Microsoft investigates 17-year-old Windows flaw
- Wednesday, 20 January 2010 14:40
Reports have surfaced about a new security hole that has been in Windows since the release of Windows NT 3.1 on July 27, 1993. The vulnerability is present in all 32-bit versions of Windows released since then, including Windows 7.
Thankfully, the flaw isn't in a commonly used application but in the Virtual DOS Machine (VDM) used to support 16-bit applications. There are several vulnerabilities in this implementation, according to Google security team member Tavis Ormandy, who found the issues.
An unprivileged 16-bit program can manipulate the kernel stack of each process, potentially enabling attackers to execute code at system privilege level. The exploit can be used to open a command prompt with the highest privilege level.
Ormandy claims he informed Microsoft of this hole on June 12, 2009, and the company confirmed receiving his report 10 days later, but it has yet to fix the issue.
"Microsoft is investigating new public claims of a possible vulnerability in Windows," a Microsoft spokesperson told Ars. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."
Although Microsoft has not released a patch, Ormandy decided to publish the details because he believes the workaround is simple enough: disable the MS-DOS subsystem.
"As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch," he writes in his disclosure. "It should be noted that very few users rely on NT security; the primary audience of this advisory is expected to be domain administrators and security professionals."
To enable the workaround, use the policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" in the Group Policy Editor to prevent unprivileged users from executing 16-bit applications.
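As an added example (not from the article or from Ormandy's advisory), the PowerShell below audits a host for this workaround and, when run from an elevated shell, applies the same setting the policy template would. It assumes the policy is backed by the DWORD registry value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and it treats 64-bit hosts as unaffected because they ship no NTVDM.

```powershell
# Added example: audit and apply the "Prevent access to 16-bit applications" workaround.
# Assumption: the policy template writes VDMDisallowed = 1 (DWORD) under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmMitigationStatus {
    # 64-bit Windows has no NTVDM, so the flaw (and the policy) only matter on 32-bit hosts.
    # PROCESSOR_ARCHITEW6432 is set when a 32-bit shell runs on a 64-bit OS.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($null -ne $env:PROCESSOR_ARCHITEW6432)

    $value = $null   # $null means the policy has never been configured on this host
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$ValueName }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Is64Bit       = $is64
        VdmDisallowed = $value
        Mitigated     = ($is64 -or ($value -eq 1))
    }
}

function Enable-VdmMitigation {
    # Writes the same value the Group Policy template sets; requires an elevated shell.
    # On domain-joined hosts prefer the GPO itself so the setting is enforced centrally.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-VdmMitigationStatus
}

# Audit first; apply only where a 32-bit host reports Mitigated = False.
$status = Get-VdmMitigationStatus
$status | Format-List
if (-not $status.Mitigated) {
    Write-Host "16-bit applications are still allowed; run Enable-VdmMitigation from an elevated shell."
}
```

Already-running 16-bit programs are not terminated by the policy change; the block takes effect for new NTVDM launches.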