
Elevation of privilege vulnerability has existed exclusively on 32-bit Windows versions since Windows 3.1

Usually Microsoft is a pretty quick patcher.  With over a billion users of Windows operating systems, both new and old worldwide, Microsoft is under tremendous pressure to patch security flaws in all of its current and past operating systems.

However, every now and then one slips through the cracks.  That appears to be the case with a flaw in the Virtual DOS Machine (or VDM), the subsystem used to support 16-bit applications.  The flaw in the VDM could allow a user to alter the kernel stack of processes, letting them run code with system-level privileges.  The attack therefore falls into the "elevation of privilege" (EoP) class.

The flaw has been around since the release of Windows NT 3.1 in 1993.  It continues to exist in all 32-bit versions of Windows to date.  It does not exist in 64-bit versions of Windows.  Surprisingly, Microsoft claims that there have been no known attacks in the wild exploiting the flaw.

After being called out by some security blogs, Microsoft has now issued a security advisory -- Microsoft Security Advisory (979682) -- on the topic.  It says it is working on a patch or update to fix the problem.

Jerry Bryant, Microsoft Security Program Manager, confirmed the relatively straightforward steps it would take to exploit the flaw for malicious use, writing:

To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.

Until the problem is fixed, Microsoft recommends that customers who do not need the NT Virtual DOS Machine (NTVDM) or support for 16-bit applications disable the NTVDM subsystem, blocking any potential attacks.  Detailed instructions on how to do this can be found in the previously linked security advisory.
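As an added example (not from the article or from Microsoft's advisory), the following PowerShell script audits a host for the NTVDM workaround described above and can apply it. It assumes the policy value that the "Prevent access to 16-bit applications" Group Policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, VDMDisallowed = 1); that registry location is an assumption here, not something the article states.

```powershell
# Added example: audit/apply the "disable NTVDM" workaround on 32-bit Windows.
# Assumed policy location (matches the "Prevent access to 16-bit applications"
# Group Policy setting); verify against the advisory for your environment.
param([switch]$Apply)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-OsBitness {
    # PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows
    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432) { 64 } else { 32 }
}

function Test-NtvdmDisabled {
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$PolicyName -eq 1)
}

if ((Get-OsBitness) -eq 64) {
    Write-Output 'x64 Windows: NTVDM is not present, host is not affected.'
    return
}

# 32-bit host: report the policy state and any 16-bit code currently running
$running = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)
Write-Output ("NTVDM disabled by policy : {0}" -f (Test-NtvdmDisabled))
Write-Output ("ntvdm.exe instances      : {0}" -f $running.Count)
foreach ($p in $running) {
    Write-Output ("  PID {0} started {1}" -f $p.Id, $p.StartTime)
}

if ($Apply -and -not (Test-NtvdmDisabled)) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    Write-Output 'Policy set: 16-bit applications are blocked for new launches.'
}
```

Run without -Apply from an elevated prompt to inventory a fleet before deciding which hosts actually need 16-bit support; already-running ntvdm.exe instances are not terminated by the policy.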

Most of the security attention surrounding Microsoft has been recently focused on a major hole in Internet Explorer, which allowed Chinese cyber attackers to steal data from Google, Adobe and others.




I hope they don't fix it
By dgingeri on 1/21/2010 10:32:51 AM , Rating: 2
This has been a tool I've used all through my career in computer support.

In one particular case, I have a user who edits something that came as an attachment in Outlook, but they just hit "Save" instead of "Save as" to put it elsewhere. So, the file they just edited is sitting in the Outlook temp folder. Well, through Explorer, you can't get to it because it is under the Temporary Internet Files folder. So, what I do is go to the command prompt, cd to the necessary folder, then use "start ."; it opens the right window, and I can rescue the file. (I've done this many times over the years.)

This is just one example. As a support tech, this is something that I use to do my job. There need to be little loopholes sometimes so that fixes can be done.




RE: I hope they don't fix it
By Motoman on 1/21/2010 10:41:53 AM , Rating: 3
...or you can "show hidden files and folders" and you see it in Windows Explorer.


RE: I hope they don't fix it
By Devo2007 on 1/21/2010 12:14:00 PM , Rating: 2
Actually, the location of Outlook's temp files isn't accessible in Windows Explorer even if "Show Hidden Files" is selected.

I'd see this if people kept receiving attachments labelled "document.pdf" for example. After 99 of them are saved, Outlook freaks out. The only solution is to find out what the temp folder is (c:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\OLK###) and go from there. That OLK folder doesn't show up in Explorer, and without knowing the 3 numbers added to the folder name, you can't open it without a command prompt.


RE: I hope they don't fix it
By MrFord on 1/21/2010 2:27:37 PM , Rating: 4
Or you go again in Outlook, hit Save As on the same attachment, and generally the Save As window will point right to the OLKXXX folder. Right-click on the file you want to get and select Open. You'll probably have to hit Cancel on the window before Word/Excel/Acrobat/etc. opens your document, but it does work.

I saved many people's works that way in the past couple years. But it's still fun to see their face when you tell them they just lost 3 hours of work, then tell them that you're just kidding. Works every time.


RE: I hope they don't fix it
By Motoman on 1/21/2010 3:07:24 PM , Rating: 2
You're a mean one, Mr. Grinch.


RE: I hope they don't fix it
By chick0n on 1/21/2010 9:51:01 PM , Rating: 2
You failed.




RE: I hope they don't fix it
By Smilin on 1/21/2010 11:07:11 AM , Rating: 5
I worry for your users a bit.

What do you mean you hope they don't fix it? You know the "loophole" you just described has absolutely nothing at all to do with this vulnerability.

The NTVDM does not launch for a CMD prompt.

Furthermore you really did things the hard way. Even if a folder is hidden you can jump directly to it in explorer by typing the path in the address bar. Better yet for some folders you can just jump to their environment variable ie Start | Run | %temp%. There is also a good chance your user's file was sitting in the "recent documents" on the start menu.


RE: I hope they don't fix it
By dgingeri on 1/21/2010 2:21:06 PM , Rating: 2
This is 2 points:

1. Yes, it is part of this vulnerability because Explorer blocks the view of Temporary Internet Files for any user interface. The command prompt elevates the file and directory listing to a complete, unfiltered view. This is an aspect of the vulnerability. If you ever bring up cmd.exe, open Process Explorer, then end ntvdm.exe, it will close the cmd.exe process as well.

2. Yes, you could type in the full path if you know it. The final folder is named OLK with some random 1-3 digit number after it, and it is under a filtered folder "Temporary Internet Files". That is easier to know if you go through the command prompt and use "dir". I can get to this easier and faster through the command prompt than you can with Explorer. How do I know this for certain? You can't get to it from Explorer. You'd have to know it beforehand, which is also impossible unless you've already seen it from the command prompt.

Also, files edited in this way never appear in the "Recent Files" section because they are hidden by Explorer. It will list it, but if you try to access it, it won't come up, and it will simply say for the path "C:\Documents and Settings\%username%\Temporary Internet Files\doc.docx"


RE: I hope they don't fix it
By johnsonx on 1/21/2010 3:59:04 PM , Rating: 1
dgingeri, please stop. You're embarrassing yourself.


RE: I hope they don't fix it
By fangwoo on 1/25/2010 5:51:06 PM , Rating: 2

1) Show hidden files and folders.
2) Navigate to Temporary Internet Files.
3) Open it and notice how it's got a bunch of crap in it and not the folders you want.
4) In the address bar, after the last backslash, add "desktop.ini" and press Enter.
5) Notepad opens; select all, delete it, save.
6) Refresh Explorer and you can now see the hidden folders.


RE: I hope they don't fix it
By MrFord on 1/21/2010 2:30:20 PM , Rating: 2
quote:
The NTVDM does not launch for a CMD prompt.


It does. What you're thinking of is command. This one doesn't use NTVDM as far as I know, since it's the MS-DOS command line, and not the NT command line. Used to work, at least in Windows 2000, maybe XP?


RE: I hope they don't fix it
By BikeDude on 1/21/2010 6:45:17 PM , Rating: 2
The other way around MrFord.

command.com is the 16-bit command line interpreter and executing this will make ntvdm.exe jump into action. You won't find command.com on a 64-bit Windows installation. (but you will certainly find command.com as part of any 16-bit MS-DOS OS)

cmd.exe is a Win32 executable. It has absolutely nothing to do with ntvdm.exe. Go ahead, launch it now if you do not believe me. cmd.exe IS part of a standard 64-bit Windows installation.


RE: I hope they don't fix it
By johnsonx on 1/21/2010 11:13:48 AM , Rating: 3
It's hard to imagine you actually think what you described is even REMOTELY related to the security flaw the article is talking about. However, it's clear you think yourself quite clever, so perhaps you really do imagine you've been exploiting a little known security hole all these years. You're quite the l33t hax0r, aren't you?


RE: I hope they don't fix it
By VooDooAddict on 1/21/2010 11:19:33 AM , Rating: 2
Not even getting into the other ways to do this task...

Runtime vulnerabilities should be fixed, period.

There are non-vulnerability ways to do things, and if they aren't user friendly, write a simple application to make them user friendly.


RE: I hope they don't fix it
By dgingeri on 1/21/2010 2:28:57 PM , Rating: 2
The problem is that most software engineers don't know how to write a simple program. They "wallow in complexity" as the current American educational system pushes them to do, then screw everything up because their programs are more complex than they should be.

If they were to keep things simple, then the software industry might actually make some headway instead of having to spend more money fixing issues with current programs than developing better software for future releases.


RE: I hope they don't fix it
By Spookster on 1/21/2010 5:12:57 PM , Rating: 4
quote:
by dgingeri on January 21, 2010 at 2:28 PM

The problem is that most software engineers don't know how to write a simple program. They "wallow in complexity" as the current American educational system pushes them to do, then screw everything up because their programs are more complex than they should be.

If they were to keep things simple, then the software industry might actually make some headway instead of having to spend more money fixing issues with current programs than developing better software for future releases.


I'm a software engineer. Is this simple enough for you?

#include <stdio.h>

int main(void)
{
    printf("You're an idiot\n");
    return 0;
}

Or try this. Paste it into your browser address bar:

javascript:alert("You're an idiot");


RE: I hope they don't fix it
By johnsonx on 1/21/2010 7:39:47 PM , Rating: 2
oh OUCH.




Lawsuit
By bradmshannon on 1/21/10, Rating: 0
RE: Lawsuit
By Lonyo on 1/21/2010 10:26:46 AM , Rating: 5
And then have MS sue Adobe for vulnerabilities which have caused harm to their business?


RE: Lawsuit
By bradmshannon on 1/21/2010 10:30:28 AM , Rating: 2
Ya, I know. Interesting thought like I said. I really hope that sort of thing isn't possible or we will be hearing about it daily!


RE: Lawsuit
By mmntech on 1/21/10, Rating: 0
RE: Lawsuit
By HrilL on 1/21/2010 4:46:27 PM , Rating: 2
Adobe had an update out before Snow Leopard was released. Apple was at fault for not using the latest version. When people upgraded to Snow Leopard it would downgrade their Flash to an older version. While Adobe does seem to make some buggy apps, your example is wrong because it was not their fault Apple used an older version.


RE: Lawsuit
By jwdR1 on 1/21/2010 10:31:35 AM , Rating: 3
*#%@#! I knew I should have become a lawyer! It wouldn't matter which side I was on, I'd make a killing!


RE: Lawsuit
By dgingeri on 1/21/2010 10:33:45 AM , Rating: 5
Therein lies the biggest problem in the country.


RE: Lawsuit
By ClownPuncher on 1/21/2010 11:33:26 AM , Rating: 2
I thought the largest problem was illegal immigration, drugs, capitalism, communism, china, russia, EU, recession, wall street, unions, corporations, taxes, people, video games, farming subsidies, environmentalists, industrialists, outsourcing, H1B's, television and David Hasselhoff's drinking problem?


RE: Lawsuit
By thefrozentin on 1/21/2010 1:07:19 PM , Rating: 2
You forgot Tiger Woods.


RE: Lawsuit
By ClownPuncher on 1/21/2010 4:05:52 PM , Rating: 2
I consider him a help rather than a hindrance, I mean his wife is available now, right? :)


RE: Lawsuit
By Motoman on 1/21/2010 10:41:13 AM , Rating: 3
No, having worked in the software industry for the past 14 years, I can tell you categorically that every software contract in the world has wording that specifically absolves the vendor of any such responsibility.

In fact, they all have clauses about "fitness for a particular purpose" - in that the vendor makes no claim or assertion that the software you're buying is particularly fit for what you want to do with it. Which more or less absolves the vendor of responsibility for even having to abide by the notion that a word processor should process words.

Welcome to legaltopia.


RE: Lawsuit
By damianrobertjones on 1/21/2010 3:15:55 PM , Rating: 3
Or... MS could turn around and say, "Well, you could have UPDATED YOUR DAMN PCs!"


It never ends with DT...
By iFX on 1/21/2010 1:03:03 PM , Rating: 1
How more misleading can you get?

This quote speaks for itself. This is NOT news.

quote:
To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system.




RE: It never ends with DT...
By wrekd on 1/21/2010 2:29:32 PM , Rating: 2
Yeah, you have to have an account. But you don't want everyone to have full read/write access to everything on your system. So we have privilege levels like guest, user, administrator, and domain administrator.

This exploit circumvents the privilege level and is very much newsworthy.


RE: It never ends with DT...
By iFX on 1/21/2010 5:46:50 PM , Rating: 1
Local accounts only, which most are already wide open because of dumb users.

Domain accounts, forget it, not going to happen. This exploit, if you can call it that, is NOT news.


RE: It never ends with DT...
By gstrickler on 1/22/2010 3:22:34 AM , Rating: 2
Wrong, read my reply to your other post and re-read the bulletin. It affects any account that can log into that computer, including domain users.


RE: It never ends with DT...
By Egglick on 1/21/2010 2:51:04 PM , Rating: 2
Any exploit that has existed for 17 years, across numerous consumer and business operating systems, is in fact NEWS, simply based on the duration and scope.


RE: It never ends with DT...
By damianrobertjones on 1/21/2010 3:17:26 PM , Rating: 2
How come it took this long to report it then? :)


RE: It never ends with DT...
By iFX on 1/21/2010 5:49:05 PM , Rating: 2
I guess if you don't understand how it works it probably sounds big and scary. I mean, you can pretty much toss out 85% of XP machines because they are on a domain and don't use local accounts. The rest of them are already wide open because users don't secure them and this "exploit" would never be needed.


RE: It never ends with DT...
By gstrickler on 1/22/2010 3:17:41 AM , Rating: 2
First, the vulnerability does NOT require a local account, it requires the ability to log on locally, which is not the same thing. Domain users have that permission or they wouldn't be able to use their computers.

Second, a domain user is a user of the machine when logged on. Joining a domain adds "Domain Users" to the local "Users" group, which makes that domain user a what? That's right, a local user. That should not be confused with a local (or more accurately locally managed) user account.


I don't understand..
By goku on 1/21/2010 7:32:41 PM , Rating: 2
If this flaw is 17 years old, why does the Microsoft page not mention Windows NT in the list of OS' that are affected? Where is my patch for these operating systems??




RE: I don't understand..
By gstrickler on 1/22/2010 3:18:56 AM , Rating: 2
Because NT is no longer in extended support. NT 4 and earlier are no longer supported.


fishy
By Ben on 1/21/2010 10:22:15 PM , Rating: 2
Why does this smell of "upgrade to Windows 7 or else"?

Microsoft has known about this all this time and said or done nothing?

Now they practically release instructions on how to exploit it?

Please...




RE: fishy
By gstrickler on 1/22/2010 3:20:51 AM , Rating: 2
Who said they've "known about it for all this time"? All what time? For how long?

That it's existed for 17 years doesn't mean it's been known for 17 years.


Copyright 2012 DailyTech LLC.