Researcher Finds 17 Year-Old Windows Vulnerability…in MS-DOS


Security researchers—and, of course, cybercriminals, attachers, and maybe even governments—are always looking for new ways to break into Microsoft Windows, since it’s long-established itself and the lowest common denominator of operating systems. Sometimes, these research efforts uncover bugs that have been round for a long time, but Google security engineer Tavis Ormandy may have taken the cake: he found a security hole in Windows that’s so old it could be graduating from high school this year.

The bug impacts all versions of Windows from the brand-new Windows 7 all the way back to Windows NT 3.1, which originally shipped in 1993. The issue is in the Virtual DOS Machine used to support 16-bit applications originally implemented to support MS-DOS applications and 16-bit applications from Windows 3.1 days; according to Ormandy’s findings, the Virtual DOS machine can be exploited to enabled unprivileged 16-bit programs to manipulate kernel stacks so attackers could get their own code executed at system privilege levels. In theory, this could let attackers take over the computer and do anything they like. And, yes, the problem has been there for 17 years.

In a security advisory, Microsoft says it is not aware of any attacks that exploit the vulnerability, and Windows users are believed to be at low risk. However, users who are concerned can disable their system’s MSDOS and WOWEXEC subsystems (which correspond to CMDLINE and WOWCMDLINE services) to block the problem—at least, provided they don’t need to use any 16-bit applications.

Microsoft hasn’t made any statement on when it plans to release a patch; however, Microsoft is already planning on a record patch Tuesday for February 2010, with 13 security issues set to be shored up.