32-bit Windows vulnerability has existed for 17 years, since NT 3.1

2010/1/22 8:56:38    Editor: 軟媒 - 笨笨

Source: Win7之家 (afsion.com.cn)

According to foreign media reports, Microsoft released its second security advisory about the past week's events on Wednesday evening. Microsoft warned users that the kernel of every 32-bit version of Windows contains a security vulnerability that has existed for 17 years, which hackers could exploit to hijack a user's PC.

這個(gè)存在于Windows DOS虛擬機(jī)(VDM)子系統(tǒng)中的安全漏洞是谷歌工程師Tavis Ormandy星期二在“全面披露”安全郵件列表中披露的。碰巧的是Ormandy因?yàn)閳?bào)告微軟上個(gè)星期在例行性的補(bǔ)丁星期二修復(fù)的一個(gè)安全漏洞而受到了稱贊。

The VDM subsystem was added to Windows when Windows NT was released in 1993; that was Microsoft's first fully 32-bit operating system. VDM allows Windows NT and later versions of Windows to run DOS and 16-bit Windows software.

Microsoft's security advisory states clearly that the affected software is every 32-bit version of Windows, including Windows 7 and Vista, and tells users how to disable VDM as a workaround. 64-bit versions of Windows are not affected by this vulnerability.

This is the second security advisory Microsoft has issued within seven days. After Google said its computers had been attacked by Chinese hackers, Microsoft issued an advisory warning users of a serious vulnerability in the IE browser. Microsoft is to fix that vulnerability later this Thursday.

In the second advisory, Microsoft said that an attacker who successfully exploits this vulnerability in 32-bit Windows could execute arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete files; or create new accounts with full user rights.

Jerry Bryant, program manager at the Microsoft Security Response Center, said Microsoft had not yet seen any actual attacks exploiting this vulnerability, and that even if hackers did exploit it, the threat would be limited. To exploit the vulnerability, he said, an attacker must already have valid logon credentials and be able to log on to the local system, which means the attacker must already have an account on that system.

Microsoft generally classifies this kind of elevation-of-privilege vulnerability as "Important", the second most severe of Microsoft's four severity ratings.

Google's Ormandy said the vulnerability dates back to the release of Windows NT 3.1 nearly 17 years ago and that every version of Windows since has contained it; he reported it to Microsoft seven months ago.

32-bit Windows 7, Vista, XP Affected by 17-Year-Old EoP Vulnerability

Windows operating systems essentially evolve from one release to the next, with some pieces of code surviving across multiple iterations of the platform. This is the case for the BIOS calls in the Virtual-8086 mode monitor code, which was introduced in Windows NT 3.1, released in 1993, and survives to this day in Windows 7. In this regard, Microsoft has confirmed publicly released information detailing a vulnerability contained in every release of the Windows NT kernel and dating back 17 years.

The Redmond company released Security Advisory 979682 to help customers mitigate the vulnerability until a patch is made available. The Windows NT #GP Trap Handler security hole, discovered and documented by Google engineer Tavis Ormandy, can potentially allow an attacker to elevate an existing account on a 32-bit (x86) Windows machine to full administrative privileges. It is an Elevation of Privilege (EoP) vulnerability in the Windows kernel, not a remote one. It only affects 32-bit versions of Windows, including XP, Vista and Windows 7. 64-bit (x64) Windows flavors are not affected at all.

“The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability. It’s important to note that we are not currently aware of any active attacks against this vulnerability and the Microsoft believes risk to customers, at this time, is limited. It is recommended that customers review and implement the mitigations and workarounds detailed in the Security Advisory,” revealed Jerry Bryant, senior security program manager, Microsoft.

Users should understand that the risk associated with this vulnerability is low. Crucially, the flaw cannot be exploited remotely: an attacker would already need access to a Windows computer running a vulnerable version of the operating system, and would also need an account on that computer.

“To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Security Advisory,” Bryant added.

Here are the steps necessary to disable the NTVDM subsystem, according to Microsoft:

“Click Start, click Run, type gpedit.msc in the Open box, and then click OK. This opens the Group Policy console.
1. Expand the Administrative Templates folder, and then click Windows Components.
2. Click the Application Compatibility folder.
3. In the details pane, double click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured.
4. Change the policy setting to Enabled, and then click OK.
Impact of Workaround: Users will not be able to run 16-bit applications.”
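To verify the workaround across a fleet rather than clicking through gpedit.msc on each machine, the following PowerShell audit is an added example, not code from the article or from Microsoft's advisory. It assumes that the "Prevent access to 16-bit applications" policy is stored as the DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; the function names are mine.

```powershell
# Added example: audit whether a host is exposed to the 32-bit NTVDM issue and
# whether the Security Advisory 979682 workaround (disable 16-bit apps) is applied.
# ASSUMPTION: the "Prevent access to 16-bit applications" Group Policy setting is
# persisted as DWORD VDMDisallowed = 1 under the key below.
$AppCompatPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

function Test-Is64BitWindows {
    # A 64-bit OS reports AMD64/IA64 natively, or sets PROCESSOR_ARCHITEW6432
    # when this PowerShell instance is a 32-bit process running under WOW64.
    return (($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or (-not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432)))
}

function Get-NtvdmWorkaroundStatus {
    $status = New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        Is64BitOS         = Test-Is64BitWindows
        PolicyKeyPresent  = Test-Path $AppCompatPolicyKey
        VDMDisallowed     = $null
        WorkaroundApplied = $false
        NtvdmRunning      = $false
        Verdict           = ''
    }

    if ($status.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $AppCompatPolicyKey -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['VDMDisallowed']) {
            $status.VDMDisallowed = [int]$props.VDMDisallowed
        }
    }
    $status.WorkaroundApplied = ($status.VDMDisallowed -eq 1)

    # A live ntvdm.exe means 16-bit code is still being executed on this host.
    $status.NtvdmRunning = [bool](Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    if ($status.Is64BitOS) {
        $status.Verdict = 'OK: 64-bit Windows, not affected by the 32-bit NTVDM issue.'
    } elseif ($status.WorkaroundApplied) {
        $status.Verdict = 'OK: 32-bit Windows with 16-bit application access disabled by policy.'
    } else {
        $status.Verdict = 'ACTION: 32-bit Windows and NTVDM is still enabled; apply the advisory workaround.'
    }
    return $status
}

# Run locally; wrap in Invoke-Command to collect the same object from remote hosts.
Get-NtvdmWorkaroundStatus | Format-List ComputerName, Is64BitOS, PolicyKeyPresent, VDMDisallowed, WorkaroundApplied, NtvdmRunning, Verdict
```

Reading the policy key needs no elevation, so the script can run under an ordinary account; a host reporting NtvdmRunning = True while WorkaroundApplied = False still has 16-bit programs in use and needs an application inventory before the policy is switched on.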