Microsoft investigating ZeroDay impacting Windows NT Kernel
by Steve Ragan - Jan 19 2010, 22:35

On the heels of Microsoft announcing an out-of-cycle patch for the zero-day vulnerability in Internet Explorer, researcher Tavis Ormandy has released details on another zero-day, this one in the Windows NT kernel, affecting every 32-bit version from Windows NT 3.1 through Windows 7.
According to Ormandy, his research and subsequent disclosure are aimed at security professionals and domain administrators, as few users rely on NT security. The flaw itself is a local privilege escalation in the kernel's #GP trap handler, reached through the support for 16-bit code running under the Virtual DOS Machine (VDM). An unprivileged local user who exploits it can switch the kernel stack to an address of their choosing, and from there run code at kernel privilege.
In addition to detailing the flaw in his post, Ormandy has offered example code that triggers the stack switch; it has been tested on Windows XP, Windows Server 2003 and 2008, Windows Vista, and Windows 7. All 32-bit x86 versions of Windows NT released since 1993 are believed to be affected. The 64-bit editions ship without the NTVDM subsystem, so the vulnerable code path is not reachable there.
“Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning,” Ormandy noted in his post on Full Disclosure.
In addition, because the vulnerability sits in the support for 16-bit applications, using Group Policy to deny access to legacy 16-bit applications (the "Prevent access to 16-bit applications" setting under Application Compatibility) was listed as another mitigation step.
“If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface,” he said.
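The following script is an added example, not code from Ormandy's post or from Microsoft. It applies the "Prevent access to 16-bit applications" policy on a single 32-bit host and checks that it took effect. It assumes, based on Microsoft's documentation for that policy, that the setting is stored as the DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; the function names Get-VdmState and Disable-Vdm are this example's own.

```powershell
# Added example: block 16-bit (NTVDM/WOWEXEC) application support by policy.
# Assumption: the "Prevent access to 16-bit applications" Group Policy setting
# is backed by the registry value below. Run from an elevated prompt. In a
# domain, push the same setting through a GPO instead of touching hosts by hand.

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$valueName = 'VDMDisallowed'

function Get-VdmState {
    # Returns $true when 16-bit application support is already blocked by policy.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

function Disable-Vdm {
    # Create the policy key if it does not exist, then set (or overwrite) the value.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

# The 64-bit editions have no NTVDM, so there is nothing to disable there.
# PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on a 64-bit OS.
$is32BitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)

if (-not $is32BitOS) {
    Write-Output 'x64 host: no 16-bit subsystem present, nothing to do.'
} elseif (Get-VdmState) {
    Write-Output '16-bit application support is already disabled by policy.'
} else {
    Disable-Vdm
    if (Get-VdmState) {
        Write-Output ("Set {0}\{1} = 1; new 16-bit applications are now blocked." -f $keyPath, $valueName)
    } else {
        Write-Warning 'Policy value was not written; check that this shell is elevated.'
    }
}

# The policy only affects new launches. Any NTVDM instance that is already
# running keeps its 16-bit session, so list them for termination.
Get-Process -Name ntvdm -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, StartTime
```

Applying the registry value directly is equivalent to setting the policy for the local machine, but a domain GPO is the maintainable form: it survives reimaging and can be reported on centrally, which is what Ormandy's advice to domain administrators amounts to.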
Microsoft was informed of the problem in the NT kernel in June 2009, and while it acknowledged Ormandy's work, an official patch has not yet been forthcoming from the American software behemoth.
“As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch,” Ormandy said.
Considering how few environments still depend on legacy 16-bit applications, there is no need to panic over this disclosure. Note, though, that the 16-bit subsystem is enabled by default on 32-bit Windows, so the attack surface is present whether or not it is used, and the workaround has to be applied deliberately. The Full Disclosure post, with complete details and extensive mitigations, is available on the Full Disclosure mailing list.
The Tech Herald has reached out to both Microsoft and Tavis Ormandy for more information on the matter.
“Microsoft is investigating new public claims of a possible vulnerability in Windows. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” offered a Microsoft spokesperson in a statement.
“Once we're done investigating, we will take appropriate action to help protect customers,” they added. “This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”
If we hear anything else, we'll be sure to update the story.
