
Ancient Windows flaw found after 17 years

And you never knew it was there
Wed Jan 20 2010, 15:14

A CRITICAL FLAW has been found in the Windows NT trap handler that makes all Windows machines wide open to hackers. The problem has been a feature of every Windows system for the last 17 years and no one has noticed.

According to Full Disclosure, the security hole in Windows allows users with restricted access to escalate their privileges to system level.

The escalation works on all 32-bit versions of Windows from Windows NT 3.1 to Windows 7. This is not likely to bother consumers much, but corporate IT managers will be wetting themselves.

The problem is caused by flaws in the Virtual DOS Machine (VDM) that was fitted under the bonnet of Windows NT in 1993 to support 16-bit applications. The VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls.

Google security team member Tavis Ormandy worked out how an unprivileged 16-bit program can manipulate the kernel stack of each process, which enables an attacker to execute code at the system privilege level.

To make matters worse, he published a sample exploit that runs under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. On Windows XP and Windows 7 it opens a command prompt in the system context, which has the highest privilege level.

This is where it gets funny. You would think that, faced with such an embarrassing security hole, the Vole would have moved fast to close it, so that when Ormandy announced his discovery it would at least have some comeback. However, Ormandy told Microsoft about the vulnerability in mid-2009 and it did nothing.

He had no problem with publishing his findings because there is a simple workaround for the flaw, which is to disable the MS-DOS subsystem in Windows. All you have to do is start the group policy editor and enable the "Prevent access to 16-bit applications" option in the Computer Configuration \ Administrative Templates \ Windows Components \ Application Compatibility section.
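As an added example (not from the article, and not from Ormandy's post), the following PowerShell script audits whether the "Prevent access to 16-bit applications" policy described above is in force on a 32-bit host and, with the -Enforce switch, applies it. It assumes that the policy is stored as the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and that ntvdm.exe is the process that hosts running 16-bit programs; both are assumptions of this example rather than facts stated on the page. On 64-bit Windows the 16-bit subsystem is absent, so the script reports that and exits.

```powershell
# Added example, not from the article or from the vulnerability report.
# Audits (and optionally applies) the "Prevent access to 16-bit applications" policy.
# ASSUMPTION: the policy is backed by the registry value
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed (DWORD, 1 = prevented).
# ASSUMPTION: 16-bit programs run inside an ntvdm.exe host process.
# Run from an elevated PowerShell prompt; pass -Enforce to set the value.
param(
    [switch]$Enforce
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$policyName = 'VDMDisallowed'

# 64-bit Windows never loads the NT Virtual DOS Machine, so the flaw does not apply there.
# Check both the process pointer size and the WOW64 environment variable, so a 32-bit
# PowerShell running on a 64-bit OS is still classified correctly.
$is64BitOS = ([IntPtr]::Size -eq 8) -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
if ($is64BitOS) {
    Write-Output 'OS is 64-bit: the 16-bit subsystem is not present; nothing to do.'
    return
}

# Read the current policy state; a missing key or value means "not configured".
$current = $null
if (Test-Path $policyKey) {
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($item) { $current = $item.$policyName }
}

switch ($current) {
    1       { Write-Output '16-bit applications are already prevented (VDMDisallowed = 1).' }
    default { Write-Output 'Policy not configured or disabled: 16-bit applications can run.' }
}

# Report whether any 16-bit program is running right now, so the compatibility impact of
# enforcing the policy can be weighed before it is applied.
$vdm = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)
if ($vdm.Count -gt 0) {
    Write-Output ('WARNING: {0} ntvdm.exe process(es) running; 16-bit software is in use on this host.' -f $vdm.Count)
}

if ($Enforce -and $current -ne 1) {
    # Create the policy key if it does not exist, then set the value the policy editor would set.
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name $policyName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output 'VDMDisallowed set to 1: new 16-bit program launches will be blocked.'
}
```

Running the script without -Enforce is a read-only audit suitable for a login script or inventory job; the warning about running ntvdm.exe processes is the signal that enforcing the policy on that host will break something a user depends on.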

The workaround reportedly doesn't cause any major compatibility problems for most users if they don't use 16-bit applications. µ


Comments
Dragging crap

16-bit support should be dropped altogether, even on a processor level.
If corporate users really really need it, then Microsoft should fund/support/bundle DOSBox. It works really well on modern computers.

posted by : Renato, 20 January 2010
Eh....

All they need to do is make an applet in control panel that says "ENABLE/DISABLE 16-BIT PROGRAMS" and the problem is solved.

In regards to the person who said to remove 16-bit mode at the processor level: that'd be a TERRIBLE idea, as it'd cripple compatibility for those trying to use 16-bit systems.

If you're going to be a Grade-A jerk and cut compatibility inside an OS, at least have the decency to leave it in the hardware for those poor souls who need to use legacy systems.

posted by : That Guy, 20 January 2010
16-bit mode a waste of silicon

Getting rid of 16-bit mode altogether is not such a bad idea. With fast processors and virtual machine software available these days, those needing to run a 16-bit app can just as easily do it in an emulated environment. Performance gains being what they are, I doubt that anyone would notice the difference anyway.

Who knows, getting rid of 16-bit mode from modern processors might actually make it easier to make them faster and more efficient.

posted by : Bob, 20 January 2010
Sim city 2000

OMFG NOW I CAN'T PLAY SIM CITY 2000@$@#$#

posted by : Kevin Sugar, 20 January 2010
Are you saying M$ can't fix this?

Even I'll give M$ a pass on this one. It's probably unavoidable due to the history of DOS, and luckily (it seems) wasn't discovered when 16-bit programs were common. But there should be a *fix* other than just turning off the whole sub-section; there are still many programs (perhaps with dedicated hardware) that need to be accommodated.

What's galling about M$ security isn't their not foreseeing possible mis-use of low-level arcana, but their high-level "features", such as Active-X, numerous network services, Internet Explorer up to at least v6, Autoplay, and the Registry snakepit that *should* be for the OS only (and limited in function so it can be *trusted*), but is in fact wide open. Those all have *obvious* flaws and drawbacks and yet ARE ON BY DEFAULT, like "balloon tips", with no easy way to change the setting.

posted by : bigger_luddite, 20 January 2010
Odd.

I can't even get some 32-bit software to run on Vista, yet they're still trying to support 16-bit stuff? Huh?

posted by : Ken, 20 January 2010
I've had it with so called "unprivileged 16-bit programs"

And WHEN can we get them to pull their trousers up over their arse?

posted by : "Superbugs", 20 January 2010
This is not the oldest or biggest flaw

This is not the oldest or biggest flaw actually.

The oldest and biggest flaw is even more serious: it's the flaw that Windows was written in the first place.

posted by : Xerkon the Great, 20 January 2010
Flaw in *every* version of Windows - including 9x/ME ???

The article states that this is a flaw in *every* version of Windows since NT 3.5. Doesn't anyone remember that there once was a Windows product known as Windows 9x and Windows ME, and that those products continue to show us that they have significantly fewer vulnerability issues than the much touted NT-based versions of Windows?

posted by : 98 Guy, 20 January 2010
9x +

I believe Windows 95 and 98 had native 16-bit support. Windows ME probably was released after NT 3.5, but I would imagine there are fewer vulnerabilities for these machines due to there being fewer of them about nowadays.

posted by : Lewis, 20 January 2010
Bug?

I always thought of this as more of a Feature than a Bug. Must be the Developer in me..

posted by : JR, 20 January 2010
Duh

Just the latest evidence that you cannot WIN using Micr0$ucks products, but you are certain to LOSE.

I guess maybe it is a good thing that LoseDoze XP/Vista/7 64-bit doesn't support 16-bit mode, even though the hardware supports it.

posted by : Hucklebuck, 20 January 2010
@ Lewis

Yes, you are correct. Windows ME was based on Windows 98 and was little more than a Plus! pack.

I still wonder why they didn't make Win7 in x64 only.

posted by : Jon, 20 January 2010
@Renato

"16-bit support should be dropped altogether, even on a processor level. "

Uhm, they did. It's called x86-64. Which is why this bug doesn't affect 64 bit systems.

posted by : Dan, 21 January 2010
Simple Fix

Windows 7. You try to increase the privileges, you get told :S

Also, if it doesn't, a simple AV does it for you :S

OMG...

Oh, and a so-called security expert published a file just because he told Microsoft last year and they ignored it (first of all, so he says he told them), which doesn't give him the right to publish it...

Imagine if Android finally gets the full version and Microsoft do the same or even Apple...

Holes like this are all to do with compatibility; if you want an OS which can run pretty much everything you have to be ready for flaws, it's why you have AV. If you know what you are doing and have limited apps you need, get Linux, but first think: YOU WOULD BE SPENDING ALL YOUR TIME TEACHING YOUR PARENTS HOW TO USE THE THING FIRST and then THE REST OF THE TIME TO YOUR MATES...

As for Apple... LOL...

posted by : 4TR3X, 21 January 2010
I thought something was wrong..

"Ancient Windows flaw found after 17 years
And you never knew it was there"

I knew something was wrong for all those years 'cos none of the wretched versions ever worked properly.

posted by : Keith Oldham, 21 January 2010
Re:Simple Fix

You need to re-read the article, which specifically states that Win 7 aka Vista SP2 is equally vulnerable.

Which drives the final nail into the coffin of Vista "written from scratch" as far as I'm concerned.

posted by : Pascal Monett, 21 January 2010
Non-Existing in Current Windows!

You actually believe this editor's bullshit? Windows hasn't used "Virtual DOS Machine" since Windows XP was released.

It's not there, it doesn't even exist any more, Vista and 7 and XP are entirely 32-bit and up now.

Really... I swear they'll write anything in here. *Sigh*

posted by : AquaVixen, 21 January 2010
AquaVixen has spoken:

There is no "Virtual DOS Machine".

Yet XP will still run 16-bit DOS programs!

Who am I to believe, AquaVixen? You, or my own lyin' eyes?

Did you even read the link? They seem to take a VDM for granted, and give API calls...

posted by : bigger_luddite, 21 January 2010
This isn't new

This has been known about at least since the Windows 98 days. It has never been fixed because Microsoft has never discussed it.

posted by : Alex, 22 January 2010
lol

AquaVixen, well nice try at pretending to know your stuff there.

MS-DOS has not been in since XP, but it is not MS-DOS we are talking about here ;)

posted by : phill, 22 January 2010
This probably isn't exploitable

To exploit this remotely, you'd need to be running a networked 16-bit app. Thing is, nobody is. Nobody has for 15 years. The only way you'd take advantage of this is by putting a specially crafted 16-bit app on someone's computer and executing it. And if you can get anything on someone's computer and execute it, it's game over anyway, really, isn't it?

posted by : NeXEkho, 24 January 2010
Is RoadRash (demo) a 16-bit program?

Is it safe to play RoadRash?

posted by : marees, 25 January 2010
Remote desktop and blank administrator passwords

You don't really need flaws to break into Windows:

- there are lots of blank administrator passwords on Windows computers

- the name of the administrator account on Windows is well known (just guess the blank password)

- the ports for the Remote Desktop feature are not blocked by firewalls

posted by : Ray, 26 January 2010