Microsoft issues alert on Windows kernel bug

On the eve of releasing an out-of-band Internet Explorer patch, Microsoft has issued a new security advisory involving an obscure Windows kernel bug.

According to the advisory, an elevation-of-privilege exploit has been present in all 32-bit Windows versions since Windows NT. This bug possibly has been accessible for about 17 years, although someone exploiting it would need a network account to accomplish the deed.

The advisory says the bug affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

"Microsoft is investigating new public claims of a possible vulnerability in Windows," wrote Jerry Bryant, Microsoft's senior security program manager, in an e-mailed statement. "We are currently not aware of active attacks against this vulnerability and believe risk to customers, at this time, is limited."

Bryant added that to exploit this vulnerability, an attacker must "already have valid log-on credentials and be able to log on to a system locally." The attacker would need to have an account established on the system and then run a program to take advantage of the flaw. Possibly, it might be exploited by a company insider or someone already trusted.

In any case, the attacker could elevate his privileges on the network to the administrative level, Bryant said.

The bug is based on the MS DOS system, first introduced in 1993. Computers using Windows for x64-based and Itanium systems aren't affected. Microsoft describes a workaround in the security advisory that will prevent access to 16-bit applications as a consequence of avoiding the bug.

Microsoft plans to "provide a security update on an upcoming Patch Tuesday release," according to the security advisory.

Google security team member Tavis Ormandy, who publicized the bug, said in numerous reports that he informed Microsoft of this hole on June 12, 2009. Security experts have noted the long time it has taken for Microsoft to respond. However, to Microsoft's credit, it has dealt with more than 80 vulnerabilities affecting Windows through 2009.

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Reader Comments

Tue, Feb 16, 2010 Todd

Microsoft did not "acquire" the rights to DOS. Microsoft was looking to provide an operating system for the new IBM PC. Originally, Microsoft (Bill Gate and Bill Balmer) approached Digital Research (DR) to license DR-DOS to them. When DR refused, Microsoft wrote a new operating system, MS-DOS. The rest is history.

Sat, Feb 6, 2010

The bug is based on the MS DOS system, first introduced in 1993.¡Not even close!

Fri, Jan 29, 2010 DEFENDER OF THE FREE WORLD

What MS-DOS first introduced in 1993? Try 1981... You need to get your facts straight... I bet the author of this article wasn't even born when Microsoft acquired the rights to DOS.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above