2008-02-08  Sebastian Gottschalk  <seppig_relay at gmx dot de>

        * alertdrv.c (AlertDrvDispatch): The IOCTL code
        IOCTL_ALERTDRV_SET_ALERTABLE2 calls the function
        ObReferenceObjectByHandle with the parameter "AccessMode" set to
        the value "UserMode". According to Microsoft's documentation on
        MSDN, this is a potential bug, since it's perfectly possible to
        get called from kernel mode by a lower-level filter driver. For
        this reason, the value from Irp->RequestorMode should be taken
        instead.
        PHANDLE ph is not validated at all, which creates a multitude of
        security issues:
          - the handle might not refer to mapped memory, which will crash
            the system
          - it might refer to kernel memory, which will crash the system
            or leak sensitive information
          - it might be a handle to a non-thread object, which will corrupt
            kernel memory
          - it might be a guessed handle to a thread for which the
            application has no access, effectively creating a privilege
            escalation vulnerability.
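
The checks this entry calls for, as an added example that is not code from alertdrv.c: a user-mode C model in which the pointer is probed and the handle captured before use, and the handle lookup enforces object type and granted access using the requestor's mode. All names, the handle table, the access right and the address layout are constructed assumptions; in a driver the two steps correspond to ProbeForRead inside __try/__except and ObReferenceObjectByHandle called with a thread object type and Irp->RequestorMode.

```c
#include <stdint.h>

/* User-mode model with constructed data; every name here is hypothetical. */
typedef enum { MODE_KERNEL, MODE_USER } Mode;   /* stands in for Irp->RequestorMode */
typedef enum { TYPE_THREAD, TYPE_FILE } ObjType;
typedef enum { ST_OK, ST_ACCESS_VIOLATION, ST_INVALID_HANDLE,
               ST_TYPE_MISMATCH, ST_ACCESS_DENIED } Status;

#define RIGHT_SET_ALERTABLE 0x1u     /* assumed access right the request needs */
#define USER_SPACE_END 0x7FFF0000u   /* constructed user/kernel boundary */
#define PAGE_BASE 0x10000u           /* the only mapped user page in the model */

typedef struct { int used; ObjType type; uint32_t granted; } HandleEntry;
static const HandleEntry handles[] = {        /* index is the handle value */
    {0, TYPE_FILE, 0},
    {1, TYPE_THREAD, RIGHT_SET_ALERTABLE},    /* 1: thread, right granted */
    {1, TYPE_FILE, RIGHT_SET_ALERTABLE},      /* 2: not a thread */
    {1, TYPE_THREAD, 0},                      /* 3: thread, right not granted */
};
static const uint32_t user_page[] = {1, 2, 3, 99};  /* handle values at PAGE_BASE */

/* Probe, then capture: a user-mode caller's pointer must lie below the
   boundary; an unmapped address models the fault a __try/__except catches. */
static Status capture_handle(uint32_t addr, Mode mode, uint32_t *out) {
    if (mode == MODE_USER && addr >= USER_SPACE_END)
        return ST_ACCESS_VIOLATION;
    if (addr % 4 != 0 || addr < PAGE_BASE || addr - PAGE_BASE >= sizeof user_page)
        return ST_ACCESS_VIOLATION;
    *out = user_page[(addr - PAGE_BASE) / 4];
    return ST_OK;
}

/* Type is always checked; granted access only for user-mode callers. */
static Status reference_thread(uint32_t h, uint32_t desired, Mode mode) {
    if (h >= sizeof handles / sizeof handles[0] || !handles[h].used)
        return ST_INVALID_HANDLE;
    if (handles[h].type != TYPE_THREAD)
        return ST_TYPE_MISMATCH;
    if (mode == MODE_USER && (handles[h].granted & desired) != desired)
        return ST_ACCESS_DENIED;
    return ST_OK;
}

/* Model of the dispatch path: one mode value drives both checks. */
Status set_alertable(uint32_t ph_addr, Mode requestor) {
    uint32_t h = 0;
    Status st = capture_handle(ph_addr, requestor, &h);
    return st != ST_OK ? st : reference_thread(h, RIGHT_SET_ALERTABLE, requestor);
}
```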