Windows plagued by 17-year-old privilege escalation bug

All 32-bit versions vulnerable
A security researcher at Google is recommending computer users make several configuration changes to protect themselves against a previously unknown vulnerability that allows untrusted users to take complete control of systems running most versions of Microsoft Windows.

The vulnerability resides in a feature known as the Virtual DOS Machine, which Microsoft introduced in 1993 with Windows NT, according to this writeup penned by Tavis Ormandy of Google. Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system’s kernel, making it possible to make changes to highly sensitive parts of the operating system.

“You can in theory write to memory segments that are otherwise considered highly trusted and sensitive,” said Tom Parker, a director in the security consulting services group at Securicon, a Washington, DC-based security practice. “So for example, malware could possibly use it to install a key logger.”

The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported. Presumably, Windows 2000 is also susceptible. Immunity, a Miami-based company that makes auditing software for security professionals, has already added a module exploiting the vulnerability to its product called Canvas. The exploit has been tested on all versions of Windows except for 3.1.

http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/
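Added example, not taken from the article, from Ormandy's advisory or from Microsoft: a PowerShell script that applies and verifies the configuration change the article alludes to, namely Microsoft's interim workaround of shutting off the 16-bit subsystem through the "Prevent access to 16-bit applications" policy. The registry location and value name it uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, VDMDisallowed = 1) are what that Group Policy setting writes, but the script treats them as an assumed mechanism; check them against the advisory text before deploying. It also confirms the host is 32-bit, since 64-bit Windows ships no NTVDM at all. Run it from an elevated prompt.

```powershell
# Added example (not from the article, the advisory or Microsoft).
# Assumption: the "Prevent access to 16-bit applications" policy is backed by
# the REG_DWORD value VDMDisallowed=1 under the AppCompat policy key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Test-VdmPresent {
    # NTVDM only ships with 32-bit Windows; on x64 there is nothing to disable.
    Test-Path (Join-Path $env:SystemRoot 'System32\ntvdm.exe')
}

function Get-VdmPolicyState {
    # 'Blocked' when the policy value is 1, otherwise 'Allowed' (missing key/value
    # counts as Allowed, which is the default on every affected release).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -and $item.$ValueName -eq 1) { 'Blocked' } else { 'Allowed' }
}

function Disable-Vdm {
    # Create the policy key if needed and set VDMDisallowed=1 as a REG_DWORD.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

if (-not (Test-VdmPresent)) {
    Write-Host 'No NTVDM on this host (64-bit Windows): workaround not applicable.'
} else {
    Write-Host "16-bit subsystem policy before: $(Get-VdmPolicyState)"
    if ((Get-VdmPolicyState) -eq 'Allowed') {
        Disable-Vdm
    }
    Write-Host "16-bit subsystem policy after:  $(Get-VdmPolicyState)"

    # Functional check: any 16-bit binary should now be refused to start.
    # debug.exe is a 16-bit program present on 32-bit installs up to Windows 7.
    $probe = Join-Path $env:SystemRoot 'System32\debug.exe'
    if (Test-Path $probe) {
        Write-Host "Launch $probe in a new logon session; it should be refused by the system."
    }
}
```

Treat this as a stopgap, not a fix: it breaks every 16-bit DOS and Win16 program on the machine and only removes the VDM path the proof-of-concept relies on. The real remedy is the kernel patch Microsoft shipped for this bug in February 2010 (MS10-015); if you roll the policy out in the meantime, test any 16-bit line-of-business software first.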

Hi Logos,

It is a 16-bit kernel exploit affecting Windows kernel versions since 1993. Advisory to be found here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
"This is believed to affect every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009)."
Again another example of security through obscurity: new exploitable skeletons are to be found inside the Windows cupboard every once in a while. Because one has built layer upon layer to make it more secure, sometimes flaws are found that have been there from day one to the present day; also heap spray exploits, with of course JavaScript as the route, will be found again and again. This is a predictable ongoing phenomenon...
Until script blocking like NS in Firefox reaches the MS browser, for instance, it will never be fully secure, I fear.

polonus

hi Polonus,

thanks for the details :wink: … I still believe that the general switch to NT with XP was the best thing MS could do. Win9x was a disaster of instability and relative insecurity (relative because we were on dial-up, we were not constantly connected, there were not so many web threats etc… ) thinking that some desktop features in Win95 depended on the presence of IE4 for instance…

Win9x was a disaster of instability
I found 98 SE pretty stable. :) (Not very secure, you're right.)

As to Win9x, I've only been running 95 and 98 (first edition)... I admit 98 was a bit more stable than 95, just a bit... real stability really came with Win2000 and XP (can't tell about WinNT in the 90s... I just read a few times that it was stable, but very unfriendly; never ran it).

Hi Logos and bob3160,

And no-one mentioned ME (how quickly people do forget),

polonus

I didn’t forget but my comment was related to stability and Windows ME was never stable. :cry: ;D ;D

No, I didn't forget ME, but I wouldn't have used it even if paid for it ;D ... ME appears to me as a non-event in Win9x history... same goes for 98 and 98SE btw ... I did buy Windows 98, although I knew in advance that it wouldn't change much compared to Win95... but hey, stupidly I wanted the last version ::), just in case :slight_smile:, but I won't complain, I was an aware victim ;D :smiley: ... a new PC came after that with XP.

Hi Logos,

And the multi-exploits keep returning in PDF, Adobe and for IE. Just Google for it and do some background reading about this heap spray / invalid array / stack overflow one dating from 2006:
IE # Address of shellcode: printf "\x41\x41\x41\x41" #
This is due to the software's architectural limitations...
"$page = $page . "\x41\x41\x41\x41" x 65535;" Just set the executable to a certain instruction address. Then the instruction "call ecx" is executed, so the flow of execution will jump to it...
iframe src="file://BBBBBBBBBB..." name="CCCCCCCCCC..." The exploit crashed IE back then...
Read this, which resurfaced again: http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html

pol

Hi Polonus,

thanks for the additional info but all this coding is “Chinese” to me ;D (it might actually be :smiley: )…could you translate into simple non-coder language, would be much appreciated, thanks :wink:

Hi Logos,

But they were the masters of heap spraying Feng Shui: http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
http://contagiodump.blogspot.com/2010/01/jan-20-cve-2009-4324-chinese.html

polonus

off topic: why doesn’t my new avatar show any animation here ??? :cry:

You didn’t feed Chompy enough flies and he died?

http://people.mozilla.com/~dolske/apng/chompy2.png

lol, yeah…last time I used a gif here the animation worked ??? …I’m hijacking the thread I started ;D :-X

APNGs don't work as avatars, or at least Chompy doesn't; maybe he's too big.

Hi FwF,

My avatar is shown in Firefox or Flock, but I miss it in GoogleChrome, when I put the link into a new tab it gives connection problems for: http://forum.avast.com/index.php?action=dlattach;attach=5730;type=avatar
What is wrong there, should I clear the cache or what?

pol

Hi Polonus,

Works for me in Chrome on Linux.

off topic again: just when I was wondering whether I was going to reinstall Linux or not... I had my worst issue with it two days ago... solved in the meantime, but it shouldn't have happened in the first place...
http://forum.avast.com/index.php?topic=53644.msg455010#msg455010

ps: Chrome works fantastic in Linux

Font rendering isn’t as nice as Firefox or Opera.

Fonts render like in Firefox 3.0

Mind you, it took me a while to get used to the way fonts rendered in Firefox 3.5.

:slight_smile:

yeah, I know about the fonts, that's one thing that I hate about Linux, the font rendering in Firefox and Chrome. A bit better in Opera. Anyway, I've tried everything: switching to Liberation Fonts, even importing fonts from Windows and applying them... just a no go... you get used to it after a while, if you run Linux only ;D Rebooting from Windows into Linux underlines the difference every time again :slight_smile:
What I meant is that Chrome is still faster in Linux, well, from what I've seen with the Google version of Chromium. Anyway, I know some people manage to get fantastic fonts in browsers in Linux, but I have no idea how, or I forgot. Someone explained how he did it a while ago on Mandriva's forums, and when I tried to reproduce it, it didn't work. I don't know what it was anymore.

ps: not sure about it but I wonder if in the end the 24 bit limitation isn’t an issue…