By Stuart J. Johnston
January 22, 2010
Microsoft acknowledged that a security researcher has located a 17-year-old hole in Windows that could be used to take over a user's system and said it plans a patch.
However, compromising a user's PC would not be easy, requiring physical access to the machine as well as authenticated password access, Microsoft (NASDAQ: MSFT) said in a Security Advisory Wednesday.
The hole, which originated with the release of Windows NT back in 1993 and is present in every 32-bit version of Windows since, including Windows 7, was discovered by Tavis Ormandy, a Google security team member in Switzerland.
Ormandy claimed in a posting to the Full Disclosure security mailing list earlier this week that the hole is in a portion of Windows originally meant to enable NT to run 16-bit MS-DOS applications.
The problem lies in what is known as the Virtual DOS Machine, or VDM, which is meant to allow NT-based versions of Windows to run 16-bit x86 programs. By manipulating what's called the kernel stack, an attacker can elevate his or her user privileges to an administrator's level in order to take over the user's system.
Ormandy said that he notified Microsoft of the hole in June but, after receiving no response other than an acknowledgement, decided to publish his discussion as well as a proof-of-concept exploit.
That got Microsoft's attention and, on Wednesday, the software giant released the Security Advisory regarding the problem.
Microsoft noted that the proof-of-concept has not triggered any real world attacks so far. Partly, that is related to the requirement that any attack be carried out locally, not remotely. For that reason, the hole is not as dangerous as most zero-day vulnerabilities.
Some Windows users are not at any risk
One piece of good news is that users of 64-bit versions of Windows are not affected. Many new PCs sold today are shipped with 64-bit Windows 7 preloaded, meaning they are not at risk, according to Microsoft's Security Advisory.
Microsoft's Security Advisory contains a workaround, which is to disable the use of the 16-bit VDM. That should have little impact on most users since the feature is rarely used today.
Even Ormandy played down how broad the hole's effect might be.
"The primary audience of this advisory is expected to be domain administrators and security professionals," Ormandy's post stated.
Microsoft normally patches zero-day vulnerabilities as quickly as possible, especially if they critically affect users' security.
For example, Microsoft patched a previously unknown zero-day that surfaced last week in attacks on Google China with an "out-of-band" fix Thursday.
Microsoft said it is working on a patch for the problem but hasn’t decided yet whether it will be released as an out-of-band fix or during a regular Patch Tuesday cycle.
However, given that it took 17 years to discover the bug in the first place, and the additional requirement that an attacker be physically in control of the PC being attacked, Microsoft's security response team may view the hole as less likely than most to be seriously exploited.