Microsoft issues alert on Windows kernel bug
On the eve of releasing an out-of-band Internet Explorer patch, Microsoft has issued a new security advisory involving an obscure Windows kernel bug.
According to the advisory, an elevation-of-privilege exploit has been present in all 32-bit Windows versions since Windows NT. This bug possibly has been accessible for about 17 years, although someone exploiting it would need a network account to accomplish the deed.
The advisory says the bug affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.
"Microsoft is investigating new public claims of a possible vulnerability in Windows," wrote Jerry Bryant, Microsoft's senior security program manager, in an e-mailed statement. "We are currently not aware of active attacks against this vulnerability and believe risk to customers, at this time, is limited."
Bryant added that to exploit this vulnerability, an attacker must "already have valid log-on credentials and be able to log on to a system locally." The attacker would need to have an account established on the system and then run a program to take advantage of the flaw. Possibly, it might be exploited by a company insider or someone already trusted.
In any case, the attacker could elevate his privileges on the network to the administrative level, Bryant said.
The bug is based on the MS DOS system, first introduced in 1993. Computers using Windows for x64-based and Itanium systems aren't affected. Microsoft describes a workaround in the security advisory that will prevent access to 16-bit applications as a consequence of avoiding the bug.
Microsoft plans to "provide a security update on an upcoming Patch Tuesday release," according to the security advisory.
Google security team member Tavis Ormandy, who publicized the bug, said in numerous reports that he informed Microsoft of this hole on June 12, 2009. Security experts have noted the long time it has taken for Microsoft to respond. However, to Microsoft's credit, it has dealt with more than 80 vulnerabilities affecting Windows through 2009.
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.