A critical vulnerability that was introduced some 17 years ago with Windows NT has finally been exposed.
According to a post at Neohapsis, the hole in Windows' Virtual DOS Machine allows users with restricted access to change their privileges to system level. The flaw affects all 32-bit versions of Windows from Windows NT 3.1 to Windows 7. Virtual DOS Machine (VDM) was introduced with Windows NT in July 1993 to support 16-bit applications.
It's a serious problem. What is equally serious is that Microsoft was informed about the vulnerability on 12th June 2009. Receipt of the report was confirmed on 22nd June 2009, according to the poster, one Tavis Ormandy, who happens to work at Google.
"Regrettably," writes Ormandy, "no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals."
Ormandy tried a sample exploit that he was able to run on Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7.
Temporarily disabling the MSDOS and WOWEXEC subsystems will apparently prevent the attack from working. The policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications, Ormandy writes.
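One way to audit and apply that workaround, as an added PowerShell example that is not part of the article or of Ormandy's advisory. It assumes the "Prevent access to 16-bit applications" template writes the DWORD value VDMDisallowed=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, that it runs elevated on PowerShell 3 or later, and that the GPO name is a placeholder.

```powershell
# Added example (not from the article): audit and apply the policy Ormandy names as the workaround.
# Assumption: the policy template writes VDMDisallowed=1 (DWORD) under the AppCompat policies key.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyValue = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Reports whether this host is in scope (32-bit Windows, which carries NTVDM)
    # and whether the workaround policy is already in force.
    $is64    = [Environment]::Is64BitOperatingSystem
    $current = $null
    if (Test-Path $PolicyKey) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Is32BitWindows      = -not $is64      # 64-bit Windows has no NTVDM, so it is out of scope
        Policy16BitDisabled = ($current -eq 1)
        RawValue            = $current
    }
}

function Set-VdmPolicy {
    # Enables the workaround locally, creating the policy key if it does not exist yet.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
    Get-VdmPolicyState
}

function Set-VdmPolicyViaGpo {
    # Domain-wide variant for the advisory's stated audience: push the same value through a GPO.
    # Requires the GroupPolicy module (RSAT); the GPO name below is a placeholder.
    param([string]$GpoName = 'VDM Workaround (placeholder)')
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat' `
        -ValueName $PolicyValue -Type DWord -Value 1 | Out-Null
}

# Local run: warn and remediate only where the host is actually exposed.
$state = Get-VdmPolicyState
if ($state.Is32BitWindows -and -not $state.Policy16BitDisabled) {
    Write-Warning "$($state.Computer): 32-bit Windows with 16-bit applications still allowed; applying workaround."
    Set-VdmPolicy | Format-List
} else {
    $state | Format-List
}
```

The policy value takes effect for new 16-bit launches; existing NTVDM sessions are not terminated, so a reboot or logoff is the conservative follow-up.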
Microsoft has confirmed the long-standing vulnerability here.