Newly-Found Windows Bug Affects All Versions Since NT
garg0yle writes "A researcher has found a security bug that could allow privilege escalation in Windows. Nothing new there, right? Well, this affects the Virtual DOS Machine, found in every 32-bit version of Windows all the way back to Windows NT. That's 17 years' worth of Windows and counting. 'Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system. ... The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported.'"
Cue "Windows Sucks" comments in 5, 4, 3, 2, 1....
Every time I read about one of these long-undiscovered instant pwn bugs, I always have to wonder if there's someone sitting deep underground in an NSA computer center saying "Well shit, looks like we'll not be using that exploit anymore."
Is this a hole nobody knew about or a hole nobody but the people who knew about it knew about, and those people weren't talking?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
No, I guess it wouldn't, would it?
Someone had to say it though.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Don't just dump IE.
Dump MicroSLOP
completely !
Yours In Novosibirsk,
K. Trout
Yet another driving factor for using the 64-bit editions of Windows (or something completely different from Windows altogether!).
This is the cost of backward compatibility at the expense of everything else. That is what made Microsoft and that is what may break it.
This space for rent.
This bug was discovered by Tavis Ormandy.
Tavis, you need a girlfriend.
Yet another reason people need to abandon 32-bit OSs. Seriously. What's the point of using half the power of your CPU?
For those who seek perfection there can be no rest on this side of the grave.
From the RFA: "He said he informed Microsoft security employees of the vulnerability in June".
So, Microsoft could at least have fixed this in Windows 7 (according to Wikipedia: "released to manufacturing on July 22, 2009").
Browsers shouldn't have a back button!! It's all about going forward...
Good job I run W7 64-bit then I guess. I remember when I tried using XP64, what a pile of crap that was. I'm glad they have sorted the compatibility issues in newer releases.
I am a leaf on the wind, watch how I soar.
In particular, if that could be used to turn the "safe" IE8 into something unsafe, it could lead to more governments asking their citizens to stop using IE, any version of it.
Ormandy said the security hole can easily be closed by turning off the MSDOS and WOWEXEC subsystems. The changes generally don't interfere with most tasks since they disable rarely-used 16-bit applications. He said he informed Microsoft security employees of the vulnerability in June.
So, to be clear, is this only about 32-bit Windows builds then?
64-bit Windows doesn't even support running 16-bit applications. And that's what WOWEXEC is all about. However, I'm less sure about this "MSDOS" subsystem in 64-bit builds? What's that for, anyway? The console emulation?
Beware: In C++, your friends can see your privates!
It looks like one more reason to switch to 64-bit to me. I have been using 64-bit since Vista. Now I am glad I made the switch. And since the OEM keys for Vista and 7 are good for both the 32-bit and 64-bit versions, the only excuse for not going 64-bit is laziness (assuming you have a 64-bit processor). I have yet to find a 32-bit program that doesn't run on my 64-bit machine.
There are 10 types of people in this world: those who read binary and those who don't. Which are you?
I guess windows 7 sales were a bit sluggish, so here comes a new bug they can fix in windows 8.
What about the PowerPC version of NT? That's 32-bit too. And of course the DEC Alpha version is 64-bit, so it can't have that exploit.
Slashdot makes me sick. It's just not fair to go digging 14 years prior to the date when Microsoft finally started taking security seriously.
Rich And Stupid is not so bad as Working For Rich And Stupid.
So much for 'nobody writes hacks for old stuff anymore, if we just keep running NT we'll never get hacked' Sounded good at the time.
Actually, I was just messing around. I'm kind of surprised it took someone this long to find a vulnerability in wowexec. I'm sure MS is not even thinking much about this, yet pretty much any program can have the possibility of a buffer overrun or some sort of registry memory shift.
I found it funny that the Google ad displayed next to the article was for Microsoft forefront touting the security features.
http://www.perfectreign.com/stuff/2010/forefront.jpg
The Kai's Semi-Updated Website Thingy
I've heard that coders at Microsoft don't code, and they don't go looking for bugs in old products especially. After all, that code is done and (to quote Blagojevich) is F*ckin' golden! The only way MS code is checked is by reverse engineering by independent firms. BTW, that appears to be a violation of the EULA. How do they ever get away with this? F*ckin' do-gooders, poking their nose into someone else's business!
Anyone still running only 32-bit Windows deserves the vulnerability. This is just one more reason why people should be upgrading to 64-bit.
I always wondered why PEEK and POKE still worked in QBASIC.
Interesting co-incidence that you should bring up that example. Tavis Ormandy, one of those who discovered the Linux kernel bug you mentioned, was also the one who posted the details on the Windows 16bit VDM bug that we're discussing here to Full Disclosure yesterday. I guess he must like his code to be covered in cobwebs or something...
UNIX? They're not even circumcised! Savages!
Vulnerability applies to 32-bit Microsoft Windows operating systems with Windows NT 3.5 heritage.
Vulnerability arises from ancient coding or design flaws in the MS-DOS execution subsystem. This subsystem is not present in 64-bit Windows OSs.
The workaround is to disable the MS-DOS subsystem.
Great article at the SANS Institute Internet Storm Center: http://isc.sans.org/diary.html?storyid=8023. This includes links to Youtube videos on how to use Windows Group Policy tools to disable this subsystem.
However, once you do this, you won't be able to run 16-bit DOS-based software, so if you really need that you may have to wait for a patch. Or build a dedicated DOS machine, where at least you'll have no illusions of security. (Cynics would say this is true of any MS operating system, but I leave that debate to others.)
Welcome to the Panopticon. Used to be a prison, now it's your home.
I seem to recall demo-coders bragging about using a local priv. escalation bug in the VDM to "break out" of 16-bit DOS code at least 3-4 years back.. Anyone remember?
This isn't a "Newly-found" bug. It was discovered and reported to Microsoft on 12-Jun-2009. Not sure what's worse: an OS vendor who doesn't patch holes quickly or a blog editor who is clueless and uses inaccurate headlines to waste readers' time.
...the German and French governments advise their citizens against using Windows altogether, not just Internet Explorer.
"As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch."
So, er, why isn't there a link telling us punters how to disable the WOWEXEC and MSDOS subsystems? Enquiring minds wish to know...
from Tavis Ormandy's disclosure
So the bug was found six months ago, but Microsoft only decided it was serious enough to fix after it was publicized. Seems like another case of "responsible disclosure" being used to cover up a vulnerability, instead of fixing it (or publishing a workaround) before the bad guys find out about it.
You will never be able to review the source code of your windows OS.
All you have to be is Chinese Government. That is all. You think the Google hack was found by relentless probing of defenses of the WinOS? Or did they have to just grep through the WinOS source code for things like strcpy()?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Windows 98SE rules!
The only public figure in American society who had anything remotely insightful to say in the last twenty years or so:
If this was a ruse to get me to dump them, spend money, go to the hassle of upgrading the O/S and very likely having to replace a whole load of hardware and applications, then sorry guys. You've failed.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
No, ignore the problem; after all there is plenty of randomness available in Ubuntu. Randomly qualified maintainers fiddling with other randomly qualified maintainers' fiddling of the original maintainer's code. Nothing wrong whatsoever with packaging in meta Linux distros...
I've always assumed any Windows PC I'm using could have been rooted long ago
Corrected version:
I've always assumed any device with a closed-source OS/BIOS/firmware/other code I'm using could have been rooted long ago
There, fixed that for you.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Certainly the best way to eliminate this threat is to do away with the NTVDM altogether and use virtualization, similar to how Windows 7 Pro has "XP Mode." Microsoft should create a virtual HD (*.vhd) file with MS-DOS 6.22 installed on it and then offer it as a free download. Users could either use Virtual PC or the virtualization solution of their choice (VirtualBox, VMWare, etc).
DOSBox is also a decent solution, although it is geared more towards DOS games than to completely and accurately emulating MS-DOS.
There is a patch for not only this new bug in Windows, but every other bug, known or unknown. This patch will also boost performance and even removes all of those pesky Windows bugs that are erroneously attributed to open source software such as Firefox, OpenOffice.org, etc. Click here for more info about the patch.
Perhaps MS should finally grow some balls and ditch legacy code. Just do it. It's not about what the customer thinks they want, it's about progress. Do it like Jobs.
That is all.
So, you mean to tell me Microsoft lied all those times they claimed Windows was rewritten? Didn't see that one coming...
Jason-Palmer.com
I'm not getting a lot of these posts. Microsoft is a software business, not a computer science business. I think some of you may be confusing one for the other. This is par for the course.
Does any major software still need the 16-bit subsystem?
Amusingly, when I first installed Windows NT 3.51, back around 1996, the 16-bit subsystem was optional, like the OS/2 subsystem, and I had it turned off. Everything worked fine. In NT 4, they let the kode kiddies from the Windows 95 group put legacy code into NT, some of which still ran in 16-bit mode, and the 16-bit subsystem was always on.
Good thing I'm running Windows 7 64-bit then :)
Jack of all trades, master of none
...to run OS/2 Warp4. Yeppers.
YankDownUnder Veni, Vidi, volo in domum redire
I'm running MS-DOS right now so I'm really getting a kick out of these comments.
I used to work for a large defense company. I won't say who, or what project, but think Raytheon (a good sized defense contractor) and set your sights a bit higher.
Our department had a product, and of all the arguments 'round the table about this and that, one that I tried to fight was a bug that could kernel panic the system, regardless of privileges (i.e. you can be any user on the system). Worse, this bug can be invoked on the command line, locally. Worse, this command line was a simple derivative of a legit command given in the documentation for common use while using the system. Worse, this episode cemented and reinforced my perception of the evils of proprietary software production and of allowing business rationale and management to influence design decisions and implementations.
I lost, the bug was never fixed by the time I had left. Even with architecture changes with underlying hardware, the bug propagated through hardware and software product revisions.
Allow me to backtrack for one second. When I was starting out in software development, I got the greatest piece of advice from my then boss; who was and is a very adept engineer. I had to develop a domain whois CGI script, I chose to do it in C. (Follow me here, yeah perl/php/python/ada blah blah blah) Every time I submitted a revision, he broke it. Until one day he said, "If you are going to have an end-user give input, in any way, be prepared to parse and process anything. You can not assume the user even knows what domain syntax is." Basically, if you have the end-user type something on command line, into a input box, or some other text field, make no assumptions and be able to parse anything that might be managed to be inserted into that field.
My program grew thousands of lines once that sunk in. Error handling, string parsing, input validation and sanitation, is the input even ASCII...
So with this ingrained into my psyche, which I think is an extremely valuable concept when designing interactive software, now you can appreciate my frustration when I was told that the bug in question would not be dealt with because the command that invoked it wasn't verbatim with what the documentation said. In a nut shell, the following transpired:
Let's say I make 150 dollars an hour, and it takes me a day to investigate this bug, another day to fix it, and a few more hours to document this, and then we conduct regression testing to make sure changes don't have negative effects elsewhere in the program, that's quite a bit of money the company spends on this problem. If the change is found out by the government testers, then we stand a chance to have to face re-certification (or at least a long delay in current certification processes) which costs even more, not to mention potentially missing our mark for shipping to market resulting in irrecoverable and high lost opportunity costs (LOC). Now, let's say the help desk folks, who make 15 dollars an hour, simply guide the user to type the correct thing in (he spends five minutes doing this), or the end-user follows the documentation and does it himself. The bug never surfaces, and the company doesn't have to spend the extra money or face negative consequences.
They made their decision to ignore this problem using business rationale. I can not overstate how pissed off I got over this issue, because our product was in use, in the field. It was a part of the military machine, and so lives are at stake as far as I'm concerned. Business rationale my ass, everyone there was salary and it's my opinion that the government gets shafted often by contractors as they attempt to recoup all costs by charging to an authorized project charge number for everything. So the company doesn't really pay the 150 dollars an hour to develop a broken feature, the taxpayer does. But this is how decisions are made when business philosophy interferes with logic, and while my bug won't likely cause an international tragedy, this exact same thing can be transposed over the events leading up to
I've tested the exploit in a virtual machine in Windows 7 x32 and Windows XP SP3 and it doesn't work. These are default installs of the OS with no config changes. When run in Windows 7 x32 as Administrator it did cause a BSOD. Running as a standard user it did nothing; the process supposed to have escalated privileges did not. Anybody else found it working?
Exactly. My POS '99 Ford Explorer has a cruise control recall due that apparently causes the car to explode in flames (their words). My point here is that I am sure Ford knew about the problem years in advance and finally broke out their profit/loss calculator after the law suits started piling up and decided it was time to fix it. Design flaws are here to stay, is this a surprise? A for profit company has different legal liabilities (both to the public and their shareholders) than an open source community has.
Are those 3D printers good enough that I can print off an Ubuntu 4-door hybrid yet?
I am a v1ral sig. Plse c0py me and h3lp me spread. Thank y0u?
haha suckers your backdoors are getting less and less every day
soon there will be only one
I was just gonna say "Windows is insecure! Film at 11:00"
But your deeply insightful comment got me thinking and I've amended my response to "Windows sucks! Fuck off shill."
Just saying.
This new bug does NOT affect ALL 32-bit versions of windows.
Windows 9x/ME systems are not vulnerable to this latest security issue. Again we see how poorly designed the NT-based versions of Windows really are compared to the 9X/ME versions. NT - The emperor has no clothes.
and sitting in front of it. Windows is therefore vulnerable to every user of Windows. So what makes you trust that everybody who's using Windows can be trusted not to exploit it? Why do they need to lock down desktops in corporate environments if everybody who uses Windows is trustworthy?
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
. 'Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel,
As if 99% of all Windows users aren't already running as root.
Summary of workaround for WinXP:
start->run->gpedit.msc
Navigate to:
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility -> Prevent access to 16-bit applications
Select "enable".
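The gpedit steps above, and the "turn off the MSDOS and WOWEXEC subsystems" workaround quoted from Ormandy earlier in the thread, can be applied and verified from a script instead of by clicking through the policy editor. The following is an added example, not code from the thread, from Microsoft, or from Ormandy's advisory. It assumes that the "Prevent access to 16-bit applications" policy is stored as the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (1 = blocked), and that a 64-bit Windows has no NTVDM at all, so the policy is moot there. The function names are the example's own.

```powershell
# Added example; not from the original thread or from Microsoft/Ormandy.
# Assumption: the gpedit setting "Prevent access to 16-bit applications" is
# stored as the DWORD VDMDisallowed under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (1 = 16-bit apps blocked).
# Run from an elevated (administrator) PowerShell session; it changes machine policy.

$VdmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$VdmValueName = 'VDMDisallowed'

function Test-Is64BitWindows {
    # Also works on PowerShell 2.0 (XP/2003): either the shell itself is a
    # 64-bit process, or it is a 32-bit process running under WOW64.
    return ([IntPtr]::Size -eq 8) -or
           (-not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432))
}

function Get-VdmPolicyState {
    # Returns 'NotApplicable' (64-bit, no NTVDM), 'Blocked' or 'Exposed'.
    if (Test-Is64BitWindows) { return 'NotApplicable' }
    $item = Get-ItemProperty -Path $VdmPolicyKey -Name $VdmValueName `
                -ErrorAction SilentlyContinue
    if ($item -and ([int]$item.$VdmValueName -eq 1)) { return 'Blocked' }
    return 'Exposed'
}

function Disable-Vdm {
    # Same effect as setting the policy to Enabled in gpedit.msc.
    if (-not (Test-Path $VdmPolicyKey)) {
        New-Item -Path $VdmPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $VdmPolicyKey -Name $VdmValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RunningVdmInstances {
    # Every live 16-bit session is hosted by an ntvdm.exe process. The policy
    # only blocks new launches; sessions already running keep running.
    return @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)
}

# --- usage ---
$before = Get-VdmPolicyState
Write-Host "NTVDM policy state before: $before"

if ($before -eq 'Exposed') {
    Disable-Vdm
    Write-Host "NTVDM policy state after:  $(Get-VdmPolicyState)"
}

$live = Get-RunningVdmInstances
if ($live.Count -gt 0) {
    $pids = ($live | ForEach-Object { $_.Id }) -join ', '
    Write-Host "Warning: $($live.Count) ntvdm.exe process(es) still running (PIDs: $pids)"
}
```

To confirm the workaround took, try to start any 16-bit executable afterwards (an old DOS .com or .exe): it should be refused rather than spawning a new ntvdm.exe, while 32-bit programs are unaffected. Kill any ntvdm.exe the script reports as still running, since those sessions predate the policy change.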
The real question is, how do I secure my PC? And don't give me those Policy Groups buzzwords -- how many PC owners know what they mean? Criminy, tell us which files to rename, which registry keys to change, or which services to turn off -- give us something simple and effective.
I am using x64 so I am ok ;)
People who laughed at your comment also enjoyed the Jack Benny article on today's front page.
"How long will we have to wait for MS to do anything about this one? Will they simply suggest people use 64-bit Windows?" - by aztektum (170569) on Wednesday January 20, @11:58AM (#30833872)
You've got a point on THAT much, this is certain (licensed Windows 7 64-bit user here)... Microsoft would do well by doing that, & probably spur/usher-in MORE "64-bit computing" on Personal Computers in doing so.
HOWEVER: This is all that users on Windows need to "adjust" (i.e.-> Simply "rip out" the DOS/Win16 subsystem basically) -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
(Iirc, that's where any "emulated" subsystems, such as POSIX, exist on ANY form of Windows NT-based OS'...)
APK
P.S.=> It's often suggested for security to do so for the POSIX subsystem, so, this is probably going to shortly be another such suggestion is my guess, for better security (assuming that using some old "legacy app" is not mandatory by a user or company that utilizes Windows)... apk
given enough eyeballs, all bugs are shallow
-Eric S. Raymond, The Cathedral and the Bazaar
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
great, I'll test this virus ASAP :-)