The Inquirer-Home

Ancient Windows flaw found after 17 years

And you never knew it was there
Wed Jan 20 2010, 15:14

A CRITICAL FLAW has been found in the Windows NT trap handler that makes all Windows machines wide open to hackers. The problem has been a feature of every Windows system for the last 17 years and no one has noticed.

According to Full Disclosure, the security hole in Windows allows users with restricted access to escalate their privileges to system level.

It can be done on all 32-bit versions of Windows from Windows NT 3.1 to Windows 7. This is not likely to bother consumers much, but corporate IT managers will be wetting themselves.

The problem is caused by flaws in the Virtual DOS Machine (VDM) that was fitted under the bonnet of Windows NT in 1993 to support 16-bit applications. The VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls.

Google security team member Tavis Ormandy worked out how an unprivileged 16-bit program can manipulate the kernel stack of each process and this can enable an attacker to execute code at the system privilege level.

To make matters worse he published a sample exploit that runs under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. It opens a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7.

This is where it gets funny. You would think that faced with such an embarrassing security hole, the Vole would have moved fast to close it. Then when Ormandy announced his discovery, it would at least have some comeback. However Ormandy told Microsoft about the vulnerability in mid-2009 and it did nothing.

He had no problem with publishing his findings because there is a simple workaround for the flaw, which is to disable the MS-DOS subsystem in Windows. All you have to do is start the group policy editor and enable the "Prevent access to 16-bit applications" option in the Computer Configuration \ Administrative Templates \ Windows Components \ Application Compatibility section.

The workaround reportedly doesn't cause any major compatibility problems for most users if they don't use 16-bit applications. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?