Windows NT VDM Vulnerability Detected After 17 Years

I guess it’s Windows-flaw-week or something. First, we had the Internet Explorer vulnerability used in the Google attack, and now we have a bug that’s been sitting undetected in Windows NT for 17 years. The bug can be used to escalate privileges, but from what I understand, it only works locally (although that isn’t made clear).

The flaw exists in the Virtual DOS Machine, which is a system that allows Windows NT to run DOS and 16bit applications on 386 (and up) machines. Google security team member Tavis Ormandy discovered a vulnerability in the VDM and reported it to Microsoft in the summer of 2009, but since it still hasn’t been patched, he went full-disclosure.

Basically, what happens is that a 16 bit program can escalate its privileges and gain unrestricted access to the entire system, but as far as I can tell (please correct me if I’m wrong) this is a local exploit: you need physical access to the system. This usually means normal users have relatively little to worry about, but of course, it can be used in social engineering attacks, or someone might find a way to exploit it remotely.

The vulnerability is present in all 32bit versions of Windows NT, starting with NT 3.51 and ending with Windows 7. Since 16bit support was dropped from the 64bit versions of Windows, users of Windows 64bit are not affected. The work-around is extremely simple and straightforward: disable the 16bit subsystem on 32bit machines.

This can be done one of three ways (but they all do the same thing: edit the registry). First, you can use the Group Policy Editor to enable the “Prevent access to 16-bit applications” in Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. Second, you can also simply go rogue and edit the registry directly (backup! backup!) by placing a key in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat with a D-Word value of VDMDissallowed = 1.

The last method automates it all: create a text file called vdmdisallow.reg, and paste the following into the file, and double-click it:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat] “VDMDisallowed”=dword:00000001

Again, 64bit users needn’t worry. All this does raise a question we’ve sure raised before: at what point should Microsoft drop support for applications? How many people still use 16 bit applications? Wouldn’t it have made more sense to have it disabled by default on 32bit systems, and then enable it as soon as Windows detects someone is trying to load a 16bit application?

18 Comments

  1. 2010-01-20 8:45 pm
    • 2010-01-20 11:19 pm
      • 2010-01-21 1:31 am
        • 2010-01-21 1:37 am
        • 2010-01-21 2:19 am
          • 2010-01-21 2:28 am
          • 2010-01-21 4:14 am
        • 2010-01-21 6:24 am
          • 2010-01-21 9:38 am
  2. 2010-01-20 11:40 pm
    • 2010-01-21 1:32 am
  3. 2010-01-21 3:29 am
  4. 2010-01-21 4:18 am
    • 2010-01-21 1:14 pm
      • 2010-01-22 6:08 pm
  5. 2010-01-22 2:18 pm
    • 2010-01-22 2:58 pm
      • 2010-01-22 6:35 pm