Windows security hole found after 17 years

Modelworks

Lifer
Feb 22, 2007
Wow, it took a long time for someone to find this. It is an easy fix, and if you run x64 there is no need to worry. There are not a lot of exploits still in Windows from the NT4 days. It basically allows any user level to open a command prompt as administrator.

http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.
Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.

This verification relies on the following incorrect assumptions:
- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.

All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7

Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Regrettably, no official patch is currently available. As an effective and easy
to deploy workaround is available, I have concluded that it is in the best
interest of users to go ahead with the publication of this document without an
official patch. It should be noted that very few users rely on NT security, the
primary audience of this advisory is expected to be domain administrators and
security professionals.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.
 

Rifter

Lifer
Oct 9, 1999
That's awesome! And they haven't even fixed it months later, what is MS thinking?
 

Red Squirrel

No Lifer
May 24, 2003
Haha, that's hilarious. It's like that IE bug that came out a few weeks ago, it dates from like IE 6 and I think even before, and it's STILL not fixed. The bug is one of many that allows remote code execution. This one through a bad pointer lol.
 

dguy6789

Diamond Member
Dec 9, 2002
Me thinks some of the posters in here don't really understand the nature of software. They seem to think that if someone finds a vulnerability in software, that the developer of the software is somehow slacking or that the software is crappy because of it. Of course there are holes in the OS, there are holes that can be exploited in any piece of software. It's impossible to make software that complex and have it be without flaws.

Age of a hole is unimportant. There's probably still security issues that are just as old that nobody has discovered yet in Windows. That statement is true for virtually any piece of software.

Microsoft has probably patched more vulnerabilities in their OSes than any other company has ever patched anything else. Uninformed people would take this to mean that the OS had more holes to begin with than other software, but that is false logic at best. Windows is just attacked by significantly more people at all times than any other piece of software and through brute force and numbers, they inevitably discover vulnerabilities. The exact same thing would happen if that many people tried to attack any other operating system or program; countless holes would surface. Be grateful that Microsoft has a track record of releasing patches in a very timely manner most of the time and usually addresses everything that is found when they become aware of it.
 

Absolution75

Senior member
Dec 3, 2007
Me thinks some of the posters in here don't really understand the nature of software. They seem to think that if someone finds a vulnerability in software, that the developer of the software is somehow slacking or that the software is crappy because of it. Of course there are holes in the OS, there are holes that can be exploited in any piece of software. It's impossible to make software that complex and have it be without flaws.

Age of a hole is unimportant. There's probably still security issues that are just as old that nobody has discovered yet in Windows. That statement is true for virtually any piece of software.

Microsoft has probably patched more vulnerabilities in their OSes than any other company has ever patched anything else. Uninformed people would take this to mean that the OS had more holes to begin with than other software, but that is false logic at best. Windows is just attacked by significantly more people at all times than any other piece of software and through brute force and numbers, they inevitably discover vulnerabilities. The exact same thing would happen if that many people tried to attack any other operating system or program; countless holes would surface. Be grateful that Microsoft has a track record of releasing patches in a very timely manner most of the time and usually addresses everything that is found when they become aware of it.
QFT

If anything, the fact that it took quite a long time to find out is supporting evidence of the "security by obscurity" motto. How rarely are 16bit apps used these days? Well, the Dark Forces 2: Jedi Knight installer was 16bit, but that's the only one I've seen for many many years.
 

Modelworks

Lifer
Feb 22, 2007
Me thinks some of the posters in here don't really understand the nature of software. They seem to think that if someone finds a vulnerability in software, that the developer of the software is somehow slacking or that the software is crappy because of it. Of course there are holes in the OS, there are holes that can be exploited in any piece of software. It's impossible to make software that complex and have it be without flaws.

Somewhat true. It is possible to make complex software very secure but it takes a lot more time and money. You see it in mission critical applications but not likely for an OS.

Age of a hole is unimportant. There's probably still security issues that are just as old that nobody has discovered yet in Windows. That statement is true for virtually any piece of software.

Agree completely. It is interesting that it took so long for someone to find it. If anything it shows people that regardless of how long you might have used an OS and think it is all patched up, it may not be.


Be grateful that Microsoft has a track record of releasing patches in a very timely manner most of the time and usually addresses everything that is found when they become aware of it.

I am going to disagree here. MS does often release patches in a timely manner, but not always. This bug could have been patched months ago. It isn't a monumental fix. MS tends to use things like this as an "I told you to buy a 64 bit OS" type of event.
 

Modelworks

Lifer
Feb 22, 2007
QFT

How rarely are 16bit apps used these days? Well, the Dark Forces 2: Jedi Knight installer was 16bit, but that's the only one I've seen for many many years.


The exploit isn't by running a 16 bit application. It is by manipulating the stack using a 16 bit application written by someone who wants to gain access to the system. It would take about 10 minutes for an average Windows programmer to make such an application. Once the application runs you now have a command prompt with full Admin rights.

The fix is to disable 16 bit applications on all systems in a network. There are 16 bit applications still in use, quite a bit, depending on the field. I have about 20 of them that are engineering type programs for interfacing hardware, and there are no newer versions and there likely never will be. For those I use a VM to run them, but I know some places that still run Win98 to be able to use these programs as they were written.
 
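The advisory quoted in the first post gives the only mitigation the thread discusses (the "Prevent access to 16-bit applications" policy, which removes the VdmAllowed process the attack needs), and Modelworks' post above restates it as "disable 16 bit applications on all systems in a network". The script below is an added example, not code from the advisory, the thread, or Microsoft: it audits a local machine for exposure and applies the same setting locally. It assumes that this policy template writes the DWORD value VDMDisallowed=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; that registry mapping comes from the policy's template definition as I know it, not from the page. It also checks whether any ntvdm.exe is already running, because, as the advisory notes, an existing process with VdmAllowed still has access to NtVdmControl() even after new 16-bit launches are blocked.

```powershell
# Added example (not from the advisory or the thread): audit and apply the
# "Prevent access to 16-bit applications" workaround on the local machine.
# Assumption: that Group Policy setting is stored as the DWORD VDMDisallowed=1
# under the AppCompat policy key below (mapping assumed, not taken from the page).

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Test-NtvdmExposure {
    # Describes whether this host can run the 16-bit subsystem at all and
    # whether the policy workaround is already in place.
    # x64 Windows ships no NTVDM, so the Virtual-8086 path does not exist there.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or
            ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

    $policy = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
        if ($item) { $policy = $item.$PolicyName }
    }

    # A VDM process that is already running keeps VdmAllowed; the policy only
    # stops new 16-bit launches, so report these separately.
    $runningVdm = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue).Count

    # New-Object PSObject rather than [pscustomobject] so this runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Is64BitWindows      = $is64
        NtvdmPresent        = (Test-Path $ntvdmPath)
        VDMDisallowed       = $policy
        RunningVdmProcesses = $runningVdm
        WorkaroundActive    = ($is64 -or ($policy -eq 1))
    }
}

function Set-NtvdmDisallowed {
    # Applies the workaround locally; run from an elevated prompt.
    # On a domain the policy template named in the advisory is the better route,
    # since Group Policy reapplies the value if someone reverts it by hand.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    Test-NtvdmExposure
}

$state = Test-NtvdmExposure
$state | Format-List Is64BitWindows, NtvdmPresent, VDMDisallowed, RunningVdmProcesses, WorkaroundActive

if (-not $state.WorkaroundActive) {
    Write-Warning "32-bit Windows with ntvdm.exe reachable and no VDMDisallowed policy set; run Set-NtvdmDisallowed from an elevated prompt."
}
if ($state.RunningVdmProcesses -gt 0) {
    Write-Warning "$($state.RunningVdmProcesses) ntvdm.exe process(es) already running; the policy does not affect these until they exit."
}
```

Running the script as-is only reports; calling Set-NtvdmDisallowed is the write step. For the engineering programs Modelworks mentions, the audit output is the useful part: it tells you which 32-bit hosts still have the subsystem enabled so those workloads can be moved into a VM before the policy is pushed network-wide.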

Nothinman

Elite Member
Sep 14, 2001
Windows is just attacked by significantly more people at all times than any other piece of software and through brute force and numbers, they inevitably discover vulnerabilities. The exact same thing would happen if that many people tried to attack any other operating system or program; countless holes would surface.

While I agree that Windows is obviously a popular target, it's impossible to prove that other systems would have as many security issues under the same amount of scrutiny. IMO saying that Windows has this many problems just because it's popular is a cop-out.

If anything, the fact that it took quite a long time to find out is supporting evidence of the "security by obscurity" motto.

It only took this long for someone to tell MS and for MS to acknowledge it. For all we know MS could've known about this years ago and never did anything because it's so obscure.
 

VirtualLarry

No Lifer
Aug 25, 2001
Be grateful that Microsoft has a track record of releasing patches in a very timely manner most of the time and usually addresses everything that is found when they become aware of it.
LOL! You're kidding, right? A timely manner?

What about the TCP/IP bug in XP that was NOFIX? And IE vulns that lingered for months without patches.

Open-source code is what is patched frequently and effectively, not MS code.
 

nerp

Diamond Member
Dec 31, 2005
LOL! You're kidding, right? A timely manner?

What about the TCP/IP bug in XP that was NOFIX? And IE vulns that lingered for months without patches.

Open-source code is what is patched frequently and effectively, not MS code.

Then I hope you're not one of those people who complains when WU tells you it's time to reboot and close your porn downloads.