Windows has a 17-year-old unpatched vulnerability

When it comes to patching security flaws and bugs in its operating systems, Microsoft is, for the most part, pretty good about it. True, the occasional issue gets overlooked, but eventually Redmond takes care of it... except, so far, in this case.

The H Security points out that a security hole has been present in Windows since the release of Windows NT 3.1 in 1993, and that it is still present in every 32-bit version of Windows released since then. The problem is a flaw in the Virtual DOS Machine (VDM), the subsystem used to run 16-bit applications. The flaw allows a 16-bit program to manipulate the kernel stack of a process. The site notes that "this potentially enables attackers to execute code at system privilege level," making this a real threat to system security. Note that this is a local privilege escalation: the attacker must already be able to run a program on the machine, but any unprivileged user who can do that can take it to the system context.

A Microsoft spokesperson confirmed to Neowin that the company is investigating the "public claims of a possible vulnerability in Windows." The spokesperson also said Microsoft is not aware of any attacks attempting to use the "claimed vulnerability," or of any customer impact. "Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves," they said.

The vulnerability was discovered by Tavis Ormandy, a member of the Google security team. He tested the hole and found it still present in Windows XP, Server 2003, Server 2008, Vista and 7, where it can be used to open a command prompt "in the system context, which has the highest privilege level." Ormandy says that he informed Microsoft of the hole back in 2009, but it has yet to be fixed. The workaround is simple: disable the MS-DOS subsystem. All companies are advised to apply it, especially now that the vulnerability is public knowledge. Turning the subsystem off should not cause compatibility problems unless you are still using 16-bit applications; bear in mind that some installers for older 32-bit software are themselves 16-bit and will stop working too. 64-bit versions of Windows do not include the subsystem and are not affected.

Here's how to disable it, as The H describes it:

"The workaround requires users to start the group policy editor and enable the 'Prevent access to 16-bit applications' option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section."
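The Home editions of Windows do not ship the Group Policy Editor, but the policy above is only a registry value, so it can be set directly. The script below is an added example and is not from the article, from The H or from Microsoft; it assumes that the "Prevent access to 16-bit applications" policy maps to the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, which is what the policy template writes. Run it from an elevated PowerShell prompt on a 32-bit Windows installation.

```powershell
# Added example, not code from the article or from Microsoft.
# Applies the "Prevent access to 16-bit applications" workaround by writing
# the registry value the Group Policy setting itself writes (assumption:
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1),
# so it also works on Home editions that lack gpedit.msc.
# Run from an elevated PowerShell prompt. Use -Undo to restore 16-bit support.
param([switch]$Undo)

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$name = 'VDMDisallowed'

# 64-bit Windows has no NTVDM, so the flaw is not present and there is nothing to do.
if ([IntPtr]::Size -eq 8) {
    Write-Host '64-bit Windows: the 16-bit subsystem is not present; nothing to do.'
    return
}

if ($Undo) {
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Host '16-bit application support re-enabled.'
    return
}

# Create the policy key if no policy has ever been applied on this machine.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord

# Verify the value actually landed before trusting the workaround.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne 1) { throw "Failed to set $key\$name" }

# The policy applies to 16-bit programs launched from now on; stop any NTVDM
# instance that is already running so no 16-bit code survives the change.
Get-Process -Name ntvdm -ErrorAction SilentlyContinue | Stop-Process -Force

Write-Host '16-bit application support disabled. Test by launching a 16-bit'
Write-Host 'program (e.g. command.com on 32-bit Windows); it should now be blocked.'
```

On editions that do have gpedit.msc, the policy reads the same value, so after running the script it shows as Enabled there too; the same script, rolled out by logon script or management tooling, is a quick way to cover a fleet of mixed editions until a patch ships.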

74 Comments

"When it comes to updating security threats and bugs in their operating systems, Microsoft is, for the most part, pretty good about it."

I stopped reading there.

We have a government department in New Zealand that still uses an old DOS app from the early '90s. Why? Because it works, and it would cost a fortune to get someone to program an app that does exactly what this one does without problems.

I guess, honestly, who really cares? I mean, if you're running something 16-bit you need to get a shock value to you. Right now, at this point, most of the real tech people who have their computers at home have 64-bit processors running 64-bit operating systems. BUSINESSES NEED TO UPGRADE. And yes, it pays to do it.

Right now, talking about 16-bit is like talking about playing a Sega Genesis compared to an Xbox 360... You have to upgrade. The past is the past and there is no support for it anymore.

Wir3Tap said,
I guess, honestly, who really cares? I mean, if you're running something 16-bit you need to get a shock value to you. Right now, at this point, most of the real tech people who have their computers at home have 64-bit processors running 64-bit operating systems. BUSINESSES NEED TO UPGRADE. And yes, it pays to do it.

Have you taken a look at most OEM systems for sale lately? They all come with Win7 Home Premium 32-bit.

Edited by Athlonite, Jan 21 2010, 5:20am :

Ok so it may be 17 years old but it took until 2009 for it to be brought to anyone's attention. Probably a bit of a sensationalist title.

Smigit said,
Ok so it may be 17 years old but it took until 2009 for it to be brought to anyone's attention. Probably a bit of a sensationalist title.

Yeah, I agree.

I don't know whether this was BS from Norton but the other day my ADSL failed so I connected my laptop to the net via my Blackberry and to my surprise every 5 minutes Norton would pop up and tell me that it has blocked an attack.

I checked the logs and they all looked pretty real, Integer overflow attacks, amongst other things.

Luckily I do have UAC cranked right up, firewall enabled, my BB internet connection set to "Public" in the Windows 7 network config, and x64 Win 7 and Norton running, so I was probably pretty safe.

Jelly2003 said,
I don't know whether this was BS from Norton but the other day my ADSL failed so I connected my laptop to the net via my Blackberry and to my surprise every 5 minutes Norton would pop up and tell me that it has blocked an attack.

I checked the logs and they all looked pretty real, Integer overflow attacks, amongst other things.

Luckily I do have UAC cranked right up, firewall enabled, my BB internet connection set to "Public" in the Windows 7 network config, and x64 Win 7 and Norton running, so I was probably pretty safe.

I don't get why people believe the FUD involved with Symantec and Norton... 'OMG YOU HAZ VIRUS, BUT WE SAVED YOU :)' just when you browse Facebook and other rather 'safe' sites.

It lulls people into believing norton is actually doing something for the money you pay.

Me? I only use an anti-virus, none of that 'malware protector 2010' BS. I've not had a virus in about 6 years. I use a free anti-virus, so it has no need to pop up and say I have a fake virus just to believe its doing something, because I'm not paying for the privilege of using it.

It's all about being smart on the net tbh; if you are smart, you probably won't get a virus.

Sorry for the random off topic stuff.

Edited by dbbondy, Jan 21 2010, 12:17am :

I wonder if I can screw with my system while writing my assembly code. I'm currently going back and forth between 32-bit and 16-bit instruction sets, so I think it might be cool to give this a shot :p

That's lame, I guess DOSBox will have to do.
I'm using 32-bit, much prefer it over 64 even though I've got 1GB RAM that's unusable.

franzon said,
I'm pretty sure that SP3 for Windows Vista and SP1 for Windows 7 will disable the 16-bit support

I hadn't heard that. Was that mentioned somewhere by Microsoft?

majortom1981 said,
I am confused. I thought vista and windows 7 have the 16bit subsystem removed?

Only on x64.

Isn't anyone disgusted by the anti-MS FUD wording of the article?
All those "not patched since 1993" makes average user think that the vulnerability was known for 17 years.
I guess many *nix vulnerabilities are unpatched for 20+ years, but don't receive such deceiving article titles.

RealFduch said,
Isn't anyone disgusted by the anti-MS FUD wording of the article?
All those "not patched since 1993" makes average user think that the vulnerability was known for 17 years.
I guess many *nix vulnerabilities are unpatched for 20+ years, but don't receive such deceiving article titles.

I agree, this is terrible reporting.

"Microsoft has ignored a security hole in Windows since the release of Windows NT 3.1 in 1993" (even though the security hole wasn't even discovered until 2009). How on earth were they supposed to fix a flaw that they didn't know existed?

RealFduch said,
Isn't anyone disgusted by the anti-MS FUD wording of the article?
All those "not patched since 1993" makes average user think that the vulnerability was known for 17 years.

"not patched since 1993" means just that. "actively exploited" would say something different, but this article isn't lying. It may have been exploited, it may not have been, but one thing is for sure - it has never been patched.

Saburac said,
How on earth were they supposed to fix a flaw that they didn't know existed?

How do you know that they didn't know it existed? It's not like they haven't done it before.

That's just speculating but. The article when it says "The H Security points out that Microsoft has ignored a security hole in Windows since the release of Windows NT 3.1 in 1993." could easily be interpreted as MS knowing about it since day one. Fact is it's only publicly been known about since 2009.

I won't call the above an outright lie, but it was written in a way that can easily be misinterpreted.

Saburac said,

I agree, this is terrible reporting.

"Microsoft has ignored a security hole in Windows since the release of Windows NT 3.1 in 1993" (even though the security hole wasn't even discovered until 2009). How on earth were they supposed to fix a flaw that they didn't know existed?

+1

How about reading the post; notice the fact he said 'or'? What is it with people and inability to read and comprehend basic English?

What I don't understand is this:

Vista was supposed to be rebuilt from the ground up, right? So how can this flaw "still exist"? Wouldn't it be a flaw that was rebuilt into present-day OSes?

Rich said,
What I don't understand is this:

Vista was supposed to be rebuilt from the ground up, right? So how can this flaw "still exist"? Wouldn't it be a flaw that was rebuilt into present-day OSes?


Only parts of Vista were rebuilt. It wasn't a complete clean slate. Otherwise, there would have been even more issues with application compatibility.

Rich said,
What I don't understand is this:

Vista was supposed to be rebuilt from the ground up, right?

No, it wasn't. It was based on XP just as XP was based on 2000, NT 4.0, etc. Many parts were updated extensively or are completely new but the OS as a whole isn't even close to being written from scratch.

Rich said,
What I don't understand is this:

Vista was supposed to be rebuilt from the ground up, right? So how can this flaw "still exist"? Wouldn't it be a flaw that was rebuilt into present-day OSes?

Windows hasn't been NEW since v1.01 hit the shelves all those years ago.

Rich said,
What I don't understand is this:

Vista was supposed to be rebuilt from the ground up, right? So how can this flaw "still exist"? Wouldn't it be a flaw that was rebuilt into present-day OSes?

1) Vista was NEVER rebuilt - the video WDDM subsystem and a few other features like the network stack were built from scratch and just attached to the NT architecture.

2) Vista is just a newer version of NT.

3) Windows IS NOT the same since 1.01 as the post above suggests. Windows 1.x died with Win98 and WinME; NT replaced it as the main consumer Windows OS with XP.

4) This problem is in the DOS VM (which is a virtualized DOS subsystem) that runs on NT. This is why the DOS VM from Win9x and even Win7 are affected as the problem is in the DOS subsystem/VM.

5) Go Wiki Windows NT people, this type of ignorance is really scary in today's world. It would be like Mac users running around saying that OS X is the same as System 9.

thenetavenger said,

1) Vista was NEVER rebuilt - the video WDDM subsystem and a few other features like the network stack were built from scratch and just attached to the NT architecture.

2) Vista is just a newer version of NT.

3) Windows IS NOT the same since 1.01 as the post above suggests. Windows 1.x died with Win98 and WinME; NT replaced it as the main consumer Windows OS with XP.

4) This problem is in the DOS VM (which is a virtualized DOS subsystem) that runs on NT. This is why the DOS VM from Win9x and even Win7 are affected as the problem is in the DOS subsystem/VM.

5) Go Wiki Windows NT people, this type of ignorance is really scary in today's world. It would be like Mac users running around saying that OS X is the same as System 9.

Windows 9x didn't have a DOS VM. 9x was hybrid 16/32 bit and always had a part of DOS loaded. DOS applications were executed just like they were under the 386 Enhanced mode of Windows 3.x

this issue only applies to the NTVDM, which exists only on 32-bit NT operating systems

What about a fix for Home Premium, as Group Policy isn't available? Or is it a wait for the patch, which might never come!

Riggers said,
What about a fix for Home Premium, as Group Policy isn't available? Or is it a wait for the patch, which might never come!

The group policy editor just makes changes to the registry. On Home editions you can make the change manually, see this page: http://serverfault.com/questions/104623/local-policy-to-disable-16-bit-execution

Sometimes these things happen and as stated in the post, Microsoft are pretty good at keeping on top of them. Never is there a program which is completely bug free...

And that is why I use Win 7 64 bit.

Actually it's for more ram, though I'll take the added security bonus any day.

goji said,
And that is why I use Win 7 64 bit.

Actually it's for more ram, though I'll take the added security bonus any day.

Exactly, this is a real myth that you should go x64 only if you have more than 4GB RAM.
Now I am more secure with 2GB RAM on x64. :P

goji said,
And that is why I use Win 7 64 bit.

Actually it's for more ram, though I'll take the added security bonus any day.

Since the 16-bit subsystem is easily disabled it's kind of a moot point. :)

ilovetech said,

Exactly, this is a real myth that you should go x64 only if you have more than 4GB RAM.
Now I am more secure with 2GB RAM on x64. :P

Well... actually I've been using x64 for some time now, and I've only 2 GB of RAM. The reason I use it is because my processor is faster in x64.

Saburac said,

Since the 16-bit subsystem is easily disabled it's kind of a moot point. :)

Except if you want to use more than 4 gigs of ram and don't care for 64 bit XP :P

JonathanMarston said,
Doesn't affect me since I run 64-bit on all my machines. :)
Doesn't affect me either, since I don't run Windows.

Neither comment contributes anything to the discussion.

This is a serious problem that needs to be resolved.

I know a lot of you probably know how to get there but the easiest way is to just hit Window+R then type gpedit.msc and you're there. Just a quick tip for those who might go looking around for how to get in there. Hopefully most of you know how to get there already but you never know.

dogmai said,
I know a lot of you probably know how to get there but the easiest way is to just hit Window+R then type gpedit.msc and you're there. Just a quick tip for those who might go looking around for how to get in there. Hopefully most of you know how to get there already but you never know.

XP Home and Vista/7 Home Premium lack Group Policy.

Gotta find a 16-bit compiler to try, I must have that somewhere on some floppies in a cardbox in the attic.
Oh Snap! My machine does not have a Floppy drive anymore!!!!

AgentGray said,
wow... how did it take THAT long to discover?

It took that long to be "disclosed". "When was it discovered, and for how long has it been exploited in dark corners?" is a whole other story that not many people know about ;)

AgentGray said,
wow... how did it take THAT long to discover?

Another reason to be on 64bit, but should be resolved.


here's to WoW64's flaw that will celebrate its 16th birthday in a few years, too.

Glassed Siver:win

I'm surprised the 16-bit VM is still present in Windows 7. What system, business or otherwise, could possibly require access to 16-bit software on Windows 7?

boogerjones said,
I'm surprised the 16-bit VM is still present in Windows 7. What system, business or otherwise, could possibly require access to 16-bit software on Windows 7?

You'd be surprised - some really old installers used 16-bit code even though the application itself is 32-bit. You'd have thought Microsoft would discontinue 16-bit VDM in 7 and just get anyone who needed to run legacy 16 bit code to use Windows Virtual PC.

boogerjones said,
I'm surprised the 16-bit VM is still present in Windows 7. What system, business or otherwise, could possibly require access to 16-bit software on Windows 7?
Lots of businesses still use 16-bit apps. I know at the grocery store I worked at, the ordering system and inventory systems at our place, and every one of your suppliers, were 16-bit Win3.11. Why upgrade if it works?

boogerjones said,
I'm surprised the 16-bit VM is still present in Windows 7. What system, business or otherwise, could possibly require access to 16-bit software on Windows 7?

Don't know about you guys but, I couldn't get a 16-bit installer to work on W7.

Ryoken said,
Lots of businesses still use 16-bit apps. I know at the grocery store I worked at, the ordering system and inventory systems at our place, and every one of your suppliers, were 16-bit Win3.11. Why upgrade if it works?

+1, unfortunately.

Ryoken said,
Lots of businesses still use 16-bit apps. I know at the grocery store I worked at, the ordering system and inventory systems at our place, and every one of your suppliers, were 16-bit Win3.11. Why upgrade if it works?

There were a lot of specialized programs in use back then that no longer exist today, or are expensive to upgrade. I knew a video rental place that (until it closed a few years ago) still used Windows 3.1 and a video rental program that had been written just for them. They weren't online though so it was perfectly safe but just goes to show that it's not uncommon at all for businesses to still be using old 16-bit software.

boogerjones said,
I'm surprised the 16-bit VM is still present in Windows 7. What system, business or otherwise, could possibly require access to 16-bit software on Windows 7?

Earlier this month, I was evaluating how Windows 7 ran on an XP-era machine. That machine was to run older Win95-era edutainment games, almost all of which were 16-bit applications.

Ryoken said,
Lots of businesses still use 16-bit apps. I know at the grocery store I worked at, the ordering system and inventory systems at our place, and every one of your suppliers, were 16-bit Win3.11. Why upgrade if it works?

Exactly. We don't need to "upgrade" to the latest all the time - if it works, and if it can STILL be updated for new needs, hey, great!

One thing I always hated was the moving away from DOS text-based programs to windows - it was easier to use DOS for text-based information w/o graphics than to use windows for the same thing IMHO.

Edited by Mr. Black, Jan 20 2010, 10:55pm :

Mr. Black said,

One thing I always hated was the moving away from DOS text-based programs to windows - it was easier to use DOS for text-based information w/o graphics than to use windows for the same thing IMHO.

Go back to Linux/Unix. They seem to share the same nonsense opinion of CLI superiority.

Udedenkz said,

Don't know about you guys but, I couldn't get a 16-bit installer to work on W7.

If you are running a 64-bit version then right there is why. You can go only one generation back when dealing with code. A 32-bit OS can run 16-bit and 32-bit code. A 64-bit OS can run 32-bit and 64-bit code, but 16-bit code can't be executed. It doesn't matter if the VDM is involved or not.

Mr. Black said,

Exactly. We don't need to "upgrade" to the latest all the time - if it works, and if it can STILL be updated for new needs, hey, great!

One thing I always hated was the moving away from DOS text-based programs to windows - it was easier to use DOS for text-based information w/o graphics than to use windows for the same thing IMHO.

I know someone in a company relying on Framework 7 under DOS! Quite tough to handle this these days. Must try to make it run smoothly in DOSBox; not that straightforward...

Tom W said,
Wow. Pretty crazy. Is there any exploit code available?

Yes there is. Here's the full disclosure : http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

still1 said,

That's good, then... I am safe.

But then again, 32-bit users can get rid of the vulnerability within minutes. So you are as secure as you were before you knew about this exploit.

Edited by Skulltrail, Jan 20 2010, 8:28pm :