Microsoft Identifies 17-Year-Old Bug in Windows
Microsoft Identifies 17-Year-Old Bug in Windows
Posted 01/21/2010 at 1:40pm
| by Bart Salisbury
14
Comments
Print
A code flaw in Windows that has been around for 17 years raises some interesting questions. Are hackers not as diligent in ferreting out these vulnerabilities as we normally suspect? Or is it there are so many weaknesses in Windows that hackers haven’t yet gotten around to exploiting this particular one? Doesn’t matter, really. Microsoft has come clean on a just discovered flaw in 32-bit versions of Windows, and there’s a simple workaround that can provide protection until an official patch becomes available.
The problem lies in the Windows Virtual DOS Machine (VDM), which handles the task of running legacy 16-bit programs. It was discovered and first disclosed by Tavis Ormandy, the engineer for Google who also discovered the flaw in Internet Explorer that was exploited in the recent cyber-attacks against Google. VDM became a part of Windows back in 1993, with the release of Windows NT, and is a part of all 32-bit Windows versions since. (Including the 32-bit version of Windows 7.)
According to Microsoft’s advisory: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” In other words it’s a flaw, if exploited, that hands over the keys to your PC kingdom.
Microsoft isn’t aware of any cyber-attacks that exploit the flaw. Instead, Microsoft says, “Upon completion of this investigation, [we] will take the appropriate action to help protect our customers.” That’s little comfort for the fretful among us, so Ormandy recommends a simple workaround: edit group policies to block 16-bit applications from running.
Image Credit: phil h/Flickr
More like this
14
Comments
Comments are closed on this article
gendoikari1
January 21, 2010 at 1:52pm
How many 16-bit applications are still in use today? Probably none to a few, besides the control software for archaic industrial equipment (which begs the question, why are people using a modern OS like Windows 7 to control some antiquated machine?)
Honorary Family Member:
Phenom II x4 925 2.8 GHz
XFX Radeon HD 5870
8GB G.Skill DDR2-800 RAM
ASUS M3A32-MVP Deluxe
Seagate Barracuda 750GB HDD
Biceps
January 21, 2010 at 3:30pm
Think big companies with old databases. Think hospitals. Think doctor's and dentists offices. Think non-profits that still use the same database they did 5-10 years ago. All vulnerable, and none can just 'stop using 16-bit applications'. Microsoft better get their act together and fix this, stat.
gendoikari1
January 21, 2010 at 4:07pm
"...antiquated machines...". Most home PCs aren't running 16-bit applications.
And besides, would there be any reason to connect workstations such as those (which should be used controlling the equipment in question) to the Internet?
Honorary Family Member:
Phenom II x4 925 2.8 GHz
XFX Radeon HD 5870
8GB G.Skill DDR2-800 RAM
ASUS M3A32-MVP Deluxe
Seagate Barracuda 750GB HDD
Biceps
January 21, 2010 at 4:37pm
If you have a database that is shared by several locations nationally (or globally), and that database happens to be 16-bit, this bug is an immeditate issue for your organization.
A lot of older CRM systems are 16-bit, old proprietary databases (developed by companies internally, or by contractors years ago) that are used by a lot of organizations, companies, etc (yes, they are using those 'outdated' 16-bit systems right now) might fall under this umbrella. These organizations may have upgraded OSs, but have NOT upgraded their own proprietary databases. Why? The 'if it ain't broke, don't fix it' rule. Except now, it looks like its broke.
nekollx
January 21, 2010 at 4:21pm
Lazy ITs, their probably connected to the internet to make windows update easy and LAN easy. The fix is easy to. Disable internet acess outside of schedualed windows update shedule checks till a fix comes in.
Or disable 16 bit apps.
------------------------------
Coming soon to Lulu.com --Tokusatsu Heroes--
Five teenagers, one alien ghost, a robot, and the fate of the world.
roleki
January 21, 2010 at 2:47pm
Way to announce a vulnerability before the fix has been developed. The vulnerability has been lying undiscovered for SEVENTEEN YEARS. They couldn't wait another two weeks to roll out the patch and then fess up?
And good timing, as well. Article 1: Apple Product Saves Life Of Haitian Quake Victim. Article 2: Microsoft Builds Vulnerability Into 'Greatest OS Ever'
Biceps
January 21, 2010 at 3:31pm
My thoughts exaclty. Or maybe it is a closely-watched trap for gullible Chinese hackers?
nekollx
January 21, 2010 at 3:30pm
It's implied this is the vector for the Goggle Attack. Given that isn't it best people know a work around?
------------------------------
Coming soon to Lulu.com --Tokusatsu Heroes--
Five teenagers, one alien ghost, a robot, and the fate of the world.
DasHellMutt
January 21, 2010 at 6:01pm
No, you misread. This was discovered by the same engineer who discovered the flaw in IE that was one of the vectors of attack in the google incident. This "new" flaw is not known to have ever been exploited.
Biceps
January 21, 2010 at 3:33pm
If, for even only 5% of the users, the only work around is to not use their most critical programs (believe me there are plenty of organizations still running 16-bit apps), then I'm not sure it can really be called a workaround.
nekollx
January 21, 2010 at 3:36pm
a good question
is it better to be vulnerable but unaware (vs something already exploited once) or protected but non productive?
------------------------------
Coming soon to Lulu.com --Tokusatsu Heroes--
Five teenagers, one alien ghost, a robot, and the fate of the world.
Biceps
January 21, 2010 at 4:48pm
That would depend what kind of information you keep on your systems, I suppose. If you have customer data, credit card info, ssn's, obviously you have to block 16-bit apps, regardless of impacts on productivity.
nekollx
January 21, 2010 at 5:03pm
actually if they want to be PCI compliant they can't store credit card info. Honestly i don't know what deal newegg cut so they could but normal companies cant have credit card info accessible via the internet
------------------------------
Coming soon to Lulu.com --Tokusatsu Heroes--
Five teenagers, one alien ghost, a robot, and the fate of the world.
dreamsburnred
January 21, 2010 at 2:03pm
I know toshiba has TONS of 16-bit software for its XP software. SD card manger, bluetooth, power saver...etc etc.
Hoster of http://canadiantechblogger.com
Connect with MaximumPC
Featured Content
The gang discusses the GTX 690, Trinity, Ivy Bridge, Amazon, big-box stores, MMOs,...
This month's issue
Feature
Build a PC On Any Budget
Feature
Cloud Services Showdown
How-To
Encrypt Your External Drive
Build It
Upgrade an X58 Rig
Most Commented Articles
Latest Max PC Tweets
- maximumpc: Original RickRoll Video Returns to YouTube After 24-Hour Copyright Hiatus http://t.co/MaH9Sxyy1 day 20 hours ago
- maximumpc: Corsair has decided not to go forward with its $78 million IPO, citing weak equity market conditions http://t.co/A5a4DAzj1 day 20 hours ago
- maximumpc: Want to work at Maximum PC? Our Online Managing Editor, Alex, is moving away, so we need a new one. http://t.co/9Z7JCh0E3 days 17 hours ago
