CVE-2012-0157 | Windows - win32k.sys Operational Intel

Executive Risk Summary

"A vulnerability in the win32k.sys kernel-mode driver allows local users to gain privileges via a crafted application that calls the PostMessage function. This vulnerability affects various Windows operating systems, including Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7."

Anticipated Attack Path

1. Exploitation of the PostMessage function vulnerability
2. Elevation of privileges
3. Execution of arbitrary code

Am I Vulnerable?

Verify the presence of the win32k.sys kernel-mode driver
Check for the vulnerability using the OVAL definition (oval:org.mitre.oval:def:14217)
Apply the patch from Microsoft (MS12-018)

Operational Audit Arsenal

Target Type Kernel-mode driver

Target Asset win32k.sys

Standard Path C:\Windows\System32\drivers\win32k.sys

PowerShell

# 🛠️ Senior Engineer Universal Audit
# Target: win32k.sys (Kernel-mode driver)
$Targets = 'win32k.sys'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue | 
Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}