Perhaps this is an unfair oversimplification, but a humorous (to me) summary of the SDL might be "security is solved because old code is irrelevant and new code is perfect". For this reason, I can't help finding it amusing that both old and new Microsoft code keeps failing so spectacularly. I mentioned some ancient code that fails yesterday, here's a fun example of brand new code failing. There is a new Windows 8+ only feature I've been looking at, the Touch Injection API: http://msdn.microsoft.com/en-us/library/windows/desktop/hh802898(v=vs.85).aspx The feature is backed by two new system calls, win32k!NtUserInitializeTouchInjection and win32k!NtUserInjectTouchInput. When you initialize touch injection, you specify the maximum number of simultaneous contacts you want to support, up to MAX_TOUCH_CONTACTS. This allocates enough space for the appropriate structures. Unfortunately, win32k!InitializeTouchInjectionWithQDCData doesn't handle allocation failure correctly. This can be exploited by allocating all available pool, and then increasing the number of contacts requested. I have a reliable test case for this issue, attached for reference or at the URL below (only tested on x86, but I don't see why it wouldn't work on x64). https://gist.github.com/taviso/4cfc3035e99f2ea1377e -- ------------------------------------- taviso () cmpxchg8b com | pgp encrypted mail preferred -------------------------------------------------------