Microsoft confirms 17-year-old Windows vulnerability

Summary: Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode.


One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel -- from Windows NT 3.1 (1993) up to and including Windows 7 (2009) -- Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode.  For an attack to be successful, the attacker must have valid logon credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.

According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009.  After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.

As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.

Ormandy's advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning.  This can be done via Group Policy.

The mitigation in Microsoft's advisory mirrors the advice from Ormandy.
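
A way to audit whether that workaround is in place on a given machine, as an added example (not code from the article, Ormandy's advisory or Microsoft's). It assumes the Group Policy setting involved is "Prevent access to 16-bit applications", stored as the DWORD `VDMDisallowed` under the AppCompat policy key; the article does not give that location, and the function names are hypothetical.

```powershell
# Added example: report whether the 16-bit subsystem workaround is applied.
# Assumption: the policy "Prevent access to 16-bit applications" is stored as
# the DWORD VDMDisallowed under the key below (not stated in the article).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-NtvdmExposure {
    param(
        [bool]$Is64BitOS,
        [Nullable[int]]$VdmDisallowed   # $null means the policy value is absent
    )
    # The article states x64 and Itanium editions of Windows are not affected.
    if ($Is64BitOS) { return 'NotAffected' }
    if ($VdmDisallowed -eq 1) { return 'WorkaroundApplied' }
    # Value absent or 0: the MSDOS/WOWEXEC subsystems are still reachable.
    return 'WorkaroundMissing'
}

function Test-LocalNtvdmPolicy {
    # Environment variables are used so this also works on older PowerShell.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or [bool]$env:PROCESSOR_ARCHITEW6432

    $value = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = [int]$item.$PolicyName }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Is64BitOS     = $is64
        VdmDisallowed = $value
        State         = Get-NtvdmExposure -Is64BitOS $is64 -VdmDisallowed $value
    }
}

Test-LocalNtvdmPolicy
```

A `WorkaroundMissing` result on a 32-bit host means the policy has not reached that machine or has been set to 0.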

  • Same ole stuff

    Insecure software what would you expect...
    • Right.

      Because linux and Mac OS X and firefox NEVER have flaws. I just saw several 0-days for firefox on a security site yesterday, it doesn't get any news because not many people, and especially corporations don't use firefox, linux and mac os x. Why don't you get clue one before blabbing on about comp. security.
      • Corps. don't use Linux? Really?

        Just today:

        That's just one pittance example. And I think a STOCK EXCHANGE would be concerned about security among other things. Why don't you get Clue 0 before toeing the party line.
        • Thank god for Linux Mint!!

          I finally ditched Windoze a few months ago starting off with the very impressive Ubuntu 9.10 and then moving to its more polished cousin, Linux Mint. I haven't looked back nor am I going back to Windows. Nope!!!
          If I need to run XP, I'll do that in Virtual Box, which flies on my dual core Toshiba lappie. I'm still seeing my naive friends running XP/Vista and they're always complaining about "performance" or this or that virus/trojan/worm.

          Heck, my time is more valuable than worrying about Windows CHALLENGES or issues from 17 years ago that might rear its ugly head TODAY. "Serenity now!"

          Get Linux Mint now!

          • My approach.

            We bought my daughter an Acer Notebook when she
            was 15. It was only $399 after the rebate.
            She used XP for a while, but it quickly began
            giving BSOD's every time she opened a browser.

            I Loaded Mint (exclusively) and she was able to
            use it for high school with no problems. I
            recently replaced the 40 GB HDD with a 160 GB
            perpendicular drive ($86) and upgraded the DDR2
            memory (256 MB) to 2GB for only $23. It's been
            running great ever since with no attention. (XP
            was never re-installed)

            Now she's in college and I just installed Linux
            Mint 8. No problems at all and no maintenance
            calls. I don't have to worry about driving 1.5
            hours to her dorm to fix virus issues.

            I think nothing of replacing the HDD on my new
            Toshiba 17" with a 500GB, 7200 Perpendicular HDD
            and increasing the memory to 4GB. It only runs
            Linux Mint 8 with a full complement of Wine-
            Doors. No problems leaving Windows and IE.
          • You will never go back.

            It's valuable not to have interruptions due to virus attacks. I've noticed recently that today's malware doesn't advertise itself. So, with Windows and virus checker programs you still can't be sure you are free of keyloggers and trojans.

            It's better to have a secure OS that does not need AV programs running in the background to protect a faulty OS.

            MS can't change their authentication system, it's too late in the game.

            If you go to "control center" and "firewall", you can enable the built in firewall for extra protection.

            Using Linux Mint for kids in school is great also. There's no breakdowns due to virus infections.
      • Were they 17 years old?

        Before you go calling anyone else clueless have a look at Firefox's ever-increasing market share. It's, what, over 30% now? Also, try to pay attention because FF flaws are brought up on tech sites all the time now. It's not their fault if you're not paying attention. FF is both big and its flaws well reported. None, so far, date back to its inception.

        Now, you're talking about 0-day vulns in Firefox. Any 200-day vulns? Anyone at Mozilla left a massive vulnerability unpatched for 7 months? Anyone at Cupertino been that sloppy? Are there any critical flaws open on the Linux kernel in their third trimester?


        Sure, 0-day flaws are bad because that suggests the developers are leaving too low hanging fruit for hackers but not fixing a critical security flaw for 7 months is just shite.
        • Wrong.

          By Microsoft's standards it's superb response time and exemplary of their dedication to their customers' security.
        • No one knows.

          If no one got around to noticing this one for 17
          years, who's to say whether FF or Apple doesn't
          have one, too? Your argument is flawed.
          • He's talking about known vulnerabilities.

            As in, somebody found it, reported it to MS, and
            they didn't fix it for 7 months, as is the

            That MS didn't find out about it for 17 years is
            bad, but isn't the sole problem.
      • When Firefox and Open Office...

        have issues with Windows, it's Windows. If you
        have the equivalent Linux versions, there's
        never any problems.

        Quality Open Source products should never be
        written to try and operate on such an inferior

        The Fact that Windows itself allows the attacks
        is almost never addressed in articles.

        Microsoft is history.
      • Maybe you should get a clue. Google & ZDNet websites run only Linux

        @jamesrayg You are really off base. Firefox is written up to have flaws by sites like ZDNET all the time. The "Flaw" in firefox is actually a hole or deficiency in Windows that needs to be addressed. Since MS doesn't adequately address their "holes", any app that tries to run on windows is held accountable and has to be modified to "patch" the Microsoft deficiency. The same Firefox or Chrome or Open Office running on Linux doesn't have a problem because the OS is better and more secure and the app works as intended with no problems. The version for Linux is patched, but just for consistency sake, Linux doesn't roll out the red carpet for intruders like MS does. My family has been using Linux (Freespire, Ubuntu, Mint among others) for over 8 years without a single incident and never have we used AV. The fact the MS HAS to use AV says it all.
    • And the same 'ole TROLLER at the top of the responses!

      How things never do change!

      Maybe you should start designing/encoding/publishing your own OS, and we can all sit back in our arm-chair pick it to buggery! Let's make Linux the mainstream OS of choice, and see how it stands up to umpteen THOUSAND hacker and malware writers (many heavily funded by organised crime groups), all looking for the tiniest chinq (wrong spelling, but correct spelling deemed offensive!) to exploit! Let's see how Linux handles the balance btwn security and usability and downtime (because many large corporations see any time lost due to rolling out patches and the successive app breaks as expensive downtime), and thus keep systems running which are vulnerable.

      How about you get down from that soap-box of yours and quit the tired old (and rather ignorant) spiels. Fact is that this "glitch" has taken everyone out there 17 years to discover... I wonder how many such glitches there are in whatever OS or apps which you use, just sitting there undiscovered???
      • Unix

        has been the "mainstream operating system" of choice for quite a while. It's had its share of problems, yes, but you may want to double check your assumptions about the fragility of its current popular incarnation's security.

        It takes more than just volume of attacks to bring a secure system to its knees.
        • Really??

          When Unix ever becomes the mainstream operating system of choice for PC manufacturers, it will be hacked in unimaginable ways. Just like the actual OS of choice, Windows.
          Woned B. Fooldagan
          • UNIX

            Unix predates Windows by decades as a
            professional level OS.

            It will still be there when Windows is dust.
          • It is not the OS

            It is the connection layers. If IP based systems had an "authenticated" physical connection layer, not an arbitrated layer these vulnerabilities would be near nonexistent.

            We have come so far, (I have been a hardware engineer/IT Analyst since 1981), to allow the current level of non-security to exist.

            It is very simple to fix, make all software/protocols validate via a hardware connection. Old school is sometimes good.....
          • Here, Here, for Hardware implemented security

            I built my first computer from a kit in 1974. I worked for DEC from 1979 to 1999. DEC had hardware implemented security before anyone. VAX\VMS was superb for security. If it took 17 years for this problem to emerge by analysis and not because of infections it must not have been too much of an issue. I do not see anything wrong with Microsoft taking 9 months to deal with a problem that took 17 years to get documented. I do not think it was ever exploited. Now it is known and we may see an issue. This is a petty bone some people are picking on. If you want to get on a subject with weight why not look at why we jumped back in technology by about 15 years by settling on a hardware platform that did not have security under hardware control. I personally know this concept was known about by real computer engineers. The decision to use this un-secured hardware was made by the ignorant masses because of their pocketbooks and lack of understanding of what happens with no hardware implemented security control. You get what you pay for.
          • This vulnerability..

            not a problem in the IP protocol. Nor
            anywhere in the OSI model. It doesn't even have
            anything to do with networking.
          • UNIX - Really??

            UNIX password protects itself at the file level. In order to make any changes to those files you need the root access password, and UNIX doesn't store that password in hashes throughout the file system that can be cracked the way Windows does. It takes a huge amount of effort to crack UNIX security whereas Windows IE pretty much has left the door cracked for years. It's not just who's the "mainstream OS". It's who writes better security.