A CRITICAL FLAW has been found in the Windows NT trap handler that makes all Windows machines wide open to hackers. The problem has been a feature of every Windows system for the last 17 years and no one has noticed.
According to Full Disclosure, the security hole in Windows allows users with restricted access to escalate their privileges to system level.
It can be done on all 32-bit versions of Windows from Windows NT 3.1 to Windows 7. This is not likely to bother consumers much, but corporate IT managers will be wetting themselves.
The problem is caused by flaws in the Virtual DOS Machine (VDM) that was fitted under the bonnet of Windows NT in 1993 to support 16-bit applications. The VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls.
Google security team member Tavis Ormandy worked out how an unprivileged 16-bit program can manipulate the kernel stack of each process and this can enable an attacker to execute code at the system privilege level.
To make matters worse he published a sample exploit that runs under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. It opens a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7.
This is where it gets funny. You would think that, faced with such an embarrassing security hole, the Vole would have moved fast to close it, so that when Ormandy announced his discovery it would at least have some comeback. However, Ormandy told Microsoft about the vulnerability in mid-2009 and it did nothing.
He had no problem with publishing his findings because there is a simple workaround for the flaw, which is to disable the MS-DOS subsystem in Windows. All you have to do is start the group policy editor and enable the "Prevent access to 16-bit applications" option in the Computer Configuration \ Administrative Templates \ Windows Components \ Application Compatibility section.
The workaround reportedly doesn't cause any major compatibility problems for most users if they don't use 16-bit applications. µ
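The workaround above is a Group Policy setting, which on a single machine comes down to one registry value. The following PowerShell script is an added example for checking and applying it; it is not code from the article, from Ormandy's advisory or from Microsoft. It assumes that "Prevent access to 16-bit applications" is stored as the REG_DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (check this against the AppCompat.admx on your own systems), and it treats the presence of System32\ntvdm.exe as the sign that the 16-bit subsystem, and so the exposure, exists on the machine at all, since 64-bit Windows does not ship NTVDM.

```powershell
# Added example, not code from the article or from Microsoft.
# Audits, and with -Apply sets, the Group Policy workaround named above:
#   Computer Configuration \ Administrative Templates \ Windows Components \
#   Application Compatibility \ Prevent access to 16-bit applications
# Assumption (verify against your AppCompat.admx): that policy is stored as
# the REG_DWORD value VDMDisallowed = 1 under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat
# Run from an elevated PowerShell prompt; -WhatIf shows what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply    # report only unless this switch is given
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmStatus {
    # NTVDM only ships with 32-bit Windows; on x64 there is no 16-bit
    # subsystem, so the trap-handler flaw described above does not apply.
    $ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $hasNtvdm  = Test-Path $ntvdmPath

    # Read the policy value; a missing key or value simply means "not set".
    $current = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $current = [int]$item.$ValueName }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        NtvdmPresent = $hasNtvdm
        PolicyValue  = $current
        Workaround   = ($current -eq 1)
        # Exposed: the 16-bit subsystem is there and the policy is not set.
        Exposed      = ($hasNtvdm -and $current -ne 1)
    }
}

function Set-VdmDisallowed {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 1 (block 16-bit applications)')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    }
}

$before = Get-VdmStatus
$before | Format-List Computer, NtvdmPresent, PolicyValue, Workaround, Exposed

if ($Apply -and $before.Exposed) {
    Set-VdmDisallowed
    # Read the value back so the report reflects the registry, not our intent.
    $after = Get-VdmStatus
    if ($after.Workaround) { Write-Host 'Workaround applied; 16-bit applications are now blocked.' }
    else { Write-Warning 'Value did not take; check that the prompt is elevated.' }
}
elseif (-not $Apply -and $before.Exposed) {
    Write-Warning 'Machine is exposed; rerun with -Apply to set the policy.'
}
```

Run it once without -Apply to get an inventory line per machine, then with -Apply (or -WhatIf first) on the ones reported as Exposed. On a domain-joined machine a local registry write is overwritten at the next policy refresh, so there the durable fix is to set the same policy in a GPO and let this script serve only as the check that it actually landed.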