Slashdot Mirror


Newly-Found Windows Bug Affects All Versions Since NT

garg0yle writes "A researcher has found a security bug that could allow privilege escalation in Windows. Nothing new there, right? Well, this affects the Virtual DOS Machine, found in every 32-bit version of Windows all the way back to Windows NT. That's 17 years worth of Windows and counting. 'Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system. ... The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported.'"

28 of 393 comments

  1. How do we know it's not already in use? by jollyreaper · · Score: 5, Interesting

    Every time I read about one of these long-undiscovered instant pwn bugs, I always have to wonder if there's someone sitting deep underground in an NSA computer center saying "Well shit, looks like we'll not be using that exploit anymore."

    Is this a hole nobody knew about or a hole nobody but the people who knew about it knew about, and those people weren't talking?

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
    1. Re:How do we know it's not already in use? by Skratchez · · Score: 5, Interesting

      My first thoughts exactly. I've always assumed any Windows PC I'm using could have been rooted long ago to an extent that no security tool could detect or repair it. I guess I'm just paranoid, I should really just switch to a Linux distro and start compiling my own kernels. As if I wouldn't screw that up too.

    2. Re:How do we know it's not already in use? by think_nix · · Score: 5, Interesting

      Funny how the security researcher (TFA) works at Google, and now with the Google China scenario this bug is getting press when it was reported back in June 2009, and still has not been fixed.
      Wonder if all these new MS & IE bug exploits being made known through Google are due to a lack of solidarity on some issues between Google / MS?

    3. Re:How do we know it's not already in use? by clarkn0va · · Score: 4, Informative

      Any code can potentially be compromised. The difference here is that anybody can audit or fix the Linux code, and many people and organisations have and do. So yeah, you're safer using Linux than Windows in that regard.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
    4. Re:How do we know it's not already in use? by TheRaven64 · · Score: 5, Informative

      Assuming, of course, that you're not running any binary blobs like, for example, the nVidia driver that had a remote exploit allowing an attacker to gain kernel privilege and wasn't fixed two years after it was first reported. No one outside of nVidia could audit the code and fix it, but other people (like the person who reported it) had found it and were able to exploit it.

      --
      I am TheRaven on Soylent News
    5. Re:How do we know it's not already in use? by Xest · · Score: 4, Interesting

      More likely Google discovered this one as a result of a security audit in the light of the Chinese attacks against them.

      Interestingly though, the parent may have a point; it could be that this is one of the exploits the Chinese used internally at Google precisely because they have known about it so long.

      But still, who knows.

    6. Re:How do we know it's not already in use? by Chatterton · · Score: 4, Interesting

      If you are really paranoid, you will write yourself your own C compiler or else this could happen:
      http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php

    7. Re:How do we know it's not already in use? by snemarch · · Score: 4, Insightful

      Good luck auditing even such a "limited" part as the kernel, even if you've got a full team of people - claiming that any individual could audit an entire distro is lunacy.

      And it's not like serious bugs haven't had long timespans in Linux before they were discovered; probably not any that were present as long as the NTVDM bug :), but still - it shows that having the ability to audit the code doesn't help _that_ much if nobody is actually doing it.

      --
      Coffee-driven development.
    8. Re:How do we know it's not already in use? by X0563511 · · Score: 4, Insightful

      Yes, exactly. You will notice that that error was found and corrected fairly quickly, and didn't rot around for almost two decades...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:How do we know it's not already in use? by tacarat · · Score: 5, Insightful

      So it's not Windows vs Linux security, but a Closed vs Open source security discussion.

      --
      "Common sense will be the death of us all"
    10. Re:How do we know it's not already in use? by sconeu · · Score: 4, Interesting

      You've got to build your own toolchain, too.... from the bare metal.

      Reflections on Trusting Trust.

      And I guess you have to trust the CPU not to have backdoors, too...

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    11. Re:How do we know it's not already in use? by dpilot · · Score: 4, Insightful

      Elsewhere in this thread there are comments like, "Just because it can be audited doesn't mean that it is," etc. Those comments are true, to a certain extent. Certainly long-hiding bugs have been found in the Linux kernel and software.

      But there is one other factor at work, here. I've spent a few decades in the corporate world, and I can guarantee that the first response will be political/legal. Technical issues will come later. Let's say that Joe Coder-in-the-trenches finds a lurking bug in the source code that can be exploited. He reports it, and it starts moving up the management chain, probably gaining urgency as it goes. But at some point, some level of management is going to say, "What would an emergency patch for this look like to our customers?", "What does this do to our statistics?", "What are the potential liabilities?", etc. At that point, the patch will go in, and it will get fixed, but it will be put into "the process" and run through as quietly/non-disruptively as possible. The longer a bug has existed without being exploited, the more delay in "the process" will be tolerated.

      I've also seen situations where patching a bug is interpreted by management as "admission of guilt," and then they start worrying about liability/recall type issues. In particular there was once a situation where they stonewalled a problem so hard that when it finally broke, of course they got dynamic, let us fix it the way we'd been pushing to do, took credit, and gave themselves nice pat$ on the backs. In that case, it was at least decent that they didn't punish us other than during the stonewalling phase. We even got some pat$ on the back, too.

      I have more confidence that such decisions in Linux will be technically, not politically based. I also know that there are personality issues, so it's not 100%, but it will generally be better.

      --
      The living have better things to do than to continue hating the dead.
    12. Re:How do we know it's not already in use? by aztektum · · Score: 4, Insightful

      One of the big differences here is that those bugs are fixed and were fixed rather quickly. How long will we have to wait for MS to do anything about this one? Will they simply suggest people use 64-bit Windows? They're going to take a stance that they feel best benefits them and, until they do, Windows users are in the dark and fucked.

      --
      :: aztek ::
      No sig for you!!
    13. Re:How do we know it's not already in use? by Bacon+Bits · · Score: 5, Insightful

      Well, look at the vulnerability. It's in the Virtual DOS Machine. That means you have to get 16-bit code onto the system and then make Windows execute it. So, in order to exploit the vulnerability, you've already got to have local access. No wonder Microsoft is dragging their feet. It's only exploitable in cases where you can already gain access to the system. If you're not logged on, I don't see any way to exploit this. It's not like you could even put 16-bit code in a buffer overrun and expect the kernel to execute it. It's got to be run through the NT Virtual Dos Machine or Windows-on-Windows, or it's not executable code.

      I'm sure someone will correct me if I'm wrong, but AFAIK there's no possible way to remotely exploit this (outside of another vulnerability). It's a Moderate vulnerability at best.

      --
      The road to tyranny has always been paved with claims of necessity.
    14. Re:How do we know it's not already in use? by steelfood · · Score: 5, Informative

      there's no possible way to remotely exploit this (outside of another vulnerability)

      Your caveat says more than the rest of your post. Considering how many external-facing exploits exist, and how many probably remain undiscovered, I wouldn't be surprised if this one is often used to root a machine once it's been compromised. You can clean infected files, but only if you can detect them, and they're separate and distinct from your files.

      One external-facing exploit can wreak havoc before it's fixed or the machine's reformatted. Add this one into play, and the operator simply won't realize the machine's compromised.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  2. Re:Cue "Windows Sucks" comments in 5, 4, 3, 2, 1 by jbezorg · · Score: 4, Funny

    Cue the "cue the" comments in 3, 2, 1, 0, -1, -2, -3....

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
  3. Backward compatibility by recoiledsnake · · Score: 5, Insightful

    This is the cost of backward compatibility at the expense of everything else. That is what made Microsoft and that is what may break it.

    --
    This space for rent.
  4. Re:64 Bit by TeknoHog · · Score: 4, Informative

    Yet another reason people need to abandon 32-bit OSs. Seriously. What's the point of using half the power of your CPU?

    I only have 32-bit hardware, you insensitive clod!

    --
    Escher was the first MC and Giger invented the HR department.
  5. Re:Free time. by taviso · · Score: 5, Funny

    Applications Welcome ;-)

    --
    ex$$
  6. Re:Free time. by JustOK · · Score: 4, Funny

    There's an app for that?

    --
    rewriting history since 2109
  7. WARNING: Technical stuff follows by idontgno · · Score: 4, Informative

    Vulnerability applies to 32-bit Microsoft Windows operating systems with Windows NT 3.5 heritage.

    Vulnerability arises from ancient coding or design flaws in the MS-DOS execution subsystem. This subsystem is not present in 64-bit Windows OSs.

    The workaround is to disable the MS-DOS subsystem.

    Great article at the SANS Institute Internet Storm Center: http://isc.sans.org/diary.html?storyid=8023. This includes links to YouTube videos on how to use Windows Group Policy tools to disable this subsystem.

    However, once you do this, you won't be able to run 16-bit DOS-based software, so if you really need that you may have to wait for a patch. Or build a dedicated DOS machine, where at least you'll have no illusions of security. (Cynics would say this is true of any MS operating system, but I leave that debate to others.)

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
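An added example (not from this thread or the SANS diary) of checking whether the Group Policy workaround described above is in effect on a host. It assumes the "Prevent access to 16-bit applications" policy is recorded in the registry as a `VDMDisallowed` value under the AppCompat policy keys, and that the absence of `ntvdm.exe` identifies a 64-bit install; treat both as assumptions to confirm against the advisory for your Windows version.

```powershell
# Added example: report whether this host carries the 16-bit subsystem and
# whether the "disable the MS-DOS subsystem" workaround is in effect.
# Assumption: the Group Policy setting writes VDMDisallowed=1 under the
# AppCompat policy key (machine or user scope). Verify against your advisory.
function Get-NtvdmWorkaroundStatus {
    # 64-bit Windows does not ship the 16-bit subsystem, so there is nothing to disable.
    $ntvdm = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    if (-not (Test-Path $ntvdm)) {
        return New-Object PSObject -Property @{
            SubsystemPresent  = $false
            WorkaroundApplied = $null
            Verdict           = 'ntvdm.exe not present (64-bit Windows); not affected'
        }
    }

    # The policy can be set in Computer Configuration or User Configuration;
    # either scope blocks 16-bit execution for the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat',
        'HKCU:\Software\Policies\Microsoft\Windows\AppCompat'
    )
    $disabled = $false
    foreach ($k in $keys) {
        # Missing key or missing value both mean "policy not set" for that scope.
        $v = Get-ItemProperty -Path $k -Name VDMDisallowed -ErrorAction SilentlyContinue
        if ($v -and $v.VDMDisallowed -eq 1) { $disabled = $true }
    }

    if ($disabled) {
        $verdict = '16-bit subsystem blocked by policy; workaround in effect'
    } else {
        $verdict = '16-bit subsystem available; apply the Group Policy workaround or the patch'
    }
    New-Object PSObject -Property @{
        SubsystemPresent  = $true
        WorkaroundApplied = $disabled
        Verdict           = $verdict
    }
}

Get-NtvdmWorkaroundStatus | Format-List
```

Run it in an elevated prompt across a fleet (for example via remoting) to inventory which 32-bit hosts still have the subsystem enabled while waiting for the patch.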
  8. Re:Warning: Clueless editor writes panic headline by idontgno · · Score: 4, Informative

    Relative to a 17-year latency period, yeah, 7 months is new-found. And full disclosure was new as of yesterday. To everyone but the discoverer and the OS vendor, that makes it new.

    To crib some TV network's advertisement, "It's a rerun, but it's new to you!"

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  9. Not "Newly-Found" by Len · · Score: 4, Insightful

    Microsoft was informed about this vulnerability on 12-Jun-2009, and they confirmed receipt of my report on 22-Jun-2009. Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch.

    from Tavis Ormandy's disclosure

    So the bug was found six months ago, but Microsoft only decided it was serious enough to fix after it was publicized. Seems like another case of "responsible disclosure" being used to cover up a vulnerability, instead of fixing it (or publishing a workaround) before the bad guys find out about it.

  10. You can review Windows OS code. by 140Mandak262Jamuna · · Score: 4, Interesting

    You will never be able to review the source code of your windows OS.

    All you have to be is the Chinese Government. That is all. You think the Google hack was found by relentless probing of defenses of the WinOS? Or did they just have to grep through the WinOS source code for things like strcpy()?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Re:"OSs released since 1993" by HotBits · · Score: 5, Insightful

    ... Microsoft finally starting taking security seriously.

    Where starting is the operative word. Here is one indication of how far they still have to go:

    Visit the Microsoft Online Safety password checker (https://www.microsoft.com/protect/fraud/passwords/checker.aspx). Try “Password1”.

    Wow, a "Strong" password! They don’t even do a simple dictionary check. Same is true in the OS from what I’ve seen so far.

    How long has that been built into Linux?

    From what I’ve seen in the field, dictionary attacks are the first thing malware attempts to gain control of a network.

    They are just starting to be serious about security.

  12. Re:Only 32-bit Windows builds? by The+Wild+Norseman · · Score: 4, Funny

    Oh, fuck me for not even reading the summary properly. :p

    Nice try, dude. If that really worked, we'd all be getting laid like rock stars.

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  13. exploit as published doesn't work by chentiangemalc · · Score: 4, Interesting

    I've tested the exploit in a virtual machine in Windows 7 x32 and Windows XP SP3 and it doesn't work. These are default installs of the OS with no config changes. When run in Windows 7 x32 as Administrator it did cause a BSOD. Running as a standard user it did nothing; the process that was supposed to have escalated privileges did not. Anybody else found it working?

  14. Re:Cue "Windows Sucks" comments in 5, 4, 3, 2, 1 by bami · · Score: 5, Funny

    More like cue the comments in 3, 2, 5 days, 3 hours, 23 minutes, 8 minutes, 2 hours 15 minutes, 15 seconds, 'Any moment now', 2 years.