* Windows 7
* Windows Vista
* Windows Server 2008 R2
* Windows Server 2008
* Microsoft Windows XP
* Microsoft Windows Server 2003
* Windows 7 with MS10-048
* Windows Vista with MS10-048
* Windows Server 2008 R2 with MS10-048
* Windows Server 2008 with MS10-048
* Microsoft Windows XP with MS10-048
* Microsoft Windows Server 2003 with MS10-048
There is a bug in the xxxCreateWindowEx Windows kernel function, located in win32k.sys. This function addresses memory using a window pseudo-handle (the hParent parameter) that is supplied by user mode via a callback. The bug can be exploited by surreptitiously registering a callback or "hook" that modifies parameters passed by the kernel into userland; those modified parameters are then reused when execution returns to the kernel from the callback.
In normal execution, when CreateWindow is called from user space, the NtUserCreateWindowEx kernel function runs, and xxxCreateWindowEx is next on the kernel-side call stack. The latter function then checks whether callback functions (or "hooks") were properly registered and calls xxxCallHook, which begins dispatching the registered callbacks into userland.
The problem resides in the mechanism used to pass parameters back to the process creating the window, such as the aforementioned hParent parameter. These parameters are passed via the stack into user space and reused by the kernel after the callback function has executed. If the callback function resets the hParent parameter to pseudo-handle values such as 0xffffffff or 0xfffffffe, the kernel crashes (most likely because handle validation had already been performed and was not repeated after executing untrusted userland code).
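The pattern described above is a validate-then-callback-then-reuse flaw. The following constructed model (added here; it is not win32k.sys code and not taken from the original write-up) uses a tiny handle table, a stand-in for a registered hook, and the two pseudo-handle values named on the page to show why a value that crossed into userland must not be trusted afterwards; the hardened variant keeps the validated value in a local the hook cannot reach and re-checks the exposed copy. All names and the table layout are assumptions of the model.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model, not win32k.sys: a "window handle" is an index into a
 * small table. The two pseudo-handle values are the ones the text names. */
typedef uint32_t HWND_T;
#define HWND_PSEUDO_A 0xffffffffu
#define HWND_PSEUDO_B 0xfffffffeu
#define WINDOW_TABLE_SIZE 8u
#define INVALID_PARENT ((int64_t)-1)

typedef struct { HWND_T hParent; } CreateParams;   /* block handed to the hook */
typedef void (*CbtHook)(CreateParams *p);           /* stands in for a registered hook */

static bool handle_is_valid(HWND_T h) { return h < WINDOW_TABLE_SIZE; }

/* Models the defect: validate once, expose the block to the hook, then reuse
 * whatever came back. Returns the parent index the kernel would dereference. */
int64_t resolve_parent_vulnerable(HWND_T hParent, CbtHook hook) {
    if (!handle_is_valid(hParent)) return INVALID_PARENT;
    CreateParams p = { hParent };
    if (hook) hook(&p);                 /* untrusted user-mode code runs here */
    return (int64_t)p.hParent;          /* no re-check: a pseudo-handle gets through */
}

/* Hardened form: keep the validated value where the hook cannot reach it and
 * re-validate the exposed copy before trusting it again. */
int64_t resolve_parent_hardened(HWND_T hParent, CbtHook hook) {
    if (!handle_is_valid(hParent)) return INVALID_PARENT;
    const HWND_T validated = hParent;   /* private copy, never exposed */
    CreateParams p = { hParent };
    if (hook) hook(&p);
    if (p.hParent != validated || !handle_is_valid(p.hParent)) return INVALID_PARENT;
    return (int64_t)p.hParent;
}

/* Constructed hooks for the model: one leaves the block alone, one rewrites
 * hParent to a pseudo-handle, which is the behaviour the text describes. */
void benign_hook(CreateParams *p) { (void)p; }
void tampering_hook(CreateParams *p) { p->hParent = HWND_PSEUDO_A; }
```

The contrast to take away is that the hardened path treats the post-callback value as fresh untrusted input, which is the re-verification the text says was missing.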