nsane.forums (Posted January 20, 2010): A hole in the code for processing 16-bit programs allows users with restricted access to escalate their privileges to system level. Affected are Windows NT 3.1 up to Windows 7. No update is yet available. View: Original Article
Administrator DKT27 (Posted January 20, 2010): Somehow this makes me feel that my PC is infected by it. Many times ntldr.exe or a similar process starts running suddenly, whereas I don't have any 16-bit software installed. And there's no way I'm able to locate that process. :(
Atasas (Posted January 20, 2010): ^ Try http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx or http://process-manager.en.softonic.com/
DreamHaters (Posted January 20, 2010): The title made me laugh...
Administrator DKT27 (Posted January 20, 2010): No, neither process manager, process explorer nor task manager with prio shows it.
shajt (Posted January 20, 2010): Interesting <_<
Night Owl (Posted January 20, 2010): I'm running Windows 7 Ultimate 64-bit, so no 16-bit processes can run on my PC. Proof
*dcs18 (Posted January 20, 2010): Quoting DreamHaters: "The title made me laugh..." Yeah, it brought me into this thread.
HX1 (Posted January 20, 2010): Quoting DKT27: "Somehow this makes me feel that my PC is infected by it. Many times ntldr.exe or a similar process starts running suddenly, whereas I don't have any 16-bit software installed. And there's no way I'm able to locate that process. :(" Did you go to the original article and add the registry entry? There is a fix..
Administrator DKT27 (Posted January 20, 2010): Well, I missed that one. :blink: Done. Let's see if it starts again.
HX1 (Posted January 20, 2010): I found two conflicting bits about the particular EXE.. http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotgs.html You may want to look around at some of the others which are using the same name and identified as.. On the other hand.. http://en.wikipedia.org/wiki/NTLDR I could be wrong, but I don't think it is supposed to be running while you're operating your PC.. So something else could be wrong, or you may have remnants of an infection.
Administrator DKT27 (Posted January 20, 2010): Oops, I think I mixed it all up. I wrote a boot component's name instead of the file that allows 16-bit programs to run on a 32-bit PC. :frusty: No, ntldr is not the name. It's something else.
HX1 (Posted January 20, 2010): Maybe wowexec.exe running under another EXE file.. but tabbed or indented slightly over.. If so, this is a typical process of Windows XP which helps in optimizing programs which run/operate areas of the OS.. seldom, but it does happen.. Best thing to do is allow it to do its thing and finish on its own..
Administrator DKT27 (Posted January 20, 2010): Bingo, it's wowexec.exe. And yes, it's tabbed or indented slightly over. So there is no need to worry. :think:
Bizarre™ (Posted January 20, 2010): 16-bit in Windows 7... :lmao:
Night Owl (Posted January 20, 2010): Quoting Bizarre™: "16-bit in Windows 7... :lmao:" 16-bit applications can run in Windows 7 32-bit. 16-bit applications cannot run in Windows 7 64-bit, because there is no 16-bit subsystem.
Bizarre™ (Posted January 21, 2010): @Night Owl: I know. It's just that 16-bit programs are on the verge of extinction ^_^
implague (Posted January 22, 2010): Ohh S**t, I have been F***ed for many years :frusty: :frusty: :frusty: :frusty: :frusty: :frusty:
humble3d (Posted January 22, 2010): Here is the non-guru version: :frusty:

Microsoft confirms 17-year-old Windows vulnerability

One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.

According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.

"As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals."

Ormandy's advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group Policy. The mitigation in Microsoft's advisory mirrors the advice from Ormandy.

"If you believe you may be affected, you should consider applying the workaround described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx"

MORE & SOURCES:
http://blogs.zdnet.com/security/?p=5307&tag=nl.e589
http://seclists.org/fulldisclosure/2010/Jan/341
http://www.microsoft.com/technet/security/advisory/979682.mspx ;)
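Added here as an example, not code from the thread, the ZDNet article, Microsoft's advisory or Ormandy's post: a PowerShell check for a 32-bit Windows host that reports whether the "Prevent access to 16-bit applications" workaround quoted above is in place, optionally sets it, and lists running NTVDM instances (the wowexec.exe DKT27 was chasing lives inside ntvdm.exe). It assumes that policy is backed by the VDMDisallowed DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, a value the thread itself does not name.

```powershell
# Added example: audit (and with -Apply, set) the 16-bit application block.
# Assumption: "Prevent access to 16-bit applications" writes
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1 (DWORD).
# Run from an elevated PowerShell prompt when using -Apply.
param([switch]$Apply)

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$name = 'VDMDisallowed'

# x64 Windows ships no NTVDM, so there is nothing to mitigate there
# (matches the advisory: x64 and Itanium are not affected).
if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432) {
    Write-Output 'x64 host: no 16-bit subsystem present, workaround not needed.'
    return
}

# Report any live 16-bit sessions; wowexec.exe runs inside an ntvdm.exe host.
$vdm = Get-Process -Name ntvdm -ErrorAction SilentlyContinue
if ($vdm) {
    Write-Output ('Running NTVDM instances (PIDs): ' + (($vdm | ForEach-Object { $_.Id }) -join ', '))
} else {
    Write-Output 'No ntvdm.exe currently running.'
}

# Read the current policy value; missing key or value means 16-bit apps are allowed.
$current = $null
if (Test-Path $key) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

if ($current -eq 1) {
    Write-Output "$name = 1: unprivileged users cannot start 16-bit applications (workaround in place)."
} else {
    Write-Output "$name not set: NTVDM is still reachable by unprivileged users."
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        Write-Output "Set $name = 1. Existing 16-bit sessions keep running until they exit."
    } else {
        Write-Output 'Re-run with -Apply (elevated) to set the value.'
    }
}
```

Clearing the workaround later, once a patch is installed, is a matter of removing the same value; the block reports, it does not decide that for you.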