Author Topic: Windows plagued by 17-year-old privilege escalation bug


Hermite15

  • Guest
Windows plagued by 17-year-old privilege escalation bug
« on: January 20, 2010, 12:44:08 PM »
Quote
Windows plagued by 17-year-old privilege escalation bug
All 32-bit versions vulnerable
Quote
A security researcher at Google is recommending computer users make several configuration changes to protect themselves against a previously unknown vulnerability that allows untrusted users to take complete control of systems running most versions of Microsoft Windows.

The vulnerability resides in a feature known as the Virtual DOS Machine, which Microsoft introduced in 1993 with Windows NT, according to this writeup penned by Tavis Ormandy of Google. Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system.

"You can in theory write to memory segments that are otherwise considered highly trusted and sensitive," said Tom Parker, a director in the security consulting services group at Securicon, a Washington, DC-based security practice. "So for example, malware could possibly use it to install a key logger."

The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported. Presumably, Windows 2000 is also susceptible. Immunity, a Miami-based company that makes auditing software for security professionals, has already added a module exploiting the vulnerability to its product called Canvas. The exploit has been tested on all versions of Windows except for 3.1.

http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/
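Added defensive example, not part of the Register article or of this thread: the article says the researcher recommended "several configuration changes" without naming them. The one most commonly applied for this issue was disabling the 16-bit subsystem (NTVDM) through the "Prevent access to 16-bit applications" policy, which is stored as the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat. That policy name and registry location come from Microsoft's guidance at the time, not from this page, so treat them as an assumption to check against current documentation. The script below audits a 32-bit host for that setting and can apply it.

```powershell
# Added example (not from the thread): audit and optionally apply the
# "Prevent access to 16-bit applications" policy that disables NTVDM.
# Assumption: the policy lives as DWORD VDMDisallowed under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; 1 means disabled.
# 64-bit Windows ships without NTVDM, so only 32-bit installs are in scope.

function Test-Ntvdm16BitDisabled {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    )

    $is64 = [Environment]::Is64BitOperatingSystem
    $value = $null
    if (Test-Path -Path $PolicyPath) {
        $value = (Get-ItemProperty -Path $PolicyPath -Name 'VDMDisallowed' `
                  -ErrorAction SilentlyContinue).VDMDisallowed
    }

    # Mitigated if the OS has no NTVDM at all, or the policy explicitly disables it.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Is64BitOS      = $is64
        VDMDisallowed  = $value
        NtvdmMitigated = ($is64 -or $value -eq 1)
    }
}

function Set-Ntvdm16BitDisabled {
    # Requires an elevated session; writes the policy value so NTVDM refuses to start.
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    )

    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'VDMDisallowed' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Usage: report first, and only remediate where a 32-bit host is still exposed.
$state = Test-Ntvdm16BitDisabled
$state | Format-List
if (-not $state.NtvdmMitigated) {
    Write-Warning 'NTVDM is still enabled on this 32-bit host; run Set-Ntvdm16BitDisabled from an elevated prompt.'
}
```

The audit function returns an object rather than just printing, so it can be run across a fleet (for example via Invoke-Command) and the NtvdmMitigated field filtered on. Disabling NTVDM breaks any remaining 16-bit DOS and Win16 applications, which is the trade-off the original advice accepted.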

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #1 on: January 20, 2010, 04:16:23 PM »
Hi Logos,

It is a 16-bit kernel exploit in Windows kernel versions since 1993. Advisory to be found here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
This is believed to affect every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009).
Again another example of security through obscurity: new exploitable skeletons are to be found inside the Windows cupboard every once in a while, because one has built layer on layer to make it more secure, and sometimes flaws are found that have been there from day one to the present day. Heap spray exploits, with of course JavaScript as the route, will also be found again and again. This is a predictable ongoing phenomenon...
Until script blocking like NS in Firefox reaches the MS browser, for instance, it will never be fully secure, I fear.

polonus




Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #2 on: January 20, 2010, 04:21:13 PM »
hi Polonus,

thanks for the details  ;) ... I still believe that the general switch to NT with XP was the best thing MS could do. Win9x was a disaster of instability and relative insecurity (relative because we were on dial-up, we were not constantly connected, there were not so many web threats, etc.)... thinking that some desktop features in Win95 depended on the presence of IE4, for instance...
« Last Edit: January 20, 2010, 04:29:39 PM by Logos »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48561
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #3 on: January 20, 2010, 04:54:03 PM »
Quote
Win9x was a disaster of instability
I found 98 SE pretty stable. :)  (Not very secure, you're right.)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #4 on: January 20, 2010, 04:59:05 PM »
Quote
Win9x was a disaster of instability
I found 98 SE pretty stable. :)  (Not very secure, you're right.)

As to Win9x, I've only been running 95 and 98 (first edition)... I admit 98 was a bit more stable than 95, just a bit... real stability really came with Win2000 and XP (can't tell about WinNT in the 90s... just read a few times that it was stable, but very unfriendly; never ran it).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #5 on: January 20, 2010, 06:56:02 PM »
Hi Logos and bob3160,

And no-one mentioned ME (how quickly people do forget).


polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48561
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #6 on: January 20, 2010, 07:01:54 PM »
Quote
Hi Logos and bob3160,

And no-one mentioned ME (how quickly people do forget).

polonus
I didn't forget but my comment was related to stability and Windows ME was never stable.  :'(  ;D ;D

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #7 on: January 20, 2010, 07:09:30 PM »
No, I didn't forget ME, but I wouldn't have used it even if paid for it  ;D .. ME appears to me as a non-event in Win9x history... same goes for 98 and 98SE, btw ... I did buy Windows 98, although I knew in advance that it wouldn't change much compared to Win95... but hey, stupidly I wanted the last version  ::), just in case  ::) , but I won't complain, I was an aware victim  ;D :D ... a new PC came after that with XP.
« Last Edit: January 20, 2010, 07:13:08 PM by Logos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #8 on: January 20, 2010, 08:26:21 PM »
Hi Logos,

And the multi-exploits keep returning in PDF, Adobe and for IE. Just Google it and do some background reading about this heap spray "file invalid array" stack overflow one, dating from 2006:
IE #Address of shellcode printf "\x41\x41\x41\x41" #
This is due to the software architectural limitations....
"$page = $page . "\x41\x41\x41\x41" x 65535;" Just set the executable to a certain instruction address. Then the instruction "call ecx" is executed, so the flow of execution will jump to it......
iframe src="file://BBBBBBBBBB....." name="CCCCCCCCCC....." exploit crashed IE then...
Read this, which resurfaced again: http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html

pol

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #9 on: January 20, 2010, 08:59:53 PM »
Hi Polonus,

thanks for the additional info, but all this coding is "Chinese" to me  ;D (it might actually be  :D )... could you translate it into simple non-coder language? It would be much appreciated, thanks  ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #11 on: January 20, 2010, 09:41:04 PM »
off topic: why doesn't my new avatar show any animation here  ???  :'(

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #12 on: January 20, 2010, 09:50:14 PM »
Quote
off topic: why doesn't my new avatar show any animation here  ???  :'(

You didn't feed Chompy enough flies and he died?

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Hermite15

  • Guest
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #13 on: January 20, 2010, 09:54:27 PM »
lol, yeah... last time I used a gif here the animation worked  ??? ... I'm hijacking the thread I started  ;D  :-X

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Windows plagued by 17-year-old privilege escalation bug
« Reply #14 on: January 20, 2010, 10:06:26 PM »
APNGs don't work as avatars, or at least Chompy doesn't. Maybe he's too big.