Jump to content

Windows hole discovered after 17 years


nsane.forums

Recommended Posts

A hole in the code for processing 16-bit programs allows users with restricted access to escalate their privileges to system level. Affected are Windows NT 3.1 up to Windows 7. No update is yet available

view.gif View: Original Article

Link to comment
Share on other sites


  • Replies 18
  • Views 1.6k
  • Created
  • Last Reply
  • Administrator

Somehow this makes me feel that my PC is infected by it.

Many times ntldr.exe or similar process starts running suddenly where as I don't have a 16bit software installed. And there's no way I'm able to locate that process. :(

Link to comment
Share on other sites


  • Administrator

No, process manager, process explorer nor task manager with prio shows it.

Link to comment
Share on other sites


Somehow this makes me feel that my PC is infected by it.

Many times ntldr.exe or similar process starts running suddenly where as I don't have a 16bit software installed. And there's no way I'm able to locate that process. :(

Did you go to the original article and add the registry entry? There is a fix..

Link to comment
Share on other sites


  • Administrator

Well I missed that one. :blink:

Done. Lets see if it starts again.

Link to comment
Share on other sites


I found two conflicting bits about the particular EXE..

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotgs.html

May want to look around at some of the others which are sing the same name and identified as..on the other hand..

http://en.wikipedia.org/wiki/NTLDR

I could be wrong but I don't think it is supposed to be running while your operating your PC.. So something else could be wrong or you may have remnants of an infection.

Link to comment
Share on other sites


  • Administrator

Ops I think I mixed it all. I wrote a boot component's name instead of a file that allows 16bit programs to run on 32bit PC. :frusty:

No ntldr is not the name. It's something else.

Link to comment
Share on other sites


Maybe wowexec.exe running under another EXE file.. but Tabbed or indented slightly over.. IF so this is a typical process of Windows XP which helps in optimizing programs which run run/operate areas of the OS.. seldom but does happen.. Best thing to do is allow it to do ts thing and finish on its own..

Link to comment
Share on other sites


  • Administrator

Bingo it's wowexec.exe. And yes its Tabbed or indented slightly over. So there is no need to worry. :think:

Link to comment
Share on other sites


16-bit in Windows 7... :lmao:

16-bit applications can run in Windows 7 32-bit.

16-bit applications cannot run in Windows 7 64-bit, because there is no 16-bit subsystem.

Link to comment
Share on other sites


Ohh S**t i have been F***ed for many Years :frusty: :frusty: :frusty: :frusty: :frusty: :frusty:

Link to comment
Share on other sites


Here is the non-guru version: :frusty:

Microsoft confirms 17-year-old Windows vulnerability

One day after a Google security researcher released code to expose a flaw that affects

every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including

Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and

warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code

in kernel mode. For an attack to be successful, the attacker must have valid logon

credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based

computers, Microsoft said.

According to Tavis Ormandy, the Google researcher who released the flaw details,

Microsoft was notified about the issue in June 2009. After waiting several months and not

seeing a patch, he decided it was in the best interest of everyone to go public.

As an effective and easy to deploy workaround is available, I have concluded that it is in the

best interest of users to go ahead with the publication of this document without an official

patch. It should be noted that very few users rely on NT security, the primary audience of

this advisory is expected to be domain administrators and security professionals.

Ormandy’s advisory includes instructions for temporarily disabling the MSDOS and

WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group

Policy.

The mitigation in Microsoft’s advisory mirrors the advice from Ormandy.

If you believe you may be affected, you should consider applying the workaround

described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack

from functioning, as without a process with VdmAllowed, it is not possible to

access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent

access to 16-bit applications" may be used within the group policy editor to

prevent unprivileged users from executing 16-bit applications. I'm informed

this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below

instructive. Further information is available from the Windows Server

Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

MORE & SOURCES:

http://blogs.zdnet.com/security/?p=5307&tag=nl.e589

http://seclists.org/fulldisclosure/2010/Jan/341

http://www.microsoft.com/technet/security/advisory/979682.mspx

;)

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...