[MS] Vulnerability in the Windows Kernel Allows Privilege Escalation - MS-979682

Dear colleagues,

we have just received the following warning. We are forwarding this
information to you unchanged.

CVE-2010-0232 - Vulnerability in the Windows on Windows subsystem of the NT
kernel

The NT Virtual DOS Machine (NTVDM) is a part of the Windows NT kernel that
allows MS-DOS and 16-bit Windows programs to run on 32-bit Windows NT
systems. NTVDM is used by the Windows MSDOS and WOWEXEC subsystems.

The NTVDM subsystem does not sufficiently validate certain BIOS calls issued
from within the virtual DOS machine. A local attacker can exploit this
vulnerability to execute arbitrary code with SYSTEM privileges on the
affected system.

Older Windows NT versions (3.1, 3.5 and 4.0) are probably also affected. The
64-bit platforms (x64 and Itanium) are not affected. Exploits for the
vulnerability have been published.

The following software packages and platforms are affected:

Windows Kernel

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2
Windows XP Service Pack 3

Windows Server 2003 Service Pack 2

Windows Vista
Windows Vista Service Pack 1
Windows Vista Service Pack 2

Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2

Windows 7 for 32-bit Systems

Probably also older versions such as Windows NT 3.1, 3.5 and 4.0

Workarounds also exist:

As a workaround, access to NTVDM can be disabled.

For Windows 2000 and newer:

In the Group Policy Console (gpedit.msc):

Navigate to "Administrative Templates" -> "Windows Components" ->
"Application Compatibility" -> "Details" -> "Prevent Access to 16-bit
Applications"

Set the value to "Enabled" (default: "Not Configured").

For Windows NT 4.0 (and older):

In the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW, edit the values
"CMDLINE" (for MS-DOS applications) and "WOWCMDLINE" (for 16-bit Windows
applications) and insert an arbitrary character at the beginning of the
strings so that the subsystem can no longer be executed.

Stop any NTVDM processes that may still be running.

Vendor advisory:
https://www.microsoft.com/technet/security/advisory/979682.mspx

(c) of the German summary by DFN-CERT Services GmbH; distribution, including
in part, is only permitted with attribution to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.

Kind regards,
Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop "Sicherheit in vernetzten Systemen", 09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

Microsoft Security Advisory (979682)

Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Published: January 20, 2010

Version: 1.0

General Information

Executive Summary

Microsoft is investigating new public reports of a vulnerability in the Windows
kernel. We are not aware of attacks that try to use the reported vulnerability
or of customer impact at this time.

We are actively working with partners in our Microsoft Active Protections
Program (MAPP) to provide information that they can use to provide broader
protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our monthly release process or providing an out-of-band security
update, depending on customer needs.


Advisory Details

Issue References

For more information about this issue, see the following references:

References       Identification
CVE Reference    CVE-2010-0232


Affected and Non-Affected Software

This advisory discusses the following software.

Affected Software
Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows Server 2003 Service Pack 2

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit
Systems Service Pack 2*

Windows 7 for 32-bit Systems

Non-Affected Software
Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and
Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based
Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for
Itanium-based Systems Service Pack 2

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

*Server Core installation affected. This advisory applies, with the same
severity rating, to supported editions of Windows Server 2008 as indicated,
whether or not installed using the Server Core installation option. For more
information on this installation option, see the MSDN article, Server Core.
Note that the Server Core installation option does not apply to certain
editions of Windows Server 2008; see Compare Server Core Installation Options.

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Windows kernel.
This affects the operating systems that are listed in the Affected Software
section.

Is this a security vulnerability that requires Microsoft to issue a security
update? 
Microsoft is currently working to determine the appropriate action to take to
help protect our customers. This may include developing a security update for
Windows to address this vulnerability. If a security update is developed,
Microsoft will release the security update once it has reached an appropriate
level of quality for broad distribution.

What is the Windows kernel? 
The Windows kernel is the core of the operating system. It provides
system-level services such as device management and memory management,
allocates processor time to processes, and manages error handling.

What is the Windows Virtual DOS Machine (NTVDM) subsystem? 
The Windows Virtual DOS Machine (NTVDM) subsystem is a protected-environment
subsystem that emulates MS-DOS and 16-bit Windows within Windows NT-based
operating systems. A VDM is created whenever a user starts an MS-DOS
application on a Windows NT-based operating system.

What causes this threat? 
The vulnerability is caused by the Windows kernel not properly handling certain
exceptions.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary
code in kernel mode. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability? 
To exploit this vulnerability, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application that could
exploit the vulnerability and cause the system to stop responding and restart.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice,
existing in a default state, that could reduce the severity of this issue. The
following mitigating factors may be helpful in your situation:

• An attacker must have valid logon credentials and be able to log on locally
to exploit this vulnerability. The vulnerability could not be exploited
remotely or by anonymous users.

• Windows operating systems for x64-based and Itanium-based computers are not
affected.

Workarounds

Workaround refers to a setting or configuration change that does not correct
the underlying issue but would help block known attack vectors before you apply
the update. Microsoft has tested the following workarounds and states in the
discussion whether a workaround reduces functionality:

• Disable the NTVDM subsystem

1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK.

This opens the Group Policy console.

2. Expand the Administrative Templates folder, and then click Windows
Components.

3. Click the Application Compatibility folder.

4. In the details pane, double-click the Prevent access to 16-bit
applications policy setting. By default, this is set to Not Configured.

5. Change the policy setting to Enabled, and then click OK.

Impact of Workaround: Users will not be able to run 16-bit applications.
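As an added example (not part of the DFN-CERT mail or the Microsoft advisory), the following PowerShell audit script checks a host for the two workarounds described above, the Group Policy setting for Windows 2000 and later and the WOW command-line edit for NT 4.0, and reports any ntvdm.exe sessions that are still running. It assumes that the policy is stored as the DWORD VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat and that an unmodified WOW command line begins with %SystemRoot% or a drive letter; neither detail is stated on the page.

```powershell
# Added audit example; read-only, run from an elevated PowerShell session.
# Assumption (not on the page): "Prevent access to 16-bit applications" is stored as
# DWORD VDMDisallowed = 1 under this Policies key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
# Key named in the NT 4.0 workaround.
$WowKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'

function Get-NtvdmWorkaroundStatus {
    # Workaround 1: Group Policy (Windows 2000 and later).
    $policy = Get-ItemProperty -Path $PolicyKey -Name VDMDisallowed -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy) -and ($policy.VDMDisallowed -eq 1)

    # Workaround 2: cmdline / wowcmdline prefixed with a junk character (NT 4.0).
    # Assumption: an unmodified value starts with %SystemRoot% or a drive letter, so any
    # other first character means the value was deliberately broken (a prepended '%' or
    # letter would slip past this heuristic).
    $cmdBroken = $false
    $wow = Get-ItemProperty -Path $WowKey -ErrorAction SilentlyContinue
    if ($wow) {
        foreach ($name in 'cmdline', 'wowcmdline') {
            $value = $wow.$name
            if ($value -and $value -notmatch '^(%|[A-Za-z]:\\)') { $cmdBroken = $true }
        }
    }

    # Per the advisory, x64 and Itanium builds are not affected. Test the OS, not the
    # PowerShell process (32-bit PowerShell on a 64-bit OS sets PROCESSOR_ARCHITEW6432).
    $is64BitOS = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($null -ne $env:PROCESSOR_ARCHITEW6432)

    # Both workarounds only block new VDM sessions; existing ones must be stopped by hand.
    $running = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Is64BitOS          = $is64BitOS
        PolicyEnabled      = $policyEnabled
        WowCmdlineDisabled = $cmdBroken
        RunningNtvdm       = $running.Count
        Protected          = $is64BitOS -or $policyEnabled -or $cmdBroken
    }
}

$status = Get-NtvdmWorkaroundStatus
$status | Format-List
if (-not $status.Protected) {
    Write-Warning 'NTVDM is still reachable: apply the Group Policy workaround or the vendor update.'
}
if ($status.RunningNtvdm -gt 0) {
    Write-Warning "$($status.RunningNtvdm) ntvdm.exe process(es) still running; the workaround only blocks new sessions."
}
```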

Additional Suggested Actions

• Protect your PC

We continue to encourage customers to follow our Protect Your Computer
guidance of enabling a firewall, getting software updates and installing
antivirus software. Customers can learn more about these steps by visiting
Protect Your Computer.

• For more information about staying safe on the Internet, visit Microsoft
Security Central.

• Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help
make sure that their computers are as protected as possible. If you are not
sure whether your software is up to date, visit Windows Update, scan your
computer for available updates, and install any high-priority updates that
are offered to you. If you have Automatic Updates enabled, the updates are
delivered to you when they are released, but you have to make sure you
install them.


Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability
information to major security software providers in advance of each monthly
security update release. Security software providers can then use this
vulnerability information to provide updated protections to customers via their
security software or devices, such as antivirus, network-based intrusion
detection systems, or host-based intrusion prevention systems. To determine
whether active protections are available from security software providers,
please visit the active protections Web sites provided by program partners,
listed in Microsoft Active Protections Program (MAPP) Partners.


Feedback

• You can provide feedback by completing the Microsoft Help and Support form,
Customer Service Contact Us.


Support

• Customers in the United States and Canada can receive technical support from
Security Support. For more information about available support options, see
Microsoft Help and Support.

• International customers can receive support from their local Microsoft
subsidiaries. For more information about how to contact Microsoft for
international support issues, visit International Support.

• Microsoft TechNet Security provides additional information about security in
Microsoft products.


Disclaimer

The information provided in this advisory is provided “as is” without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.


Revisions

• V1.0 (January 20, 2010): Advisory published.

© 2010 Microsoft Corporation. All rights reserved.

