Free Republic

Neolithic Windows security hole alive and well in Windows 7
IT World | January 2010 | sjvn

Posted on 01/21/2010 11:31:58 AM PST by ShadowAce

One of the reasons I've never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there's a 17-year old security hole that's been in Windows since NT and it's still present today in Windows 7.

Wow. Even I'm shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows' foundation is built on sand and not on the stone of good, solid design.

Tavis Ormandy, a Google security engineer, uncovered this new 'old' hole while digging around Windows. Ormandy found that way back in 1993 in Windows NT that Windows included a 'feature' to support BIOS service routines in legacy Windows 16bit applications.

Think about that for a moment: this 'feature' was put in to support software that was already out of date in 1993. Guess what? It's been in every version of Windows since then up to, and including, Windows 7. Honestly, is there anyone on Earth who's running Windows 3.1 applications on Windows 7? Or, Vista? Or, XP... you get the idea.

Be that as it may, the code's still in there. An attacker can trigger the vulnerability through a variety of means. The end result is, surprise, another Windows machine that's totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

A security company called Immunity has already released an add-on to its program Canvas that can be used to show if your computer is vulnerable to attacks using this method. You don't need to worry with that though. If you're running 32-bit Windows, congratulations, you can be successfully attacked.

The important point about Immunity's work is that if they can build a test that demonstrates the problem, a criminal hacker can build a program that will exploit it. It's only a matter of time.

There's no patch for this. You can, however, block it by switching off your computer's MSDOS and WOWEXEC subsystems. Unless you're running pre-historic 16-bit MS-DOS or Windows programs you won't see any problems.

How you do this varies from one version of Windows to another. The basic idea though is always the same: you want to turn off two services: CMDLINE, for MS-DOS applications, and WOWCMDLINE for 16-bit Windows programs.

In Windows XP, you do this by running the Registry Editor (Regedt32.exe) from Windows' Run command. Before doing this though, or making any other change to a Windows registry, you should make a backup of the registry. That done, get Regedt32 running, and head over to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW

Once there, find the CMDLINE and WOWCMDLINE items and right click on them. This will give you the option to edit their value. Choose this and add a character in front of their values. You could, of course, just delete them, but this way, if, for some reason, you ever do need to run an obsolete program you can just zap the character and they'll be back and ready to go. These are dynamic changes, so once you've exited Regedt32 you won't need to reboot your computer for the changes to take effect.

Congratulations. You're now immune to attacks using the latest, but oldest, Windows security hole.


TOPICS: Computers/Internet
KEYWORDS: lowqualitycrap; microsofttax; security; windows
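A scripted version of the article's workaround, added here as an example and not part of the original article: it backs up the WOW key first, prefixes the two values with a character so the change stays reversible, and reports when the key or values are absent, which is what several commenters on 64-bit and Vista systems see. The prefix character, the backup path and the -Restore switch are this script's own choices, not anything the article specifies.

```powershell
# Added example (not from the article): reversible form of the WOW registry workaround.
# Assumptions: run from an elevated PowerShell prompt; the prefix character (';') and the
# backup path are arbitrary choices made here, and -Restore undoes the change again.
param(
    [switch]$Restore,
    [string]$BackupPath = "$env:TEMP\WOW-backup.reg"
)

$wowKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
$values = 'cmdline', 'wowcmdline'     # the two values the article names
$prefix = ';'

# 64-bit Windows has no NTVDM and, as the thread reports, no such key: report and stop.
if (-not (Test-Path $wowKey)) {
    Write-Output 'WOW key not present; this workaround does not apply to this system.'
    return
}

# Back the key up before touching it (the article's own advice); reg.exe wants the native path.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\WOW' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting without changes.' }

$key = Get-Item -Path $wowKey
foreach ($name in $values) {
    # Read the raw data (no %SystemRoot% expansion) so we write back exactly what was there.
    $current = [string]$key.GetValue($name, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ([string]::IsNullOrEmpty($current)) {
        Write-Output "$name not found under WOW; nothing to change."
        continue
    }
    $kind = $key.GetValueKind($name)      # keep REG_EXPAND_SZ / REG_SZ as found
    if ($Restore) {
        if ($current.StartsWith($prefix)) {
            Set-ItemProperty -Path $wowKey -Name $name -Value $current.Substring(1) -Type $kind
            Write-Output "$name restored."
        }
    }
    elseif (-not $current.StartsWith($prefix)) {
        # The prefix makes the stored command line invalid, so NTVDM/WOWEXEC can no longer launch.
        Set-ItemProperty -Path $wowKey -Name $name -Value ($prefix + $current) -Type $kind
        Write-Output "$name disabled (backup at $BackupPath)."
    }
}
```

Run it once to apply the change and again with -Restore to put the original values back; the exported .reg file is an independent fallback if anything else goes wrong.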
To: ShadowAce

Not sure why he’s saying 16-bit Windows apps were out of date in 1993. He should probably cut back on the vinegar and stick with facts.


21 posted on 01/21/2010 12:04:27 PM PST by discostu (wanted: brick, must be thick and well kept)

To: driftdiver

I’ve seen this guy’s columns/blogs/etc before. He’s a regular on (and perhaps employed by) IT World’s site, and is not affiliated with Immunity.


22 posted on 01/21/2010 12:12:11 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Sorry, I just don’t like fear mongering. At least he’s honest by revealing his agenda right up front.


23 posted on 01/21/2010 12:17:09 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: ShadowAce

I can guarantee you some schmo company is out there running 16-bit dos programs and not even in Windows.


24 posted on 01/21/2010 12:21:18 PM PST by VeniVidiVici (Marsha Coakley's been teabagged. In Nov. Democrat Teabaggees - you're next.)

To: TChris
There are no such services as "CMDLINE" or "WOWCMDLINE" in Windows, nor any reasonable variations that I could think of.

I'm running Vista Home Premium and followed the author's instructions. I got to the WOW folder in the Registry but my OS does not have the CMDLINE or WOWCMDLINE keys.

So you may be right.

25 posted on 01/21/2010 12:23:38 PM PST by Texas Jack

To: TChris

“Smells like another Windows-bashing rant to me.”

Yep, nothing but a liberal hit piece.


26 posted on 01/21/2010 12:23:55 PM PST by CodeToad (If it weren't for physics and law enforcement I'd be unstoppable!)

To: willgolfforfood
Not to mention Space Goose!

That was a good one!

27 posted on 01/21/2010 12:28:05 PM PST by martin_fierro (< |:)~)

To: ShadowAce
Just as there is still a LOT of legacy FORTRAN and COBOL running out there on Big Iron systems, I suspect there is plenty of 16-bit Windows code and 8/16-bit DOS code still performing useful work.

I still think the Windows 3.x Terminal program was a far better basic VT-100 emulator than anything MS has included since. I got a lot of useful stuff done on a VAX by using it at a previous job, back in the early 90's.

28 posted on 01/21/2010 12:32:36 PM PST by TChris ("Hello", the politician lied.)

To: ShadowAce

And I’m as happy as can be with Windows on my 5 home PCs. Been using Windows since before 3.1 and would never buy a Mac. Mainly because I like to buy PCI cards of near any type/function and plug em in. I don’t know for sure but can I plug my 4 different tuner cards into a Mac and record and play back on (drive) my 58” plasma?


29 posted on 01/21/2010 12:39:03 PM PST by Allen In Texas Hill Country

To: ShadowAce
"A security company called Immunity has already released an add-on to its program Canvas that can be used to show if your computer is vulnerable to attacks using this method."

This is a superb application. It's used for pen-testing, and is basically a 'hacker in a box'. However, I wonder if they didn't take Metasploit, made a few changes, and called it their 'own'. lol

30 posted on 01/21/2010 2:11:24 PM PST by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")

To: ShadowAce
Honestly, is there anyone on Earth who's running Windows 3.1 applications on Windows 7? Or, Vista? Or, XP... you get the idea.

There are probably legacy applications out there that have a need for this, but in this day and age why in the world wouldn't you run such a subsystem in a virtual machine?



31 posted on 01/21/2010 6:56:10 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)

To: VeniVidiVici
I can guarantee you some schmo company is out there running 16-bit dos programs and not even in Windows.

I know of two very large financial organizations that still use MS-DOS machines running batch processes on IBM and DEC hosts, and FoxPro+ applications that process many millions of dollars every day. In these cases, there has never been any reason to change, for the simple reason that their programs work very well and have never had a hiccup. Plus they've got plenty of spare machines that will take care of them. And in one case, they've even virtualized 12 DOS PCs onto a single VMWare server.

32 posted on 01/21/2010 7:38:35 PM PST by MarkL (Do I really look like a guy with a plan?)

To: ShadowAce

I’m running Windows 7 64-bit and the registry key described does not exist.


33 posted on 01/21/2010 8:30:16 PM PST by DigitalVideoDude (It's amazing what you can accomplish when you don't care who gets the credit. -Ronald Reagan)

To: ShadowAce

I heard something was going to be issued this Saturday as a single patch??


34 posted on 01/21/2010 9:14:36 PM PST by bitt (One if by land, Two if by sea. Three if by CRIMINALS from Washington, D.C)

To: MarkL
I can guarantee you some schmo company is out there running 16-bit dos programs and not even in Windows.

Yup. And it's easy money till they want to change.

35 posted on 01/21/2010 9:21:58 PM PST by VeniVidiVici (Marsha Coakley's been teabagged. In Nov. Democrat Teabaggees - you're next.)

To: ShadowAce

x64 systems address the kernel in a way where this won’t affect them. I checked all of my x64 systems (2 at work and 2 at home), and none of them have these registry entries.

All of my 32-bit Windows OS had the registry entry, and I removed it.

The WOW stuff isn’t an explicit service. When you open a command line in Windows, the system drills down to the lowest common denominator for application execution—in this case 16 bit executions. Since most applications nowadays are written with x64 in mind, they don’t need to instantiate 16 bit compatibility mode, but since Microsoft is intent on backwards compatibility into the Stone Age, they left open this gaping hole.


36 posted on 01/22/2010 5:45:20 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: MarkL
And in one case, they've even virtualized 12 DOS PCs onto a single VMWare server.

Yup. One of the things virtualization was made for. The benefits of increased speed, and ease of backups are also nice.



37 posted on 01/22/2010 7:44:55 AM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
