Microsoft confirms 17-year-old Windows vulnerability
Summary: Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode.
One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel -- from Windows NT 3.1 (1993) up to and including Windows 7 (2009) -- Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.
Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.
The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.
According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.
As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.
Ormandy's advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group Policy.
The mitigation in Microsoft's advisory mirrors the advice from Ormandy.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Same ole stuff
Right.
Corps. don't use Linux? Really?
http://www.computerworlduk.com/technology/networking/messaging/news/index.cfm?newsid=18429
That's just one pittance example. And I think a STOCK EXCHANGE would be concerned about security among other things. Why don't you get Clue 0 before towing the party line.
Thank god for Linux Mint!!
If I need to run XP, I'll do that in Virtual Box, which flies on my dual core Toshiba lappie. I'm still seeing my naive friends running XP/Vista and they're always complaing about "performance" or this or that virus/trojan/worm.
Heck, my time is more valuable than worrying about Windows CHALLENGES or issues from 17 years ago that might rear its ugly head TODAY. "Serenity now!"
Get Linux Mint now!
http://www.LinuxMint.com
My approach.
was 15. It was only $399 after the rebate.
She used XP for a while, but it quickly began
giving BSOD's every time she opened a browser.
I Loaded Mint (exclusively) and she was able to
use it for high school with no problems. I
recently replaced the 40 GB HDD with a 160 GB
perpendicular drive ($86) and upgraded the DDR2
memory (256 MB) to 2GB for only $23. It's been
running great ever since with no attention. (XP
was never re-installed)
Now she's in college and I just installed Linux
Mint 8. No problems at all and no maintenance
calls. I don't have to worry about driving 1.5
hours to her dorm to fix virus issues.
I think nothing of replacing the HDD on my new
Toshiba 17" with a 500GB, 7200 Perpendicular HDD
and increasing the memory to 4GB. It only runs
Linux Mint 8 with a full complement of Wine-
Doors. No problems leaving Windows and IE.
You will never go back.
It's better to have a secure OS that does not need AV programs running in the background to protect a faulty OS.
MS can't change their authentication system, it's too late in the game.
If you go to "control center" and "firewall", you can enable the built in firewall for extra protection.
Using Linux Mint for kids in school is great also. There's no breakdowns due to virus infections.
Were they 17 years old?
Now, you're talking about 0-day vulns in Firefox. Any 200-day vulns? Anyone at Mozilla left a massive vulnerability unpatched for [u]7 months[/u]? Anyone at Cupertino been that sloppy? Are there any critical flaws open on the Linux kernel in their third trimester?
No?
Sure, 0-day flaws are bad because that suggests the developers are leaving too low hanging fruit for hackers but not fixing a critical security flaw for 7 months is just shite.
Wrong.
No one knows.
years, who's to say whether FF or Apple doesn't
have one, too? Your argument is flawed.
He's talking about known vulnerabilities.
they didn't fix it to for 7 months, as is the
case.
That MS didn't find out about it for 17 years is
bad, but isn't the sole problem.
When Firefox and Open Office...
have the equivalent Linux versions, there's
never any problems.
Quality Open Source products should never be
written to try and operate on such an inferior
platform.
The Fact that Windows itself allows the attacks
is almost never addressed in articles.
Microsoft is history.
Maybe you should get a clue. Google & ZDNet websites run only Linux
http://searchdns.netcraft.com/?host=google.com&x=0&y=0
http://searchdns.netcraft.com/?restriction=site+contains&host=zdnet.com&lookup=wait..&position=limited
And the same 'ole TROLLER at the top of the responses!
Maybe [i]you[/i] should start designing/encoding/publishing your [i]own[/i] OS, and we can all sit back in our arm-chair pick it to buggery! Let's make [i]Linux[/i] the mainstream OS of choice, and see how [i]it[/i] stands up to umpteen THOUSAND hacker and malware writers (many heavily funded by organised crime groups), all looking for the tiniest chinq (wrong spelling, but correct spelling deemed offensive!) to exploit! Let's see how [i]Linux[/i] handles the balance btwn security and usability and downtime (because many large corporations see any time lost due to rolling out patches and the successive app breaks as expensive downtime), and thus keep systems running which are vulnerable.
How about you get down from that soap-box of yours and quit the tired old (and rather ignorant) spiels. Fact is that this "glitch" has taken everyone out there [b]17 years[/b] to discover... I wonder how may such glitches there are in what-ever OS or apps which [i]you[/i] use, just sitting there undiscovered???
Unix
It takes more than just volume of attacks to bring a secure system to its knees.
Really??
UNIX
professional level OS.
It will still be there when Windows is dust.
It is not the OS
We have come so far, (I have been a hardware engineer/IT Analyst since 1981), to allow the current level of non-security to exist.
It is very simple to fix, make all software/protocols validate via a hardware connection. Old school is sometimes good.....
Here, Here, for Hardware implemented sucurity
This vulnerability..
anywhere in the OSI model. It doesn't even have
anything to do with networking.
UNIX - Really??