The vulnerability resides in a feature known as the Virtual DOS Machine, which Microsoft introduced in 1993 with Windows NT, according to this writeup penned by Tavis Ormandy of Google. Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system.

"Inject code of his choosing directly into the system's kernel" means "GAME OVER."
But seventeen years? Wow. That's a record.
Backwards compatibility is a great source of security fail. It's terribly important - one of the biggest problems with Vista was that a lot of XP code didn't run on it, and Microsoft never really recovered from that. Nobody does backwards compatibility as well as Microsoft: the reason for the length of their development cycle is regression testing. But all this means that you keep porting old bugs forward into the new OS versions. Hackers love to attack old code, because it's not frequently used, so it doesn't get a lot of attention.
So this one is bad:
The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported. Presumably, Windows 2000 is also susceptible. Immunity, a Miami-based company that makes auditing software for security professionals, has already added a module exploiting the vulnerability to its product called Canvas. The exploit has been tested on all versions of Windows except for 3.1.

Automated testing scripts mean this is coming Real Soon Now to a Bad Guy near you. The researchers recommend turning off the DOS subsystems, which is a really, really good idea. Here's how for XP:
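As an added illustration (not the post's own XP instructions, which are not reproduced in this excerpt), here is a PowerShell script that reads and, if you choose, sets the policy value behind the Group Policy setting "Prevent access to 16-bit applications", which is the switch that keeps NTVDM (the Virtual DOS Machine) from starting. It also lists any running ntvdm.exe processes as a quick check that the subsystem is really off. The registry path, the VDMDisallowed value and the cmdlets are real; the function names and layout are mine. It only matters on 32-bit hosts, which is where the VDM exists, and it is a workaround, not a replacement for the vendor fix.

```powershell
# Added example, not from the original post.
# Group Policy "Prevent access to 16-bit applications" writes the DWORD
# VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat.
# Reading the state needs no elevation; changing it must run elevated.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Returns 'Disabled' when the policy blocks 16-bit apps, otherwise 'Allowed'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($item -and $item.$PolicyName -eq 1) { return 'Disabled' }
    return 'Allowed'
}

function Disable-Vdm {
    # Creates the policy key if it is missing and sets VDMDisallowed = 1.
    # Takes effect for newly launched 16-bit programs; already-running
    # ntvdm.exe instances are not terminated by this setting.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-RunningVdmInstances {
    # Detection side: any live ntvdm.exe means the 16-bit subsystem is in use
    # on this host, so the policy is not yet effective (or was applied after launch).
    Get-Process -Name ntvdm -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, StartTime
}

Write-Host ("16-bit subsystem policy: {0}" -f (Get-VdmPolicyState))
$running = @(Get-RunningVdmInstances)
if ($running.Count -gt 0) {
    Write-Host "Running ntvdm.exe instances:"
    $running | Format-Table -AutoSize
} else {
    Write-Host "No ntvdm.exe processes running."
}

# To enforce the policy, run elevated and uncomment the next line:
# Disable-Vdm; Write-Host ("Policy now: {0}" -f (Get-VdmPolicyState))
```

Run it once unprivileged to see where a machine stands, then elevated with the last line enabled to apply the policy; a rerun should report "Disabled" and, after any existing DOS sessions are closed, no ntvdm.exe processes.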