Connect with us

Hi, what are you looking for?



Code Execution Flaw Plagues Intel Graphics Driver

A local code execution vulnerability that affects the Intel HD Graphics Kernel Mode Driver for Windows could allow an attacker to run arbitrary code on a target system or cause denial of service, Cisco Talos researchers discovered.

A local code execution vulnerability that affects the Intel HD Graphics Kernel Mode Driver for Windows could allow an attacker to run arbitrary code on a target system or cause denial of service, Cisco Talos researchers discovered.

Tracked as CVE-2016-5647, the security issue was discovered in the communication functionality of Intel Graphics Kernel Mode Driver. An attacker can exploit the vulnerability by sending a specific message to escalate privileges on the local system and cause a system crash (denial of service), or execute arbitrary code.

The vulnerability was discovered by Piotr Bania in Intel HD Graphics Windows Kernel Mode Driver version and requires physical access to the impacted machine to be exploited. The sending of a specially crafted D3DKMTEscape request to the Intel HD Graphics driver results in a NULL dereference and an attacker can leverage the vulnerability for their own benefits, the researcher notes in an advisory.

However, the exploitation of the flaw is limited to local contexts, and Cisco’s researcher explains that the severity of the vulnerability depends on the system an adversary would be trying to exploit. Windows 7 or earlier systems can be targeted for arbitrary code execution in the context of SYSTEM, while Windows 8 or later systems are only prone to a system crash (denial of service).

According to Cisco Talos’ Earl Carter, an attacker would require the ability to allocate or map the NULL page in Windows to exploit the bug for arbitrary code execution. In Windows 7 or earlier, the NTVDM (NT Virtual DOS Machine) subsystem can be used to allocate or map the NULL page.

“When a NULL dereference occurs in kernel space, the user-mode application that caused a context switch is still mapped in lower memory. An attacker can take advantage of this and map the NULL page before triggering the vulnerability to control the contents of the dereference. In this case, the user-controlled value could be a function pointer and lead to arbitrary code execution,” the researcher explains.

Microsoft removed the NTVDM subsystem from the 64-bit version Windows 8 and later to mitigate the attack type, while 32-bit version of Windows 8 or newer have NTVDM disabled by default. According to Cisco’s researcher, however, these mitigations are not foolproof, because “another driver could possibly be manipulated into placing user controlled data at the NULL page.” However, this is not a generic case like the usermode mapping.

Advertisement. Scroll to continue reading.

According to Carter, the main issue here is backwards compatibility, which can be exploited by adversaries who are aware that many organizations cannot upgrade to newer platform releases due to legacy application requirements. Thus, businesses need to find other ways to mitigate attacks, such as ensuring they keep their operating system updated with the latest security patches.

Related: Intel Patches Vulnerability in Driver Update Utility

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.