Windows Privilege Escalation Bug
2010-01-20
Tavis Ormandy, a security researcher at Google, has posted the details of a previously unknown vulnerability that allows untrusted users to take complete control of systems running most versions of Microsoft Windows.
Dan Goodin of The Register writes that the vulnerability resides in a feature known as the Virtual DOS Machine (VDM), which Microsoft introduced in 1993 with Windows NT. Using code written for the VDM, an unprivileged user can inject code of their choosing directly into the system's kernel, making it possible to change highly sensitive parts of the operating system.
A Full-Disclosure posting published by Ormandy states that the vulnerability exists in all 32-bit versions of Microsoft operating systems released since 1993, and that proof-of-concept code works on the XP, Server 2003, Vista, Server 2008 and 7 versions of Windows. Ormandy also stated that the security hole can be easily closed by turning off the MSDOS and WOWEXEC subsystems.
Ormandy stated that he informed Microsoft security employees of the vulnerability in June, but "Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch."