January 21, 2010, 10:10 AM — Microsoft late yesterday issued its second advisory of the last week, warning users that a 17-year-old bug in the kernel of all 32-bit versions of Windows could be used by hackers to hijack PCs.
The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed Tuesday by Google engineer Tavis Ormandy on the Full Disclosure security mailing list. Coincidentally, Ormandy received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday.
The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft's first fully 32-bit operating system. VDM allows Windows NT and later to run DOS and 16-bit Windows software.
Yesterday's advisory spelled out the affected software -- all 32-bit editions of Windows, including Windows 7 -- and told users how to disable VDM as a workaround. Windows' 64-bit versions are not vulnerable to attack.
It was Microsoft's second advisory in seven days; last week, the company posted a warning of a critical flaw in Internet Explorer after Google said its corporate computers had been hacked by Chinese attackers. That bug is to be patched later today .
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," said the newest advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Jerry Bryant, a program manager with the Microsoft Security Response Center (MSRC), said that the company had not seen any actual attacks using the vulnerability, and also downplayed the threat if hackers do exploit the flaw. "To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system," Bryant said in an e-mail.
Typically, Microsoft ranks this kind of vulnerability -- which it classified as an elevation of privilege flaw -- as "important," the second-highest of the four ratings in its four-step system.
Ormandy said that the vulnerability goes back nearly 17 years to Windows NT 3.1's release, and exists in every version of Windows since. He reported the bug to Microsoft more than seven months ago.