The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed Tuesday by Google engineer Tavis Ormandy on the Full Disclosure security mailing list. Coincidentally, Ormandy received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday.
The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft's first fully 32-bit operating system. VDM allows Windows NT and later to run DOS and 16-bit Windows software.
Yesterday's advisory spelled out the affected software -- all 32-bit editions of Windows, including Windows 7 -- and told users how to disable VDM as a workaround. Windows' 64-bit versions are not vulnerable to attack.
It was Microsoft's second advisory in seven days; last week, the company posted a warning of a critical flaw in Internet Explorer after Google said its corporate computers had been hacked by Chinese attackers. That bug is to be patched later today.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," said the newest advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Jerry Bryant, a program manager with the Microsoft Security Response Center (MSRC), said that the company had not seen any actual attacks using the vulnerability, and also downplayed the threat if hackers do exploit the flaw. "To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system," Bryant said in an e-mail.
Typically, Microsoft ranks this kind of vulnerability -- which it classified as an elevation of privilege flaw -- as "important," the second-highest of the four ratings in its four-step system.
Ormandy said that the vulnerability goes back nearly 17 years to Windows NT 3.1's release, and exists in every version of Windows since. He reported the bug to Microsoft more than seven months ago.
"Regrettably, no official patch is currently available," Ormandy wrote on Full Disclosure Tuesday. "As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch." The workaround Ormandy included in his message was the same as Microsoft's: Edit group policies to block 16-bit applications from running.
Although Ormandy divulged information about the vulnerability, even posted attack code that works on Windows XP, Server 2003, Vista, Server 2008 and Windows 7, Microsoft didn't take him to task in the advisory for prematurely revealing the bug, as it almost always does researchers who spill the beans before a patch is ready.
Presumably, Microsoft will issue a fix for the flaw at some point, but as is its practice in security advisories, it didn't promise to do so. The next regularly-scheduled security update is slated for Feb. 9.
source : http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug