Windows plagued by 17-year-old privilege escalation bug

A security researcher at Google is recommending computer users make several configuration changes to protect themselves against a previously unknown vulnerability that allows untrusted users to take complete control of systems running most versions of Microsoft Windows. The vulnerability resides in a feature known as the …


This topic is closed for new posts.


  1. Andy Enderby 1

    well, well, well.....

    I think this supports the old descriptions of Windows as 32 bit extension to a 16 bit kludge, that used to sit on an 8 bit OS, and as much as anything demonstrates the need for MS to quit dicking around and start designing their products, rather than allowing them to evolve as a near biological entity. When was the last time the huge mound of legacy code recycled into currently supported products was actually audited in the context of where it is being used in XP/Vista/7 rather than where it was originally deployed ?

    Instead of pushing out the next version of code and having it stated by marketing folks that it's "new from the ground up", as has been the case with Vista and 7, how about it being literally true next time eh ? Designed on solid engineering practices, rather than recycling the same mistakes that have blighted the product line's history. The marketing dweebs may even have something to base their attack pieces on other than FUD. Right now though, I strongly suspect that most will be happy if they simply fix the problem immediately at hand.

    @Trixr - strongly agree.

    1. Eddie Edwards


      "I think this supports the old descriptions of Windows as 32 bit extension to a 16 bit kludge, that used to sit on an 8 bit OS, and as much as anything demonstrates the need for MS to quit dicking around and start designing their products"

      Yes, Microsoft should definitely abandon their DOS-evolved systems and rewrite the kernel from scratch, possibly using some of those clever VMS guys.

      Oh wait, they did.

      1995 called. They want their anti-Microsoft rant back.

    2. Anonymous Coward

      Windows NT isn't Windows 3.1 etc

      Windows NT is a separate codebase, entirely written from scratch, it was even initially written on non i386 machines in order to make sure that no old machine code could be included (mainly to ensure portability). The 16 Bit support is included into Windows by means of a separate execution subsystem, known as wowexec. This old cack about Windows being built on the old 16Bit DOS/Windows code comes from people not understanding the difference between Windows NT and the DOS/Windows 3.1->Me OSes. They are totally different.

      It should also be noted that UNIX, Mac OS, Linux and any OS you care to mention has a large amount of legacy code. Hell, even zOS still uses HASP to print - the Houston Automated Spooling Program, developed by NASA for the moon landings. Old code is not by definition bad code, often it is of much higher quality than new code.

    3. Anonymous Coward

      do you even know...

      what NTVDM and WOWEXEC are? Judging by your (it's all 16-bit underneath) rant I'm guessing you haven't got a clue.

      They provide the backwards compatibility BECAUSE it isn't 16-bit underneath (unlike Win95, ME etc). They effectively provide a virtual machine to run DOS apps in, a sort of virtual DOS machine, running on NT, an NT virtual DOS machine, NTVDM - geddit.

      FYI the WOW is Windows (16) on Windows (32), which adds the graphical layer (like Win95 did to DOS).

  2. Anonymous Coward


    Yet again Microsoft pwns itself by continuing to support manky old apps. 16 bit apps no less. "because businesses need them"

    Cry me a river. Christ why don't we all just go back to 8 bit while we're at it?

    If you want to run 16bit apps get your ass back to Windows 95 and let the rest of us concentrate on running code that was written this century.

  3. Daniel 1

    There are so many ways of escalating privileges on Windows systems

    Most IT professionals rely on them to subvert the restrictions visited on them by their IT centres. Please don't disable them, or we'll have to find new ones.

    Everyone likes to point the finger at the people in Window Division and call them out (as if any of us think that 50 layers of dependencies and multiple circular dependencies would be a doddle to fix) but the real reason most of the IT industry isn't actively clamouring for Linux workstations, is that it would become possible for any spotty sys admin in some distant call centre to lock down our machines and prevent us getting anything done. If you've become really quite good at fixing leaky, dangerous, unreliable machinery, with dodgy electrics, you might secretly buy Japanese, yourself, but you'll still tell everyone else to keep "buying British", won't you?

    1. mumm-ra
      Paris Hilton

      Good point, well made..

      ...and a big grain of truth in it.

      I'm just happy that I have root on my own work desktop, and our IT guys aren't arses. Most of them are tolerable people that you could stand being in a room with, and in general, they do a great job. Even the people who look after the Windows users are friendly and nearly sane. Result, I feel :)

      (Sorry, that was a bit smug, wasn't it? Daniel 1 was pretty on the money though, in the general case)

  4. Watashi

    Google point-scoring?

