Microsoft confirms 17-year-old Windows bug
Google engineer reveals ancient flaw in all 32-bit versions of Windows
Computerworld - Microsoft late yesterday issued its second advisory of the last week, warning users that a 17-year-old bug in the kernel of all 32-bit versions of Windows could be used by hackers to hijack PCs.
The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed Tuesday by Google engineer Tavis Ormandy on the Full Disclosure security mailing list. Coincidentally, Ormandy received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday.
The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft's first fully 32-bit operating system. VDM allows Windows NT and later to run DOS and 16-bit Windows software.
Yesterday's advisory spelled out the affected software -- all 32-bit editions of Windows, including Windows 7 -- and told users how to disable VDM as a workaround. Windows' 64-bit versions are not vulnerable to attack.
It was Microsoft's second advisory in seven days; last week, the company posted a warning of a critical flaw in Internet Explorer after Google said its corporate computers had been hacked by Chinese attackers. That bug is to be patched later today.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," said the newest advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Jerry Bryant, a program manager with the Microsoft Security Response Center (MSRC), said that the company had not seen any actual attacks using the vulnerability, and also downplayed the threat if hackers do exploit the flaw. "To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system," Bryant said in an e-mail.
Typically, Microsoft ranks this kind of vulnerability -- which it classified as an elevation of privilege flaw -- as "important," the second-highest of the four ratings in its four-step system.
Ormandy said that the vulnerability goes back nearly 17 years to Windows NT 3.1's release, and exists in every version of Windows since. He reported the bug to Microsoft more than seven months ago.
"Regrettably, no official patch is currently available," Ormandy wrote on Full Disclosure Tuesday. "As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch." The workaround Ormandy included in his message was the same as Microsoft's: Edit group policies to block 16-bit applications from running.
Although Ormandy divulged information about the vulnerability, even posted attack code that works on Windows XP, Server 2003, Vista, Server 2008 and Windows 7, Microsoft didn't take him to task in the advisory for prematurely revealing the bug, as it almost always does researchers who spill the beans before a patch is ready.
Presumably, Microsoft will issue a fix for the flaw at some point, but as is its practice in security advisories, it didn't promise to do so. The next regularly-scheduled security update is slated for Feb. 9.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to email@example.com or subscribe to Gregg's RSS feed .
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts