| Friday May 27th 2016

Windows hole discovered after 17 years… Affects 3.1 through to Windows 7

Just to clarify, that’s Windows NT 3.1, not the old 16-bit Windows 3.1. I was wondering how the hell you could have a privilege escalation bug on an OS with only one level of privilege.

The problem is caused by flaws in the Virtual DOS Machine (VDM), introduced in 1993 to support 16-bit applications (real-mode programs written for the 8086). VDM is based on the Virtual 8086 Mode (VM86) of 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.
