Microsoft issues Security Advisory for 17 year old Windows vulnerability

Yesterday Neowin reported on the recent discovery of a Windows vulnerability that has existed since the release of Windows NT 3.1 in 1993. The vulnerability has only recently been published, but it appears 32-bit Windows operating systems have inherited the flaw since NT 3.1.

Microsoft has issued a Security Advisory on the vulnerability. The software giant describes the flaw as an "Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows." 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The problem exists due to a flaw in the Virtual DOS Machine (or VDM), which was used to support 16-bit applications. The flaw allows a 16-bit program to manipulate the kernel stack of processes.

In a company blog posting, Jerry Bryant, Microsoft Security Program Manager, confirmed the steps an attacker would need to take to make use of the flaw:

"To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system."

Bryant also confirmed that Microsoft is not aware of any active attacks against this vulnerability and that they "believe the risk to customers, at this time, is limited." Microsoft is recommending that customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications disable the NTVDM subsystem. Leslie Forbes, technical manager at F-Secure, said "If this is one vulnerability in the kernel, you could be certain that there are likely to be others." Forbes also mirrored Microsoft's advice by suggesting "the best advice for end-users is to disable the 16-bit subsystem." More information on disabling this subsystem is available in the Security Advisory.
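The article points readers to the Security Advisory for the workaround without showing how to check it, so here is an added PowerShell script (not from Neowin, Microsoft or the commenters) that reports whether 16-bit application support is blocked by the "Prevent access to 16-bit applications" policy and, with -Apply, sets it. The registry key path and value name are assumed from Microsoft's documentation of that policy; they are not stated on this page.

```powershell
# Added example, not code from the article or from Microsoft's advisory.
# Audits, and with -Apply sets, the registry value behind the
# "Prevent access to 16-bit applications" policy, which is what the
# advisory's "disable the NTVDM subsystem" workaround amounts to.
# Key path and value name are assumed from Microsoft's policy documentation.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

# NTVDM exists only on 32-bit Windows; a 64-bit host is not affected by this flaw.
$is64BitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
if ($is64BitOS) {
    Write-Output 'This is 64-bit Windows: NTVDM is not present, nothing to do.'
    return
}

function Get-NtvdmPolicyState {
    # 'Blocked' when the policy value is 1; 'Allowed' otherwise,
    # including when the key or value has never been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -and $item.$ValueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

Write-Output ("Before: 16-bit applications are " + (Get-NtvdmPolicyState))

if ($Apply) {
    # Home editions lack gpedit.msc, so the policy key may not exist yet; create it.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Output ("After:  16-bit applications are " + (Get-NtvdmPolicyState))
}
```

Run it from an elevated prompt when using -Apply, since writing under HKLM requires administrator rights; without -Apply it only reads and is safe to run as a plain audit.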


The problem is that it could have been patched back in the summer when MS was notified of it. The guy seemed to feel that Microsoft brushed his report off and he decided to go public with it in light of the recent IE bug. Seems reasonable to me.

boogerjones said,
The problem is that it could have been patched back in the summer when MS was notified of it. The guy seemed to feel that Microsoft brushed his report off and he decided to go public with it in light of the recent IE bug. Seems reasonable to me.

As someone posted above, you can turn the VDM off and block it from even running, thus making this thing pointless. I would've brushed it off as well, or put it to the side while I tackled more important and higher priority bugs/exploits of the remote nature. Not everything is equal in importance.

This bug, thus, IMO, is nowhere near as important to fix as the new IE bug.

People are overlooking the fact that alone, this is pretty useless, but combined with some other spyware or virus, this could be extremely deadly to your computer.

franzon said,
I would like to disable the 16-bit support, but the gpedit.msc is not available in Home Premium. :-(

There is a simple registry file (I think it is just one line) you can create in a text editor then double-click to disable running all 16-bit apps. I will see if I can look it up in Google again.

EDIT: Here is a link that shows it. http://www.osnews.com/story/22767/Windows_NT_VDM_Vulnerability_Detected_After_17_Years
Strange that Microsoft's own advisory doesn't mention this method for those that don't have the group policy editor. Shame on them for that oversight.

Edited by markjensen, Jan 21 2010, 12:40pm:

markjensen said,

There is a simple registry file (I think it is just one line) you can create in a text editor then double-click to disable running all 16-bit apps. I will see if I can look it up in Google again.

EDIT: Here is a link that shows it. http://www.osnews.com/story/22767/Windows_NT_VDM_Vulnerability_Detected_After_17_Years
Strange that Microsoft's own advisory doesn't mention this method for those that don't have the group policy editor. Shame on them for that oversight.

Thank you markjensen, for doing what Microsoft should have done, i.e. given the Home Premium users a fix, although in a way it shouldn't affect home users that much if at all.