[Device] - Microsoft confirms 17-year-old Windows vulnerability

humble3d · January 22nd, 2010

Microsoft confirms 17-year-old Windows vulnerability

One day after a Google security researcher released code to expose a flaw that affects

every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including

Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and

warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code

in kernel mode. For an attack to be successful, the attacker must have valid logon

credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based

computers, Microsoft said.

According to Tavis Ormandy, the Google researcher who released the flaw details,

Microsoft was notified about the issue in June 2009. After waiting several months and not

seeing a patch, he decided it was in the best interest of everyone to go public.

As an effective and easy to deploy workaround is available, I have concluded that it is in the

best interest of users to go ahead with the publication of this document without an official

patch. It should be noted that very few users rely on NT security, the primary audience of

this advisory is expected to be domain administrators and security professionals.

Ormandy’s advisory includes instructions for temporarily disabling the MSDOS and

WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group

Policy.

The mitigation in Microsoft’s advisory mirrors the advice from Ormandy.

If you believe you may be affected, you should consider applying the workaround
described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

MORE & SOURCES:

http://blogs.zdnet.com/security/?p=5307&tag=nl.e589

http://seclists.org/fulldisclosure/2010/Jan/341

http://www.microsoft.com/technet/security/advisory/979682.mspx

8-X

SEspider360 · January 26th, 2010

Thanks for the Info

hardwire · December 7th, 2011

you can always trust microsoft to get security right =)

l3ehrooz · January 22nd, 2012

Don't ever trust Microsoft. Use Linux and if need windows, use virtual machines.

**dping28** · January 30th, 2012

Has this issue ever been patched or do they still suggest the workaround?

jimsim · January 31st, 2012

interesting stuff

blogs · March 11th, 2012

sorry, i don not know.

**allejo** · March 12th, 2012

Microsoft, the most reliable security expert...

gutcheck · March 15th, 2012

thanx for the info !!!!!!!!

Lelin14 · March 31st, 2012

I think Microsoft is a trust able company.

January 22nd, 2010	#1
humble3d Offline
Join Date: Oct 2006 Rank: Verified Member Posts: 29	Microsoft confirms 17-year-old Windows vulnerability Microsoft confirms 17-year-old Windows vulnerability One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks. Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials. The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said. According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals. Ormandy’s advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group Policy. The mitigation in Microsoft’s advisory mirrors the advice from Ormandy. If you believe you may be affected, you should consider applying the workaround described below. Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course). The policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration. Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx MORE & SOURCES: http://blogs.zdnet.com/security/?p=5307&tag=nl.e589 http://seclists.org/fulldisclosure/2010/Jan/341 http://www.microsoft.com/technet/security/advisory/979682.mspx 8-X

January 26th, 2010	#2
SEspider360 Offline
Join Date: Feb 2008 Rank: Verified Member Posts: 13	Thanks for the Info

December 7th, 2011	#3
hardwire Offline
Join Date: Dec 2011 Rank: Verified Member Posts: 6	you can always trust microsoft to get security right =)

January 22nd, 2012	#4
l3ehrooz Offline
Join Date: Jan 2012 Rank: Verified Member Posts: 4	Don't ever trust Microsoft. Use Linux and if need windows, use virtual machines.

January 30th, 2012	#5
dping28 (Donator) Offline
Join Date: Jan 2012 Rank: VIP Posts: 26 Total Awards: 1	Has this issue ever been patched or do they still suggest the workaround?

January 31st, 2012	#6
jimsim Offline
Join Date: Nov 2011 Rank: Verified Member Posts: 37	interesting stuff

March 11th, 2012	#7
blogs Offline
Join Date: Mar 2012 Rank: Verified Member Posts: 2	sorry, i don not know.

March 12th, 2012	#8
allejo (Hater of All Things) Offline
Join Date: Dec 2009 Rank: Moderator Posts: 928	Microsoft, the most reliable security expert... "Those who do not understand Unix are condemned to reinvent it, poorly." -Henry Spencer

March 15th, 2012	#9
gutcheck Offline
Join Date: Apr 2008 Rank: Verified Member Posts: 33	thanx for the info !!!!!!!!

March 31st, 2012	#10
Lelin14 Offline
Join Date: Mar 2012 Rank: Extreme Member Posts: 496	I think Microsoft is a trust able company.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)