32-bit Windows 7, Vista, XP Affected by 17-Year-Old EoP Vulnerability

The 64-bit flavors of Windows are safe

By on 21 Jan 2010, 14:22 GMT
Windows operating systems are in essence evolving from one release to another, with some pieces of code surviving across multiple iterations of the platform. It is the case of the BIOS calls in the Virtual-8086 mode monitor code which was introduced in Windows NT 3.1, released in 1993 and that survived until this day in Windows 7. In this regard, Microsoft has confirmed information made public detailing a vulnerability contained in every release of the Windows NT kernel and dating back 17 years.

The Redmond company released Security Advisory 979682 to help customers mitigate the vulnerability until a patch is made available. The Windows NT #GP Trap Handler security hole, discovered and documented by Google engineer Tavis Ormandy, can potentially allow an attacker to elevate an existing account on a 32-bit (x86) Windows machine to full administrative privileges. This is nothing more than an Elevation of Privilege (EoP) vulnerability affecting the Windows kernel. It only impacts versions of 32-bit Windows, including XP, Vista and Windows 7. 64-bit (x64) Windows flavors are in no way affected.

“The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability. It’s important to note that we are not currently aware of any active attacks against this vulnerability and the Microsoft believes risk to customers, at this time, is limited. It is recommended that customers review and implement the mitigations and workarounds detailed in the Security Advisory,” revealed Jerry Bryant, senior security program manager, Microsoft.

Users must understand that the risk associated with this vulnerability is extremely low. It is critical to note that the flaw cannot be exploited remotely. An attacker would already have to have access to a Windows computer containing a vulnerable version of the operating system. Moreover, the attacker would also need access to an account on that computer.

“To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Security Advisory,” Bryant added.

Here are the steps necessary to disable the NTVDM subsystem, according to Microsoft:

“Click Start, click Run, type gpedit.msc in the Open box, and then click OK. This opens the Group Policy console. 1. Expand the Administrative Templates folder, and then click Windows Components. 2. Click the Application Compatibility folder. 3. In the details pane, double click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured. 4. Change the policy setting to Enabled, and then click OK. Impact of Workaround: Users will not be able to run 16-bit applications.”

1 Comment