CyberGod

Microsoft confirms 17-year-old Windows vulnerability

One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009), Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.

According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.

As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security; the primary audience of this advisory is expected to be domain administrators and security professionals.

Ormandy's advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group Policy.

The mitigation in Microsoft's advisory mirrors the advice from Ormandy.

If you believe you may be affected, you should consider applying the workaround described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home:

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

MORE & SOURCES:

http://blogs.zdnet.com/security/?p=5307&tag=nl.e589

http://seclists.org/fulldisclosure/2010/Jan/341

http://www.microsoft.com/technet/security/advisory/979682.mspx
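Added example (not from the post or either advisory): a PowerShell audit script for the "Prevent access to 16-bit applications" workaround described above. It assumes that policy is stored as the DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and it reports 64-bit hosts as unaffected because, as the article notes, NTVDM is not present there; Enable-VdmWorkaround is a helper name chosen here.

```powershell
# Audit (and optionally apply) the "Prevent access to 16-bit applications" workaround
# on a 32-bit Windows host. Assumption: the policy writes VDMDisallowed=1 (DWORD) under
# the AppCompat policies key; a domain GPO setting the same value takes precedence.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyValue = 'VDMDisallowed'

function Get-VdmWorkaroundStatus {
    # Win32_Processor.AddressWidth reports the operating system's address width
    # (32 on 32-bit Windows, 64 on x64/IA64), which is what decides whether NTVDM exists.
    $width   = (Get-WmiObject -Class Win32_Processor | Select-Object -First 1).AddressWidth
    $current = $null
    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
        if ($item -ne $null) { $current = $item.$PolicyValue }
    }
    New-Object -TypeName PSObject -Property @{
        Is32BitWindows    = ($width -eq 32)
        VdmDisallowed     = $current
        WorkaroundApplied = ($current -eq 1)
    }
}

function Enable-VdmWorkaround {
    # Must run from an elevated prompt; creates the policy key if it does not exist yet.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 1 -Type DWord
}

$status = Get-VdmWorkaroundStatus
if (-not $status.Is32BitWindows) {
    Write-Output '64-bit Windows: the NTVDM subsystem is not present, so this host is not affected.'
} elseif ($status.WorkaroundApplied) {
    Write-Output "Workaround already applied ($PolicyValue = 1); 16-bit applications are blocked."
} else {
    Write-Output '32-bit Windows without the workaround: run Enable-VdmWorkaround from an elevated prompt.'
}
```

After applying the value locally, run gpupdate /force (or reboot) and confirm that launching a 16-bit program is refused for a non-administrative user.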