Ancient Windows flaw found after 17 years

By The Inquirer
09:49 Jan 21, 2010 | 21 Comments

And you never knew it was there.

A critical flaw has been found in the Windows NT trap handler that leaves all 32-bit Windows machines wide open to attackers. The problem has been a feature of every Windows system for the last 17 years and no one had noticed.

According to Full Disclosure, the security hole in Windows allows users with restricted access to escalate their privileges to system level.

It works on all 32-bit versions of Windows from Windows NT 3.1 to Windows 7. This is not likely to bother consumers much, but corporate IT managers will be wetting themselves.

The problem is caused by flaws in the Virtual DOS Machine (VDM) that was fitted under the bonnet of Windows NT in 1993 to support 16-bit applications. The VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls.

Google security team member Tavis Ormandy worked out how an unprivileged 16-bit program can manipulate the kernel stack of any process, which lets an attacker execute code at the system privilege level.

To make matters worse he published a sample exploit that runs under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. It opens a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7.

This is where it gets funny. You would think that, faced with such an embarrassing security hole, the Vole would have moved fast to close it, so that when Ormandy announced his discovery it would at least have some comeback. However, Ormandy told Microsoft about the vulnerability in mid-2009 and it did nothing.

He had no problem with publishing his findings because there is a simple workaround for the flaw, which is to disable the MS-DOS subsystem in Windows. All you have to do is start the Group Policy Editor and enable the "Prevent access to 16-bit applications" option under Computer Configuration \ Administrative Templates \ Windows Components \ Application Compatibility.

The workaround reportedly doesn't cause any major compatibility problems for most users if they don't use 16-bit applications.
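The following PowerShell is an added example, not from the article or from Microsoft, for auditing whether a 32-bit machine still exposes the 16-bit subsystem and for applying the same workaround the article describes without opening the Group Policy Editor. It assumes the policy writes the REG_DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and that a 32-bit Windows install carries %SystemRoot%\System32\ntvdm.exe.

```powershell
# Added example: audit and apply the "Prevent access to 16-bit applications"
# policy. Assumed registry location of that policy (not stated in the article):
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmStatus {
    # 64-bit Windows ships no NTVDM, so only a machine that still has the
    # ntvdm.exe binary can be exposed to the flaw described above.
    $vdmBinary  = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $vdmPresent = Test-Path $vdmBinary

    # Read the policy value; a missing key or value means "policy not set".
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $val  = if ($null -ne $prop) { $prop.$ValueName } else { $null }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        NtvdmPresent  = $vdmPresent
        PolicySet     = ($null -ne $val)
        VdmDisallowed = ($val -eq 1)
        Exposed       = $vdmPresent -and ($val -ne 1)   # subsystem there, policy off
    }
}

function Disable-Vdm {
    # Writes the same value the Group Policy Editor would. Needs an elevated
    # shell; on a domain member, prefer setting it in Group Policy as the
    # article suggests so it is not silently reverted at the next refresh.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Get-VdmStatus
}

# Report first; only call Disable-Vdm after confirming no 16-bit apps are needed.
$status = Get-VdmStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning "NTVDM is present and not disabled by policy; run Disable-Vdm to apply the workaround."
}
```

Run Get-VdmStatus across a fleet (for example via remoting) to find the 32-bit hosts that still need the policy; Disable-Vdm changes only the local machine.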

theinquirer.net (c) 2010 Incisive Media

21 Comments
xBomx
Jan 21, 2010 11:01 AM
It's not that big of a deal. It's always been about how you construct the infrastructure of data; generally it all comes down to storing the information and administrator privileges.

I know of one particular university that keeps students' scores entirely on DOS; from there it's a playground for those in the know.

Presently, just for scare tactics, a particular corporation (and a big one in regards), even on Novaltel security systems, on a Windows search bar will search the entire linked network, lol, and they thought they'd been hacked into.

Good thing still about Windows is that, on a consumer level, it is entirely dependent on the user privileges.

Which reminds me, it's time to do my tax.
31imin8r
Jan 21, 2010 11:06 AM
Doesn't surprise me, or bother me.
CptnChrysler
Jan 21, 2010 11:20 AM
A critical security flaw in all 32-bit Windows versions and no patch 6 months after being informed of the flaw?
That's just plain negligence from Microsoft.

This is why I don't use Windows for anything except LAN gaming these days.

If an equivalent flaw was found in a Linux or BSD distro, a patch would have been released within days, if not hours, of the flaw being made public on the relevant mailing lists. Take the Debian random number generator bug last year: it was patched within hours of public notice and the bug was widely publicized so system admins could update their systems and issue new SSL certificates.
Jeruselem
Jan 21, 2010 11:28 AM
I'm a programmer ... you never find a bug until a user runs into it. I've run into bugs in our corporate database which have been there since day 0, but no one realised they were there.
Leonid
Jan 21, 2010 12:19 PM
Thanks. I've just put the workaround into the default domain policy of all my clients.

None of this "elevation of system privileges" crap for me!
robzy
Jan 21, 2010 12:21 PM
xBomx: Er, a security hole as big as this is always _that_ big of a deal.

Jerusalem: The problem isn't the existence of a bug; you're right in pointing out that this happens. The problem is that it's six months on and there's still no patch.
.:Cyb3rGlitch:.
Jan 21, 2010 1:30 PM
Did I read this correctly? It only affects 32-bit versions, right?
sirtrancealot
Jan 21, 2010 1:54 PM
Yup, 32-bit only.. and if you look at the Jan09 update bulletin from MS, they've decided to release a patch for it along with the mega one that just came out for IE.
It was only posted this morning, probably when they realised that the hole made international news..
SquallStrife
Jan 21, 2010 5:15 PM
CptnChrysler: Typical Anti-MS hyperbole. This is the equivalent of someone finding an exploit in something like ipchains. The response would be "Upgrade to iptables". Much like Microsoft is suggesting that the solution to this is to simply disable the subsystem.

The reason it only affects 32-bit copies of Windows is that 64-bit copies don't contain the unmaintained 16-bit subsystem, which is where the exploit lies.
DiStOrTeD
Jan 21, 2010 5:24 PM
@xBomx
I don't think you quite understand. It doesn't matter if the executed code has the lowest possible privileges; it can work its way up to SYSTEM. If you don't understand that, SYSTEM privileges entitle you to do whatever the hell you want. Spread your code over the network (which is really not hard to do, there is bound to be a hole somewhere) and tada, you've taken over a full network.

Not a big deal
Yeh ok
robzy
Jan 21, 2010 5:39 PM
@SquallStrife: Your ipchains/iptables argument is invalid.

Linux: "There is a security hole in ipchains? We have a replacement product for you that will allow you to do the exact same thing, sans security hole"

Microsoft: "There is a security hole in VDM? *absolute silence*"

Rob.
.:Cyb3rGlitch:.
Jan 21, 2010 5:56 PM
robzy, Microsoft does have a solution: upgrade to 64-bit. :P
sudiptapl
Jan 21, 2010 6:05 PM
Add zing to the special occasions of your acquaintances in Bangalore by sending our fantastic flowers and tasty cakes. Our expert team affords excellent customer service support for the delivery of our flowers and cakes to Bangalore. Our supreme delivery networks all over Bangalore, Same day delivery option to Bangalore and punctual delivery of flowers and cakes to Bangalore have helped us to be more proficient. Moreover sending flowers and cakes to Bangalore online with us is 100% secured.

Please visit:
www.bangaloreonlineflorists.com
Ezekill
Jan 21, 2010 6:29 PM
^^^, ok, I got as far as 'flowers' before I realised WTF was going on.
SquallStrife
Jan 21, 2010 8:39 PM
@robzy, it was more like: "There's a hole in VDM? The vendor of your 16-bit software has a replacement product for you that will allow you to do the exact same thing, and isn't delivered on 5.25in floppy disks."

:)

I see what you're getting at, but... c'mon... NTVDM... really?
Mademan
Jan 22, 2010 9:24 PM
Wasn't there a bug in unix found recently that had existed since the mid-seventies?
milamber_of_the_assembly
Jan 22, 2010 11:16 PM
Shit, half of our department still runs 16-bit applications.

Well, I hope the 'gods of tech' in Central get their act together and whack the patch or the policy change out real quick. Fuck 16-bit :D
robzy
Jan 24, 2010 8:08 PM
Cyb3r & Squallstrife: You're right, my past comment was a bit wrong.

Still, CptnChrysler's comments were not at all "typical anti-MS hyperbole."

He was having a go at Microsoft for knowing about this pretty-major-hole for 6 months and not having done anything about it - and noted that if this were a *nix bug then it would've been fixed in days, if not hours.

CptnChrysler's attack on Microsoft was 100% justified because they neither:

a) Released a patch fixing the flaw in NTVDM

b) Released a patch entirely disabling NTVDM

Rob.
CptnChrysler
Jan 25, 2010 9:30 AM
At last, someone understands me...
Steebling
Jan 27, 2010 5:57 PM
Gotta love Microsnot!!!
CptnChrysler
Feb 10, 2010 12:39 PM
Interestingly, only a couple of weeks after the hole was made public, MS have released a patch.
