A History of Errors: The Evolution of Windows Error Reporting Exploits

Description:

Windows Error Reporting (WER) is a fundamental component of the Windows ecosystem, designed to diagnose system crashes. However, its high privileges and complex file handling mechanisms have made it a persistent target for local privilege escalation (LPE) attacks.

In this talk, I will walk through the evolutionary history of WER vulnerabilities, ranging from classic arbitrary file manipulation to complex race conditions. I will dissect the cat-and-mouse game between attackers and Microsoft’s patch management, covering key CVEs from 2019 to 2026.

Through this presentation, I will trace how these vulnerabilities have persisted and evolved despite continuous mitigations, including undocumented "silent patches." I will examine the resurgence of handle duplication bugs in 2025, and as a culmination of this historical research, provide a detailed analysis of a powerful arbitrary process killing primitive (ZDI-24-1098) alongside a currently undisclosed 0-day vulnerability in wersvc.