{"id":111351,"date":"2025-07-07T07:00:00","date_gmt":"2025-07-07T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=111351"},"modified":"2025-07-07T05:58:23","modified_gmt":"2025-07-07T12:58:23","slug":"20250707-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20250707-00\/?p=111351","title":{"rendered":"Dubious security vulnerability: If I perform this complex series of manual steps, I can crash a program I am running"},"content":{"rendered":"

A security vulnerability report arrived that went roughly like this.<\/p>\n

\n

In Program X<\/i>, click on the triangle icon and hold the mouse down. Drag the triangle icon to the green box in the corner, and while still holding the mouse down, press Alt<\/kbd>+F4<\/kbd> to close the window. The program will crash on a null pointer.<\/p>\n<\/blockquote>\n

It sure looks like you found a bug. But is it a security bug?<\/p>\n

Who is the attacker? Who is the victim? What has the attacker gained?<\/p>\n

The attacker is presumably the person using the mouse and keyboard to trigger the bug.<\/p>\n

The victim is, um, I guess it’s the person whose program crashed. But wait, that’s the same as the attacker!<\/p>\n

What the attacker gained is the ability to prevent the victim from getting work done.<\/p>\n

It’s unclear how this became “elevation of privilege”. A crash on null pointer is typically at most a denial of service. And in this case, the attacker is denying service to himself.<\/p>\n

If you want to deny service to yourself, you can just click the \u00d7 button in the top right corner of the window. There, now you can’t use the program!<\/p>\n

The report finishes with a claim that if malware could trigger the crash, then the malware could use a crafted input to escalate privileges.<\/p>\n

First of all, there’s no escalation here. The crash is on a null pointer, not a use-after-free or something else that could be leveraged to gain remote code execution. Furthermore, if malware has the ability to inject input, then they don’t need this bug to escalate privileges. They could inject input to run an elevated command prompt and type commands into it!<\/p>\n","protected":false},"excerpt":{"rendered":"

What security boundary did you cross?<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-111351","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"

What security boundary did you cross?<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=111351"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111351\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=111351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=111351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=111351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}