32-bit Windows flaw has existed for 17 years, since Windows NT 3.1

2010/1/22 8:56:38    Editor: 软媒 - 笨笨

Win7之家 (www.win7china.com): 32-bit Windows flaw has existed for 17 years, since Windows NT 3.1

According to foreign media reports, Microsoft on Wednesday night released its second security advisory in a week (the first followed last week's events). Microsoft warned users that the kernel of every 32-bit version of Windows contains a vulnerability that has existed for 17 years and that an attacker could exploit to take control of a user's PC.

The flaw, located in the Windows DOS virtual machine (VDM) subsystem, was disclosed on Tuesday by Google engineer Tavis Ormandy on the Full Disclosure security mailing list. Coincidentally, Ormandy had just been credited with reporting a vulnerability that Microsoft fixed last week in its regular Patch Tuesday release.

The VDM subsystem was added to Windows when Windows NT shipped in 1993, as Microsoft's first fully 32-bit operating system. VDM allows Windows NT and later versions of Windows to run DOS and 16-bit Windows software.

Microsoft's security advisory states that the affected software is every 32-bit version of Windows, including Windows 7 and Vista, and tells users how to disable VDM as a workaround. 64-bit versions of Windows are not affected by this vulnerability.

This is the second security advisory Microsoft has issued in seven days. After Google said its systems had been attacked by hackers in China, Microsoft issued an advisory warning of a serious vulnerability in the Internet Explorer browser. Microsoft is to fix that IE flaw later on Thursday.

In the second advisory, Microsoft said that an attacker who successfully exploited this vulnerability in 32-bit Windows could execute arbitrary code in kernel mode. The attacker could then install software; view, change, or delete files; or create new accounts with full user rights.

Jerry Bryant, a program manager at the Microsoft Security Response Center, said Microsoft had not yet seen any real-world attacks exploiting the vulnerability, and that even if hackers did exploit it, the threat would be limited. To exploit the flaw, he said, an attacker must already hold valid logon credentials and be able to log on to the system locally, which means the attacker must already have an account on that system.

Microsoft generally classifies elevation-of-privilege vulnerabilities of this kind as "Important", the second-highest of its four severity ratings.

Google's Ormandy said the vulnerability dates back nearly 17 years to the release of Windows NT 3.1, that every version of Windows since then has contained it, and that he reported it to Microsoft seven months ago.

32-bit Windows 7, Vista, XP Affected by 17-Year-Old EoP Vulnerability

Windows evolves incrementally from one release to the next, and some pieces of code survive across many iterations of the platform. That is the case of the BIOS-call support in the Virtual-8086 mode monitor code, which was introduced in Windows NT 3.1, released in 1993, and is still present in Windows 7. Microsoft has now confirmed publicly disclosed details of a vulnerability present in every release of the Windows NT kernel and dating back 17 years.

The Redmond company released Security Advisory 979682 to help customers mitigate the vulnerability until a patch is made available. The Windows NT #GP Trap Handler flaw, discovered and documented by Google engineer Tavis Ormandy, can allow an attacker who already holds an account on a 32-bit (x86) Windows machine to elevate it to full administrative privileges. It is an Elevation of Privilege (EoP) vulnerability in the Windows kernel, not a remote code-execution flaw. It affects only 32-bit Windows, including XP, Vista and Windows 7; 64-bit (x64) editions of Windows, which have no NTVDM subsystem, are not affected.

“The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability. It’s important to note that we are not currently aware of any active attacks against this vulnerability and Microsoft believes risk to customers, at this time, is limited. It is recommended that customers review and implement the mitigations and workarounds detailed in the Security Advisory,” revealed Jerry Bryant, senior security program manager, Microsoft.

Users should understand that the risk associated with this vulnerability is low on its own. The flaw cannot be exploited remotely: an attacker must already have access to a computer running a vulnerable 32-bit version of Windows, and an account on that computer from which to run code. The practical concern is chaining: a local kernel EoP of this kind is exactly what turns code running as a low-privileged user, for example after a browser compromise such as the Internet Explorer flaw mentioned above, into code running in kernel mode.

“To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Security Advisory,” Bryant added.

Here are the steps necessary to disable the NTVDM subsystem, according to Microsoft:

“Click Start, click Run, type gpedit.msc in the Open box, and then click OK. This opens the Group Policy console.

1. Expand the Administrative Templates folder, and then click Windows Components.
2. Click the Application Compatibility folder.
3. In the details pane, double click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured.
4. Change the policy setting to Enabled, and then click OK.

Impact of Workaround: Users will not be able to run 16-bit applications.”
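The gpedit.msc steps above apply to one machine at a time. For a fleet, the same workaround is usually pushed from a script, so the following is an added example (it is not code from the article, from Microsoft's advisory, or from Ormandy's disclosure) that first checks whether a host is actually exposed and then writes the registry value that the "Prevent access to 16-bit applications" policy sets, VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat. The architecture test via PROCESSOR_ARCHITECTURE / PROCESSOR_ARCHITEW6432 and the "Exposed" heuristic (32-bit OS, ntvdm.exe present, policy not yet set) are this example's own choices, not anything the advisory prescribes. It must be run from an elevated PowerShell prompt.

```powershell
# Added example: assess and apply the NTVDM workaround (not from the article or advisory).
# Requires an elevated (administrator) PowerShell session.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'   # DWORD 1 = 16-bit applications are blocked

function Test-NtvdmExposure {
    # 64-bit Windows has no NTVDM subsystem and is not affected by this flaw.
    # A 32-bit PowerShell on 64-bit Windows reports AMD64 via PROCESSOR_ARCHITEW6432.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or
            ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

    # ntvdm.exe is the user-mode side of the VDM subsystem on 32-bit installs.
    $ntvdmPath    = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $ntvdmPresent = Test-Path $ntvdmPath

    # Current policy value; $null when the key or value does not exist yet.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                    -ErrorAction SilentlyContinue).$PolicyName

    # Heuristic (this example's own): exposed only if 32-bit, VDM present,
    # and the workaround has not been applied.
    New-Object PSObject -Property @{
        Is64BitOS     = $is64
        NtvdmPresent  = $ntvdmPresent
        VDMDisallowed = $current
        Exposed       = (-not $is64) -and $ntvdmPresent -and ($current -ne 1)
    }
}

function Disable-Ntvdm {
    # Writes the same value the Group Policy editor writes when the
    # "Prevent access to 16-bit applications" setting is Enabled.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 1 (DWORD)")) {
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    }
}

function Enable-Ntvdm {
    # Rollback once the vendor fix is installed and 16-bit support is wanted again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ((Test-Path $PolicyKey) -and
        $PSCmdlet.ShouldProcess($PolicyKey, "Remove $PolicyName")) {
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    }
}

# Usage: report, apply only where needed, then re-check that the value stuck.
$before = Test-NtvdmExposure
$before | Format-List Is64BitOS, NtvdmPresent, VDMDisallowed, Exposed

if ($before.Exposed) {
    Disable-Ntvdm
    $after = Test-NtvdmExposure
    if ($after.Exposed) {
        throw 'Workaround was not applied; check that the session is elevated.'
    }
    Write-Host 'NTVDM disabled: 16-bit applications will no longer start.'
}
else {
    Write-Host 'Host is not exposed (64-bit, no NTVDM, or workaround already in place).'
}
```

Two caveats a deployment should account for. First, on a domain-joined machine the domain Group Policy wins at the next refresh, so the value must be set in the domain GPO (same policy path as in the steps above), not only in the local registry, or it may be reverted. Second, this is a mitigation, not a fix: it blocks new 16-bit processes, which is the "Impact of Workaround" Microsoft describes, and it should be rolled back with Enable-Ntvdm only after the kernel update is installed on hosts that genuinely need 16-bit support.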