Posted on 01/21/2010 11:31:58 AM PST by ShadowAce
One of the reasons I've never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there's a 17-year-old security hole that's been in Windows since NT and is still present today in Windows 7.
Wow. Even I'm shocked by this latest example of just how rotten Windows security is. It reminds me again, though, that while Microsoft keeps adding features and attempting to patch its way out of Windows' security problems, Windows' foundation is built on sand and not on the stone of good, solid design.
Tavis Ormandy, a Google security engineer, uncovered this new 'old' hole while digging around Windows. Ormandy found that, way back in 1993, Windows NT included a 'feature' to support BIOS service routines in legacy 16-bit Windows applications.
Think about that for a moment: this 'feature' was put in to support software that was already out of date in 1993. Guess what? It's been in every version of Windows since then, up to and including Windows 7. Honestly, is there anyone on Earth who's running Windows 3.1 applications on Windows 7? Or Vista? Or XP? You get the idea.
Be that as it may, the code's still in there. An attacker can trigger the vulnerability through a variety of means. The end result is, surprise, another Windows machine that's totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.
A security company called Immunity has already released an add-on to its program Canvas that can be used to show whether your computer is vulnerable to attacks using this method. You don't need to bother with that, though. If you're running 32-bit Windows, congratulations, you can be successfully attacked.
The important point about Immunity's work is that if they can build a test that demonstrates the problem, a criminal hacker can build a program that will exploit it. It's only a matter of time.
There's no patch for this. You can, however, block it by switching off your computer's MS-DOS and WOWEXEC subsystems. Unless you're running prehistoric 16-bit MS-DOS or Windows programs, you won't see any problems.
How you do this varies from one version of Windows to another. The basic idea, though, is always the same: you want to turn off two services, CMDLINE for MS-DOS applications and WOWCMDLINE for 16-bit Windows programs.
In Windows XP, you do this by running the Registry Editor (Regedt32.exe) from Windows' Run command. Before doing this, though, or making any other change to a Windows registry, you should make a backup of the registry. That done, get Regedt32 running and head over to the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
Once there, find the CMDLINE and WOWCMDLINE items and right-click on them. This will give you the option to edit their values. Choose this and add a character in front of each value. You could, of course, just delete them, but this way, if for some reason you ever do need to run an obsolete program, you can just zap the character and they'll be back and ready to go. These are dynamic changes, so once you've exited Regedt32 you won't need to reboot your computer for the changes to take effect.
Congratulations. You're now immune to attacks using the latest, but oldest, Windows security hole.
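The same registry change, scripted so the backup and the revert are not forgotten. This is an added PowerShell example, not code from the article or from anyone in this thread; it assumes an elevated prompt on 32-bit Windows with PowerShell installed (it was not bundled with XP), and the prefix character, the backup path and the -Restore switch are my own choices.

```powershell
# Added example: prefix the CMDLINE and WOWCMDLINE values under the WOW key so the
# 16-bit subsystems cannot start, exactly as the article describes, with a backup first.
# Assumptions: run as Administrator on 32-bit Windows; reg.exe is present for the export.
param(
    [switch]$Restore,   # strip the prefix again if an old 16-bit program is ever needed
    [string]$BackupFile = "$env:TEMP\WOW-key-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
$Names   = 'cmdline', 'wowcmdline'
$Prefix  = 'x'          # any character that turns the ntvdm path into a non-existent file

if (-not (Test-Path $KeyPath)) {
    Write-Output 'WOW key not found; nothing to change on this machine.'
    return
}

# Back up the key before touching it, as the article insists (reg.exe ships with Windows).
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\WOW' $BackupFile | Out-Null
Write-Output "Backup written to $BackupFile (import it with reg.exe to roll back)"

$Key = Get-Item $KeyPath
foreach ($Name in $Names) {
    if ($Key.GetValueNames() -notcontains $Name) {
        Write-Output "${Name}: not present, skipping"
        continue
    }
    # Read the stored string without expanding %SystemRoot% so we write back what was there.
    $Raw  = $Key.GetValue($Name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $Kind = $Key.GetValueKind($Name)          # keep REG_SZ / REG_EXPAND_SZ as found
    $Disabled = $Raw.StartsWith($Prefix)

    if ($Restore -and $Disabled) {
        $New = $Raw.Substring($Prefix.Length) # undo: drop the leading character
    } elseif (-not $Restore -and -not $Disabled) {
        $New = $Prefix + $Raw                 # disable: add the leading character
    } else {
        Write-Output "${Name}: already in the requested state ($Raw)"
        continue
    }
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $New -Type $Kind
    Write-Output "${Name}: '$Raw' -> '$New'"
}
```

Run it once to disable, and with -Restore to put the original values back; as the article notes, no reboot is needed either way.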
I wish I could run a copy of the old DOS game called F-29 Retaliator (I think); it was way too fun.
x64 OK?
Not to mention Space Goose!
I haven’t heard about x64 systems one way or the other.
Thanks. The article implies it’s only 32 bit but...? I’m not overly worried about this one.
I am not saying this as a home hobbyist, but as a professional, degreed, computer scientist.
There are no such services as "CMDLINE" or "WOWCMDLINE" in Windows, nor any reasonable variations that I could think of.
I’m running Windows XP SP3, and the keys are there as listed in the post above.
“I’m Janet Napolitano, and Windows 7 was my idea!”
Mark
The VDM (Virtual DOS Machine) is NOT a Windows Service, it's a subsystem. The two "service" names he lists are actually Windows registry values in the WOW key, as described.
I'm not buying that this is a huge security hole, else every Windows machine would be compromised by now, and (all jokes aside) they are not.
Smells like another Windows-bashing rant to me.
The article starts with “One of the reasons I’ve never liked Windows” so you know it's a hit piece. Article is hogwash to sell copies of their software.
Unless of course you are still running msdos or 16 bit apps.
Except that he never tries to sell anything, but does show the reader step-by-step how to fix it--without buying anything.
I’m running Windows XP SP3 and the keys are not there and the services are not running.
Of course I’m not running a terminal server or archaic software.
“Smells like another Windows-bashing rant to me.”
It's also an attempt to hawk this loser company.
I first looked at all the services in the Services Manager and in the Registry before I got to the end of the article. :-/
At any rate, I really doubt that this is as big of a problem as he describes. It's very typical of the "you're all idiots and I'm the smartest guy in the room" kind of thing we IT geeks are sometimes known for.
“A security company called Immunity has already released an add-on to its program Canvas that can be used to show if your computer is vulnerable to attacks using this method.”
NOT an attempt to sell anything????? Wanna rethink that?
There are no such services as "CMDLINE" or "WOWCMDLINE" in Windows, nor any reasonable variations that I could think of.
It's not a Windows service itself, but a built-in part of the ntvdm subsystem. It was built in as part of MS-DOS compatibility mode.
Mark
“I blame the author’s misuse of the term “service”. In Windows, that word has a very specific meaning, and what he was talking about is NOT it.”
You would think this “expert” would realize this, unless of course he’s trying to stir up fear and sell more software.