Last Updated: 2010-01-19 21:47:39 UTC
by Johannes Ullrich (Version: 1)
In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected.
The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.
Here are the mitigation instructions (copied from the advisory):
Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).
The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.
Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home
To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.
To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.
To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.
On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.
Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.
If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.
This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities.