cbcvebase.
CVE-2017-0001
published 2017-03-17

Priority: P179 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2022-03-24
ITW: Exploited in the wild
EPSS: 3.11% (86.2th percentile)

The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0005, CVE-2017-0025, and CVE-2017-0047.

Affected

18 ranges

Vendor                 Product                                       Version range  Fixed in
microsoft              windows_10
microsoft              windows_10
microsoft              windows_server_2008
microsoft              windows_server_2012
microsoft_corporation  windows_gdi
msrc                   windows_10
msrc                   windows_10_version_1511
msrc                   windows_10_version_1607
msrc                   windows_7
msrc                   windows_8.1
msrc                   windows_rt_8.1
msrc                   windows_server_2008
msrc                   windows_server_2008_r2
msrc                   windows_server_2012
msrc                   windows_server_2012_r2
msrc                   windows_server_2016
msrc                   windows_vista_service_pack_2
msrc                   windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

  • The vulnerability is exploited via a specially crafted application run by a locally authenticated user, targeting the Windows Graphics Device Interface (GDI) memory object handling to achieve kernel-mode code execution.
  • Successful exploitation results in arbitrary code execution in kernel mode; monitor for unexpected kernel-mode process activity or privilege escalation from interactive user sessions.
  • Attack vector is local — attacker must already be logged on to the system. Focus detection on post-authentication local privilege escalation activity rather than remote exploitation.
  • CVE-2017-0001 is one of four related Windows GDI Elevation of Privilege vulnerabilities; detections should account for the full family (CVE-2017-0001, CVE-2017-0005, CVE-2017-0025, CVE-2017-0047) as they share the same attack surface.
  • Microsoft's patch also replaces certain third-party libraries used by Windows 8.1, Server 2012/2012 R2, Server 2016, and all Windows 10 versions; ensure patching covers this broader library replacement, not just the GDI fix.

CVSS provenance

nvd          v3.1  7.8  HIGH  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0  7.2  HIGH  AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck          7.8  HIGH
cisa               7.8  HIGH
vendor_msrc        7.8  HIGH