Microsoft confirms 17-year-old Windows vulnerability
One day after a Google security researcher released code to expose a flaw that affects
every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including
Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and
warn of the risk of privilege escalation attacks.
Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code
in kernel mode. For an attack to be successful, the attacker must have valid logon
credentials.
The flaw does not affect Windows operating systems for x64-based and Itanium-based
computers, Microsoft said.
According to Tavis Ormandy, the Google researcher who released the flaw details,
Microsoft was notified about the issue in June 2009. After waiting several months and not
seeing a patch, he decided it was in the best interest of everyone to go public.
As an effective and easy-to-deploy workaround is available, I have concluded that it is in the
best interest of users to go ahead with the publication of this document without an official
patch. It should be noted that very few users rely on NT security; the primary audience of
this advisory is expected to be domain administrators and security professionals.
Ormandy’s advisory includes instructions for temporarily disabling the MSDOS and
WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group
Policy.
The mitigation in Microsoft’s advisory mirrors the advice from Ormandy.
If you believe you may be affected, you should consider applying the workaround
described below.
Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).
The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.
Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
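The workaround above is a Group Policy setting, and an administrator will usually want to confirm which hosts are actually in scope (the advisory says only 32-bit Windows is affected) and whether the restriction is already in force before pushing a policy change. The following PowerShell script is an added example; it is not from the article, from Ormandy's advisory or from Microsoft's. It assumes that the "Prevent access to 16-bit applications" policy is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed (REG_DWORD, 1 = enabled); check that assumption against your own policy templates before relying on it.

```powershell
# Added example, not part of the original article or advisories.
# Audits a host for the "Prevent access to 16-bit applications" mitigation and,
# with -Enforce, applies it. Run from an elevated PowerShell prompt.
#
# ASSUMPTION: the Group Policy setting is backed by the registry value
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1 (REG_DWORD)
param(
    [switch]$Enforce   # write the policy value instead of only reporting
)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyValue = 'VDMDisallowed'

function Get-NtvdmExposure {
    # Returns one object describing scope (32-bit only), current policy state,
    # and whether any 16-bit (MSDOS/WOWEXEC) host process is running right now.

    # Native 32-bit Windows reports x86 with no WOW64 indirection variable;
    # x64 and Itanium hosts are out of scope per the advisory.
    $is32Bit = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)

    $current = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$PolicyValue }
    }

    # ntvdm.exe is the 16-bit subsystem host; a live instance is exactly the kind of
    # VdmAllowed process the workaround is meant to prevent from being started.
    $vdm = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        InScope       = $is32Bit
        VDMDisallowed = $current
        Mitigated     = ($current -eq 1)
        RunningNtvdm  = $vdm.Count
    }
}

function Set-NtvdmDisallowed {
    # Writes the policy value. It governs new 16-bit launches only; an ntvdm.exe
    # that is already running keeps running, so re-check RunningNtvdm afterwards.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-NtvdmExposure
$state | Format-List ComputerName, OSVersion, InScope, VDMDisallowed, Mitigated, RunningNtvdm

if ($state.InScope -and -not $state.Mitigated) {
    if ($Enforce) {
        Set-NtvdmDisallowed
        Write-Host 'Policy value written; run the script again without -Enforce to verify.'
    } else {
        Write-Warning '32-bit host without the 16-bit application restriction; rerun with -Enforce to apply it.'
    }
} elseif ($state.RunningNtvdm -gt 0) {
    Write-Warning "Mitigation is set but $($state.RunningNtvdm) ntvdm.exe instance(s) are still running."
}
```

Running the script without -Enforce is a safe read-only audit that can be pushed to a fleet; the policy-based route in the article (the Group Policy editor path quoted above) remains the supported way to roll the setting out, and the script's registry write is only the local equivalent of that policy.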
MORE & SOURCES:
http://blogs.zdnet.com/security/?p=5307&tag=nl.e589
http://seclists.org/fulldisclosure/2010/Jan/341
http://www.microsoft.com/technet/security/advisory/979682.mspx