Yesterday, Neowin reported on the recent discovery of a Windows vulnerability that has existed since the release of Windows NT 3.1 in 1993. The vulnerability has only recently been published, but it appears that 32-bit Windows operating systems have inherited the flaw since NT 3.1.
Microsoft has issued a Security Advisory on the vulnerability. The software giant describes the flaw as an "Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows." 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The problem exists due to a flaw in the Virtual DOS Machine (or VDM), which is used to support 16-bit applications. The flaw allows a 16-bit program to manipulate the kernel stack of processes.
In a company blog posting, Jerry Bryant, Microsoft Security Program Manager, confirmed the steps an attacker would need to take to make use of the flaw:
"To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system."
Bryant also confirmed that Microsoft is not aware of any active attacks against this vulnerability and that they "believe the risk to customers, at this time, is limited." Microsoft is recommending that customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications disable the NTVDM subsystem. Leslie Forbes, technical manager at F-Secure, said "If this is one vulnerability in the kernel, you could be certain that there are likely to be others." Forbes also mirrored Microsoft's advice by suggesting "the best advice for end-users is to disable the 16-bit subsystem." More information on disabling this subsystem is available in the Security Advisory.
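An added example, not from the article or from Microsoft's advisory, of how an administrator could check whether a host still exposes the NTVDM subsystem. It assumes that the advisory's "Prevent access to 16-bit applications" policy is enforced through the `VDMDisallowed` registry value under the AppCompat policy key (that path is from general Windows knowledge, not from the article), and it treats 64-bit hosts as not affected, as the article states.

```powershell
# Added example (not from the article or the advisory): report whether this
# Windows host still exposes the 16-bit NTVDM subsystem.
# Assumption: the "Prevent access to 16-bit applications" policy is stored as
# the DWORD below; the key path is from general Windows knowledge, not the page.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$policyName = 'VDMDisallowed'

function Get-NtvdmExposure {
    # 64-bit Windows ships no NTVDM, so the article's flaw does not apply there.
    # PROCESSOR_ARCHITEW6432 is only set when a 32-bit process runs on 64-bit Windows.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432)
    if ($is64) {
        return New-Object PSObject -Property @{
            Architecture  = '64-bit'
            NtvdmDisabled = $true
            Note          = 'Not affected: 64-bit Windows has no NTVDM subsystem'
        }
    }

    # On 32-bit Windows, NTVDM is available unless the policy value is set to 1.
    $value = $null
    if (Test-Path $policyKey) {
        $item  = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$policyName }
    }
    $disabled = ($value -eq 1)
    $note = if ($disabled) { 'Mitigated: 16-bit applications are blocked by policy' }
            else { 'Exposed: NTVDM enabled; apply the advisory workaround if 16-bit support is not needed' }

    return New-Object PSObject -Property @{
        Architecture  = '32-bit'
        NtvdmDisabled = $disabled
        Note          = $note
    }
}

# Example run (constructed usage): print the result as a single table row.
Get-NtvdmExposure | Format-Table Architecture, NtvdmDisabled, Note -AutoSize
```

Run it from an elevated prompt on each 32-bit host; a `NtvdmDisabled` value of `False` marks a machine where the advisory's workaround has not yet been applied.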