Microsoft set to fix 17-year-old Windows vulnerability next week

Microsoft has confirmed it is on course to issue a patch next Tuesday for a recently discovered 17-year-old Windows vulnerability.

In January Neowin reported on the recent discovery of a Windows vulnerability that has existed since the release of Windows NT 3.1 in 1993. The vulnerability has only recently been published but it appears 32-bit Windows operating systems have inherited the flaw since NT 3.1.

Microsoft issued a Security Advisory on the vulnerability. The software giant described the flaw as an "Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows." 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The problem exists due to a flaw in the Virtual DOS Machine (or VDM), which was used to support 16-bit applications. The flaw allows for a 16-bit program to manipulate the kernel stack of processes.

In a company blog posting on Thursday, Jerry Bryant, Sr. Security Communications Manager at Microsoft, confirmed "we are on track to release an update for this issue next Tuesday (February 9)." Microsoft will also be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities.


32 Comments


Been computer shopping lately? The only 32-bit versions of Windows 7 I'm seeing are on netbooks, small form factor laptops and bargain basement Walmart desktops. In 3 to 5 years I'll bet a year's wages finding a 32-bit Windows will be like finding the holy grail, or a unicorn turd.

~ 90% of Windows based OSes in use today are 32-bit. Only large incorporated businesses and enthusiasts/gamers/tweakers who can afford to pay premium $$$ use 64-bit Vista or 7, and that accounts for < 10% of computer users.
64-bit Windows was released upon the unexpecting consumers only since WinVista [now slowly replaced by Win7] 64-bit started to get bundled with new pre-built, pre-installed cheapo PCs [OEM/VAR], which are sold in massive quantities at major retail stores and online.
But keep in mind that Windows 32-bit OSes [*all* of them] still use a guano-load of 16-bit code, especially to handle DOS VMs.
And most of that stone age code hasn't changed since 1990, since the release of Windows 3.0.
Think about it... ;)

I don't see any solution on upgrading to 64 bits. It will be exactly the same problem. See, the 16 bit Old windows had 16 bits viruses programmed. Oh wait, let's move to 32 bits, that will be more secure. Hm Nop. The same malware is being spread for 32. Solution? New engineers. They must redesign the whole system itself. If there are still compatibility issues that's from the core of the OS itself. I think they are lazy to start from scratch or afraid of doing it.

Mocosoft said,
I don't see any solution on upgrading to 64 bits. It will be exactly the same problem. See, the 16 bit Old windows had 16 bits viruses programmed. Oh wait, let's move to 32 bits, that will be more secure. Hm Nop. The same malware is being spread for 32. Solution? New engineers. They must redesign the whole system itself. If there are still compatibility issues that's from the core of the OS itself. I think they are lazy to start from scratch or afraid of doing it.

Considering 16bit code isn't executable on x64 platform due to the architecture differences, I'd say you don't really know what you're talking about.

As far as the lazy comment, it's very difficult to refactor 16Million lines of code in one production cycle.
If you take a look at the under the hood changes of Windows 7, you will see they did rearchitect the system quite substantially. Maybe not enough to prevent this sort of thing, but they are doing a better job of separating user from kernel and having mixed mode drivers. All things that weren't even considered back in the day.

Mark Russinovich has a few videos online discussing how the Windows Architecture is evolving. It's a good thing for all of us going forward.

dotf said,

Considering 16bit code isn't executable on x64 platform due to the architecture differences, I'd say you don't really know what you're talking about.

As far as the lazy comment, it's very difficult to refactor 16Million lines of code in one production cycle.
If you take a look at the under the hood changes of Windows 7, you will see they did rearchitect the system quite substantially. Maybe not enough to prevent this sort of thing, but they are doing a better job of separating user from kernel and having mixed mode drivers. All things that weren't even considered back in the day.

Mark Russinovich has a few videos online discussing how the Windows Architecture is evolving. It's a good thing for all of us going forward.

The architecture is not equal but has the same flaws. That's what I'm talking about. It can't evolve properly since the beginning itself has problems. It must be started over again. If they don't, Windows 20 or whatever it will be called later will have the same problem.

Mocosoft said,

The architecture is not equal but has the same flaws. That's what I'm talking about. It can't evolve properly since the beginning itself has problems. It must be started over again. If they don't, Windows 20 or whatever it will be called later will have the same problem.

This bug specifically only works on the 32-bit version of windows and that is explained very well in the article. They are not saying that 64-bit version of windows is overall more secure, just that this exploit doesn't work on 64-bit windows.

Julius Caro said,
I don't think it is very fair to consider this a 17-year-old vulnerability if it has only recently been discovered.

This was argued about last time a news entry about this was posted, but what it comes down to is that a news post about a "17 year old unpatched bug" gets more views than a "recently discovered bug".

http://a248.e.akamai.net/7/248/430/20080327144030/www.mercksource.com/ppdocs/us/common/dorlands/dorland/images/humerus%281%29.jpg

ir0nw0lf said,
What I find kind of funny is that this vulnerability is *older* than many of the young grasshoppers here LOL.
It is rather humerus that this bug has been present since I was 4....way before I even knew what "Windows" was. :P

neo158 said,
Question is, why do we still have a Virtual DOS Machine?

To run old 16bit DOS applications or loader programs.

Some things just don't get as much attention when they go through their development cycle. I can still find a few things in Windows 7 that are very reminiscent of their Windows 2000 counterpart (e.g. Briefcase, File Synchronisation, Computer Management Console, Phone Dialer, Telnet). A lot have missed any artwork/icon updates.

Guess if it's still working and there's a chance someone might be using it, keep it unless informed otherwise.

neo158 said,
Question is, why do we still have a Virtual DOS Machine?

Backwards compatibility. Many older programs still use 16-bit installers, even if the program itself is 32-bit. Also lots of companies are still using older programs and as pointed out above people still love playing their old DOS and Windows 3.1 games. Of course virtualization software like Virtual PC and VMware are much better solutions for running legacy programs and the virtual DOS machine is now being phased out (already gone in 64-bit versions).

Windows is filled with legacy stuff. The old Windows 3.1 program manager and file manager programs were not finally removed until Windows XP SP2. :laugh:

It's very quiet over here... Was this about a 17-year-old bug?... Not to start a flame war, but just pointing out that all OSs have their flaws. Nothing is perfect. It's good they fixed it though....

That's what we like to see, a good rapid response! Although to give them their due, it was only reported very recently...

Nick Brunt said,
That's what we like to see, a good rapid response! Although to give them their due, it was only reported very recently...

You forgot your <sarcasm> tag:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Trajik 2600 said,

You forgot your <sarcasm> tag:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Really takes the fun out of this, 7 months is not bad.

Nick Brunt said,
That's what we like to see, a good rapid response! Although to give them their due, it was only reported very recently...
LOL your sarcasm almost escaped