Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released

Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released
In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected. The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications. Here are the mitigation instructions (copied from the advisory): Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course). The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration. Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx. To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below. http://www.youtube.com/watch?v=XRVI4iQ2Nug To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below. http://www.youtube.com/watch?v=u8pfXW7crEQ To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below. http://www.youtube.com/watch?v=u7Y6d-BVwxk On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems. http://support.microsoft.com/kb/220159 Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users require this functionality. If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface. This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter	Johannes 3904 Posts ISC Handler Jan 19th 2010
Subscribe	Jan 19th 2010 1 decade ago
Typo: It's Windows NT 3.1, not Windows NS 3.1 The full post is here: http://seclists.org/fulldisclosure/2010/Jan/341	Anonymous
Quote	Jan 19th 2010 1 decade ago
many factories machine still use an old application especially in asia. Open vulnerabilities for 30 years...	Anonymous
Quote	Jan 20th 2010 1 decade ago
"(all versions)"? No, it's all 32bit/x86 versions of Windows. Windows x64 doesn't support 16 bit any longer.	Anonymous
Quote	Jan 20th 2010 1 decade ago

In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected.

The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.

Here are the mitigation instructions (copied from the advisory):

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.

This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Johannes