Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Published: January 20, 2010 | Updated: January 22, 2010
Version: 1.1

Executive Summary

Microsoft is investigating new public reports of a vulnerability in the Windows kernel. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-band security update, depending on customer needs.

Issue References

For more information about this issue, see the following references:

Affected and Non-Affected Software

This advisory discusses the following software.

• Microsoft Windows 2000 Service Pack 4
• Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows Server 2003 Service Pack 2
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
• Windows 7 for 32-bit Systems
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems

*Server Core installation affected. This advisory applies, with the same severity rating, to supported editions of Windows Server 2008 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Windows kernel. This affects the operating systems that are listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is currently working to determine the appropriate action to take to help protect our customers. This may include developing a security update for Windows to address this vulnerability. If a security update is developed, Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution.

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What is the Windows Virtual DOS Machine (NTVDM) subsystem?
The Windows Virtual DOS Machine (NTVDM) subsystem is a protected-environment subsystem that emulates MS-DOS and 16-bit Windows within Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.

What causes this threat?
The vulnerability is caused by the Windows kernel not properly handling certain exceptions.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and cause the system to stop responding and restart.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
• Windows operating systems for x64-based and Itanium-based computers are not affected.

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the NTVDM subsystem

Note: See Microsoft Knowledge Base Article 979682 to use the automated Microsoft Fix it solution to enable or disable this workaround.

1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK. This opens the Group Policy console.
2. Expand the Administrative Templates folder, and then click Windows Components.
3. Click the Application Compatibility folder.
4. In the details pane, double-click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured.
5. Change the policy setting to Enabled, and then click OK.

Impact of Workaround: Users will not be able to run 16-bit applications.
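
The state of this workaround can also be checked from a script instead of the Group Policy console. The following PowerShell is an added example, not part of the Microsoft advisory; it assumes the policy is stored as the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and the function names and the -Enforce switch are illustrative.

```powershell
# Added example: audit (and optionally apply) the "Prevent access to 16-bit
# applications" policy on the local machine. Assumption: the policy is stored
# as the DWORD value VDMDisallowed under the AppCompat policy key below.
param([switch]$Enforce)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Test-Is32BitWindows {
    # On 64-bit Windows a 32-bit process sees PROCESSOR_ARCHITEW6432 set.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and
           (-not $env:PROCESSOR_ARCHITEW6432)
}

function Get-NtvdmPolicyState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured', matching gpedit.msc.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

if (-not (Test-Is32BitWindows)) {
    Write-Output 'x64/Itanium Windows: not affected per the advisory; nothing to do.'
    return
}

$state = Get-NtvdmPolicyState
Write-Output "Prevent access to 16-bit applications: $state"

if ($state -ne 'Enabled') {
    if ($Enforce) {
        # Requires an elevated session; 16-bit applications stop working afterwards.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
        Write-Output "Workaround applied: $(Get-NtvdmPolicyState)"
    } else {
        Write-Output 'NTVDM is still available. Re-run with -Enforce to apply the workaround.'
    }
}
```

A domain Group Policy that configures the same setting overrides a local change at the next policy refresh, so on domain-joined machines the audit result is the part to rely on.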

Additional Suggested Actions

• Review the Microsoft Knowledge Base Article that is associated with this advisory
  For more information about this issue, see Microsoft Knowledge Base Article 979682.
• Protect your PC
  We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
• For more information about staying safe on the Internet, visit Microsoft Security Central.
• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

• Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
• Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

• V1.0 (January 20, 2010): Advisory published.
• V1.1 (January 22, 2010): Added links to Microsoft Knowledge Base Article 979682 in the Issue References table and Additional Suggested Actions section. Added a link to Microsoft Knowledge Base Article 979682 to provide an automated Microsoft Fix it solution for the workaround, Disable the NTVDM subsystem.