We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft confirms 17-year old Windows bug

Google engineer reveals flaw in 32-bit Windows

Microsoft has confirmed that a 17-year-old bug in the kernel of all 32-bit versions of Windows could be used by hackers to hijack PCs.

The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed by Google engineer Tavis Ormandy on the Full Disclosure security mailing list.

Coincidentally, Ormandy received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday.

The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft's first fully 32bit operating system. VDM allows Windows NT and later to run DOS and 16bit Windows software.

The advisory spelled out the affected software - all 32bit editions of Windows, including Windows 7 - and told users how to disable VDM as a workaround. Windows' 64-bit versions are not vulnerable to attack.

It was Microsoft's second advisory in seven days; last week, the company posted a warning of a critical flaw in Internet Explorer after Google said its corporate computers had been hacked by Chinese attackers. That bug is to be patched later today (see Critical Internet Explorer patch coming today).

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," said the newest advisory.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Jerry Bryant, a program manager with the Microsoft Security Response Center (MSRC), said that the company had not seen any actual attacks using the vulnerability, and also downplayed the threat if hackers do exploit the flaw.

"To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system," Bryant said.

Typically, Microsoft ranks this kind of vulnerability - which it classified as an elevation of privilege flaw - as 'important', the second-highest of the four ratings in its four-step system.

Ormandy said that the vulnerability goes back nearly 17 years to Windows NT 3.1's release, and exists in every version of Windows since. He reported the bug to Microsoft more than seven months ago.

"Regrettably, no official patch is currently available," Ormandy said.

"As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch."

The workaround Ormandy included in his message was the same as Microsoft's: Edit group policies to block 16-bit applications from running.

Although Ormandy divulged information about the vulnerability, even posted attack code that works on Windows XP, Server 2003, Vista, Server 2008 and Windows 7, Microsoft didn't take him to task in the advisory for prematurely revealing the bug, as it almost always does researchers who spill the beans before a patch is ready.

Presumably, Microsoft will issue a fix for the flaw at some point, but as is its practice in security advisories, it didn't promise to do so.

The next regularly-scheduled security update is slated for February 9.

See also: Microsoft wants privacy code of conduct for the cloud


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia