Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released
In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected.
The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.
Here are the mitigation instructions (copied from the advisory):
Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).
The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.
Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.
To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.
http://www.youtube.com/watch?v=XRVI4iQ2Nug
To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.
http://www.youtube.com/watch?v=u8pfXW7crEQ
To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.
http://www.youtube.com/watch?v=u7Y6d-BVwxk
On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.
http://support.microsoft.com/kb/220159
Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.
This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
The full post is here: http://seclists.org/fulldisclosure/2010/Jan/341
JJ
Jan 19th 2010
1 decade ago
Kamil
Jan 20th 2010
1 decade ago
Freudi
Jan 20th 2010
1 decade ago