability in the NTFS kernel-mode driver of several Microsoft Windows versions allows a crafted application to trigger a NULL pointer dereference and system crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The NTFS kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 improperly handles objects in memory when processing specially crafted IOCTL requests from local applications. This flaw leads to a NULL pointer dereference in kernel mode [1]. The driver fails to validate object state before use, allowing a crafted application to trigger the condition [1].
Exploitation
An attacker must have valid logon credentials and be able to log on locally to the target system [1]. The attacker runs a specially crafted application that sends a series of IOCTL calls to the NTFS driver, causing the kernel to dereference a NULL pointer [1]. No additional user interaction or network access is required beyond local authentication.
Impact
Successful exploitation results in a denial of service (system crash due to a bug check) or, in some cases, elevation of privilege, potentially allowing the attacker to execute arbitrary code in kernel mode [1]. The attacker gains SYSTEM-level access, fully compromising the confidentiality, integrity, and availability of the affected system [1].
Mitigation
Microsoft released security update MS13-036 (Knowledge Base Article 2829996) on April 9, 2013, which addresses this vulnerability by correcting the memory handling in the NTFS driver [1]. The update is rated Important and is available through automatic updates, Microsoft Update, and enterprise deployment tools [1]. No workaround is documented; applying the update is the sole mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- cpe:2.3:o:microsoft:windows_server_2008:*:r2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:*
- Range: Vista SP2, Server 2008 SP2/R2/R2 SP1, Win7 Gold/SP1
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.