New Microsoft Advisory: Vulnerability in Windows Kernel Privilege Escalation (CVE-2010-0232)

Published: 2010-01-21. Last Updated: 2010-01-21 01:03:17 UTC
by Johannes Ullrich (Version: 1)

Yesterday, we reported on a new Windows Kernel vulnerability [1]. The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7) unless 16-bit application support is disabled. If exploited, the vulnerability will lead to privilege escalation.

Today, Microsoft released an official response in the form of a Security Advisory [2]. The advisory (KB Article 979682) states that Microsoft is investigating the report, and is not aware of any use of the vulnerability in current exploits.

According to Microsoft's list of vulnerable and non-vulnerable systems, 64-bit versions of Windows are not vulnerable, but 32-bit versions are. In part this is because 64-bit versions of Windows do not include the vulnerable feature (16-bit compatibility).

The workaround outlined by Microsoft matches the workaround proposed in the advisory: disable access to 16-bit applications. This should work well for the vast majority of systems. But be aware that there is a reason for this feature: some old (very old) applications do require 16-bit support. This may in particular affect old custom software and support for odd hardware configurations. A standard office desktop should not require any 16-bit applications. As always: test first.
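One way to audit and apply this workaround on a single host, as an added example that is not part of the diary or of Microsoft's advisory text. It assumes the Group Policy setting "Prevent access to 16-bit applications" is stored as the DWORD `VDMDisallowed` under the machine AppCompat policy key; the function names are hypothetical.

```powershell
# Added example, not from the diary or Microsoft's advisory text.
# Assumption: the Group Policy setting "Prevent access to 16-bit applications"
# is stored as DWORD VDMDisallowed under the machine AppCompat policy key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-SixteenBitWorkaroundState {
    # A 32-bit process on 64-bit Windows sees PROCESSOR_ARCHITEW6432 set.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -match '64') -or
            [bool]$env:PROCESSOR_ARCHITEW6432

    # Read the policy value; a missing key or value means "not configured".
    $value = $null
    $item  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($item) { $value = $item.$PolicyName }

    if ($is64)            { $state = 'NotAffected (64-bit Windows, no 16-bit subsystem)' }
    elseif ($value -eq 1) { $state = 'WorkaroundApplied' }
    else                  { $state = 'Exposed (16-bit applications allowed)' }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Is64BitOS     = $is64
        VDMDisallowed = $value
        State         = $state
    }
}

function Enable-SixteenBitWorkaround {
    # Requires an elevated session. Test on a pilot group first: legacy
    # 16-bit software stops launching once this is set.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Report the current state of this machine.
Get-SixteenBitWorkaroundState | Format-List
```

The check reads only the machine-wide policy key; a domain Group Policy that manages the same setting will overwrite a locally written value at the next policy refresh.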

The CVE number CVE-2010-0232 has been assigned to this issue [3].

[1] http://isc.sans.org/diary.html?storyid=8023
[2] http://www.microsoft.com/technet/security/advisory/979682.mspx
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232 (not live yet as of this writing)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Comments

For the love of god, isn't it time MS stopped supporting this old crap? Yes, they're scared of losing customers but they're just as likely to lose them with stuff like this - fixing holes in 20 year old code!
Not everyone has thousands of dollars to replace their software. We still use Autocad R13 (16-bit) for CAD drawings because the company doesn't want to spend $2000 a PC to replace R13 with 2009.
Ditto here. We still use an old version of Ultra Master for control of drive motor servos on one of our printing presses here at work. Cost outweighs the need to stay up to date. Having to support an old Windows 95 machine. It's on a seg'd network with only specific TCP access in/out for exactly what we need.
Correction: Win 3.11 ... what was I thinking.