July 7th, 2025
mind blown1 reaction

Dubious security vulnerability: If I perform this complex series of manual steps, I can crash a program I am running

Raymond Chen
Raymond Chen

A security vulnerability report arrived that went roughly like this.

In Program X, click on the triangle icon and hold the mouse down. Drag the triangle icon to the green box in the corner, and while still holding the mouse down, press Alt+F4 to close the window. The program will crash on a null pointer.

It sure looks like you found a bug. But is it a security bug?

Who is the attacker? Who is the victim? What has the attacker gained?

The attacker is presumably the person using the mouse and keyboard to trigger the bug.

The victim is, um, I guess it’s the person whose program crashed. But wait, that’s the same as the attacker!

What the attacker gained is the ability to prevent the victim from getting work done.

It’s unclear how this became “elevation of privilege”. A crash on null pointer is typically at most a denial of service. And in this case, the attacker is denying service to himself.

If you want to deny service to yourself, you can just click the × button in the top right corner of the window. There, now you can’t use the program!

The report finishes with a claim that if malware could trigger the crash, then the malware could use a crafted input to escalate privileges.

First of all, there’s no escalation here. The crash is on a null pointer, not a use-after-free or something else that could be leveraged to gain remote code execution. Furthermore, if malware has the ability to inject input, then they don’t need this bug to escalate privileges. They could inject input to run an elevated command prompt and type commands into it!

Category
Old New Thing
Topics
Other

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

2 comments

Discussion is closed. Login to edit/delete existing comments.

Sort by :
  • Andreas Rejbrand

    When I test my own software, I always do things like this: At the most "scary" moment possible (a lot of threads running, an ongoing OLE drag and drop operation, mouse button down, etc.), I Alt+F4, Win+D, Win+L, or even Ctrl+Alt+Del. And then I make sure that nothing unwanted happens. I also test very rapid keyboard and mouse input; no matter what the user does, the UI should never enter an invalid state. This is an important part of software quality IMHO. And Microsoft Windows was really really good at this in the 95–Windows 7 era. (Since then, things have...

    Read more
  • Henke37

    It might be time for a formal blog Category/Topic called “Dubious security vulnerability”.

Read next