Wednesday, January 20, 2010

New Windows vulnerability announced

Sometimes it takes people a while to discover security bugs. Like 17 years:
The vulnerability resides in a feature known as the Virtual DOS Machine, which Microsoft introduced in 1993 with Windows NT, according to this writeup penned by Tavis Ormandy of Google. Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system.
"Inject code of his choosing directly into the system's kernel" means "GAME OVER."

But seventeen years? Wow. That's a record.

Backwards compatibility is a great source of security fail. It's terribly important - one of the biggest problems with Vista was that a lot of XP code didn't run on it, and Microsoft never really recovered from that. Nobody does backwards compatibility as well as Microsoft: the reason for the length of their development cycle is regression testing. But all this means that you keep porting old bugs forward into the new OS versions. Hackers love to attack old code, because it's not frequently used, so it doesn't get a lot of attention.

So this one is bad:
The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported. Presumably, Windows 2000 is also susceptible. Immunity, a Miami-based company that makes auditing software for security professionals, has already added a module exploiting the vulnerability to its product called Canvas. The exploit has been tested on all versions of Windows except for 3.1.
Automated testing scripts mean this is coming Real Soon Now to a Bad Guy near you. The researchers recommend turning off the DOS subsystems, which is a really, really good idea. Here's how for XP:

3 comments:

TJP said...

That would be WOW and NTVDM. XP and Vista Home users are SOL, because the mmc snap-in for group policies is on the "pro" versions only.

Oh wait, me to the rescue!

If you're a registry wiz, you can find your way around here:

PLEASE REGISTER ON OUR FORUMS TO SEE THE ANSWERS -- IT'S ONLY $30 A FEMTOSECOND

Just kidding...

Go here: HKLM\System\CurrentControlSet\Control\WOW

Make a DWORD value named 'DisallowedPolicyDefault', and give it a value of 1. This prevents NTVDM from running for all users.

To verify it's working, run 'cmd.exe', and try to launch a 16-bit shell by entering 'command' and hitting enter. If NTVDM is blocked, it will say, "Access is denied."

If you have Vista then you deserve to get raped by whatever exploit comes along.

Also: completely unrelated, but if you have Adobe Acrobat, disable embedded Javascript in the preferences. I'm not sure what moron thought it was a good idea to enable read-only PDFs to deliver viral payloads, but it works really well because most people have a browser plug-in that auto-magically opens PDF files.

Ah, I remember the good old days on Usenet in the Linux groups: "An operating system with a superuser will never be secure!" Every operating system has a superuser, whether it's called "root" or "the kernel".
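
One way to apply and verify TJP's registry workaround from a PowerShell prompt, as an added example (not code from the post or from the commenter): it assumes an elevated PowerShell session on 32-bit Windows, and the second registry path it reads, HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed, is the value the Group Policy setting writes on Pro editions, which is my addition rather than something from the comment.

```powershell
# Added example (not TJP's or the blog's code). Run from an elevated PowerShell
# session on 32-bit Windows. Applies the value TJP describes and then repeats
# his verification step (launch the 16-bit shell) without leaving a window open.

$WowKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
$WowValue = 'DisallowedPolicyDefault'
# Assumption added here: the Group Policy "Prevent access to 16-bit applications"
# on Pro editions writes this value instead; reading it too explains why a
# machine may already be protected without the WOW value being set.
$PolKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolValue = 'VDMDisallowed'

function Disable-Ntvdm {
    # Create the WOW key if it is missing, then set the DWORD to 1 (block for all users).
    if (-not (Test-Path $WowKey)) { New-Item -Path $WowKey -Force | Out-Null }
    New-ItemProperty -Path $WowKey -Name $WowValue -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $WowKey -Name $WowValue).$WowValue
}

function Get-NtvdmPolicy {
    # Report both values; a missing value reads as 0 (NTVDM allowed).
    $wow = (Get-ItemProperty -Path $WowKey -Name $WowValue -ErrorAction SilentlyContinue).$WowValue
    $pol = (Get-ItemProperty -Path $PolKey -Name $PolValue -ErrorAction SilentlyContinue).$PolValue
    [pscustomobject]@{ DisallowedPolicyDefault = [int]$wow; VDMDisallowed = [int]$pol }
}

function Test-NtvdmBlocked {
    # command.com only exists on 32-bit Windows; x64 editions ship no NTVDM at all,
    # so there is nothing to block (and nothing for this bug to reach).
    $cmd = Join-Path $env:windir 'system32\command.com'
    if (-not (Test-Path $cmd)) { return 'not applicable: no 16-bit subsystem installed' }
    try {
        # '/c exit' makes the 16-bit shell quit at once if NTVDM is still allowed.
        $p = Start-Process -FilePath $cmd -ArgumentList '/c','exit' -WindowStyle Hidden -PassThru -ErrorAction Stop
        $p.WaitForExit()
        return 'NOT blocked: NTVDM started'
    } catch {
        # With the policy active CreateProcess fails, surfacing as "Access is denied".
        return "blocked: $($_.Exception.Message)"
    }
}

Disable-Ntvdm | Out-Null
Get-NtvdmPolicy
Test-NtvdmBlocked
```

Setting DisallowedPolicyDefault back to 0 (or deleting the value) re-enables 16-bit programs if something you need turns out to depend on them.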

Eseell said...

Speaking of turning off stuff you don't need...

Anonymous said...

You wonder why I'm glad I've got an Ubuntu partition...

Jim