January 20, 2010, 2:41 PM — One of the reasons I've never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there's a 17-year old security hole that's been in Windows since NT and it's still present today in Windows 7.
Wow. Even I'm shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows' foundation is built on sand and not on the stone of good, solid design.
Tavis Ormandy, a Google security engineer, uncovered this new 'old' hole while digging around Windows. Ormandy found that way back in 1993 in Windows NT that Windows included a 'feature' to support BIOS service routines in legacy Windows 16bit applications.
Think about that for a moment this 'feature' was put in to support software that was already out of date in 1993. Guess what? It's been in every version of Windows since then up to, and including, Windows 7. Honestly, is there anyone on Earth who's running Windows 3.1 applications on Windows 7? Or, Vista? Or, XP... you get the idea.
Be that as it may, the code's still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that's totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.
A security company called Immunity has already released an add-on to its program Canvass that can be used to show if your computer is vulnerable to attacks using this method. You don't need to worry with that though. If you're running 32-bit Windows, congratulations, you can be successfully attacked.
The important point about Immunity's work is that if they can build a test that demonstrates the problem, a criminal hacker can build a program that will exploit it. It's only a matter of time.
There's no patch for this. You can, however, block it by switching off your computer's MSDOS and WOWEXEC subsystems. Unless you're running pre-historic 16-bit MS-DOS or Windows programs you won't see any problems.
How you do this varies from one version of Windows to another. The basic idea though is always the same: you want to turn off two services: CMDLINE, for MS-DOS applications, and WOWCMDLINE for 16-bit Windows programs.
In Windows XP, you do this by running the Registry Editor (Regedt32.exe) from Window's Run command. Before doing this though, or making any other change to a Windows registry, you should make a backup of the registry. That done, get regedt running, and head over to the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
Once there, find the CMDLINE and WOWCMDLINE items and right click on them. This will give you the option to edit their value. Choose this and add a character in front of their values. You could, of course, just delete them, but this way, if for some reason, you ever do need to run an obsolete program you can just zap the character and they'll be back and ready to go. These are dynamic changes so once you've exited regedt you won't need to reboot your computer for the changes to take effect.
Congratulations. You're now immune to attacks using the latest, but oldest, Windows security hole.