    "Regrettably, no official patch is currently available," he wrote. "As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch."

    Has anyone told MS? It is not uncommon for an IT issue where I work to be raised through senior management, rather than through the helpdesk, by frustrated staff whose systems don't work. When asked why we haven't yet fixed the issue we have to explain that we can't fix problems that we don't know about.

    To balance things up a little, I see that Google has just added free Avast AntiVirus to their Google recommended software Pack. Last week MS beta AV software spotted a threat on my PC that Avast has missed for the last two years. Can anyone see Google suggesting people use MS free antivirus even if it is better than other free products?

    1. Daniel 1

      RE: Google point-scoring?

      Watashi asks:

      "Has anyone told MS?"

      However, the very article itself contains the line:

      "He (Ormandy) said he informed Microsoft security employees of the vulnerability in June."

      Now, admittedly, reading all the way down to the third from last paragraph of a story before hitting "comment" is a bit much, for some commenters to The Register - but unless you meant "has anyone told Marks & Spencers?", then the answer to your question appears to be enclosed in the original text, and appears to be a "yes".

  5. Version 1.0 Silver badge

    Windows vs Linux vs Windows vs Linux

    Please - can we start shooting some of these people?

    1. John 211
      Thumb Up

      why only some?

      Type your comment here — plain text only, no HTML

  6. Neal 5

    Plagued by proof of concept

    OK, I give up, which one is it then?

    Proof of concept or plagued?

    proof of concept means plagued now does, fuck I've gotta buy one of those goddamned fucking Yankee dictionaries.

    next thing I'll know is that athletes foot is something you get from watching athletes.

  7. Bilgepipe

    They don't like it up 'em

    The Windows apologists, ever ready on the trigger to abuse users of other OS's, really don't like people giving them a few home truths, do they? Heaven forfend they admit the shortcomings of their system of choice or the rambling, inept dinosaur that produces it. Wahh, SSH has a bug too, waahhh.

    Keep it up, Penguin people!

  8. EvilGav 1

    To all the haters . . .

    . . . who are intent on continually stating that "this shows Linux/OS of choice is better", "shoddy Windows" and so on.

    It's taken 17 years for this vulnerability to be found.

    Doesn't it strike you that, if the vuln's being pointed out are in 17 year old code, that the *new* code is maybe not so bad ?

    1. matt 83

      "17 years to be found"

      No, it has taken 17 years for this vulnerability to be made public. Who knows how many people have been using this before now.

    2. Anonymous Coward

      New code old code, all the same to me

      "Doesn't it strike you that, if the vuln's being pointed out are in 17 year old code, that the *new* code is maybe not so bad ?"

      Not really. Vulns are found in their new code every other day so it seems.

      The two things that do strike me though are that MS doesn't seem to have learnt much about secure coding in the last 17 years and what is a 17 year old bit of code that is used by 16bit DOS applications still doing in Windows 7!?

    3. boltar Silver badge


      "Doesn't it strike you that, if the vuln's being pointed out are in 17 year old code, that the *new* code is maybe not so bad ?"

      Why would that follow? The Windows NT codebase is tiny compared to Win7 yet they still didn't find this bug (and hadn't after 17 years - what does that tell you about their testing). What makes you think they'll find serious bugs in a codebase 10 times the size?

    4. Anonymous Coward
      Black Helicopters

      Unknown to the wider world..

      .. but who knows how many people know, but are not letting on that they know! Microsoft, maybe? CIA black hats? Chinese whatever?

      We just don't know, and probably never will, such is the way with closed systems.

    5. Paul RND*1000

      2 minute^W^W 17 year hate

      "It's taken 17 years for this vulnerability to be found."

      You forgot the punchline - "... by someone who wanted Microsoft to fix it. Which they still haven't done after, oh, like half a year. But what's half a year compared to 17 years really?"

      "Doesn't it strike you that, if the vuln's being pointed out are in 17 year old code, that the *new* code is maybe not so bad ?"

      That's the best laugh I've had all week!

      More likely people were too busy pointing out or exploiting the many, many, many flaws in the newer code to notice a gaping hole in some mostly pointless prehistoric subsystem.

  9. Anonymous Coward

    "ALL" versions?

    "The exploit has been tested on all versions of Windows except for 3.1."

    I'm surprised they tested it on Windows 1 and 2 before bothering with 3.1, which has a much bigger user base.

  10. Anonymous Coward

    Jesus people...

    Let's not get up our own arses with 'My computer's operating system is better than yours' crap. It's supposed to be a news site, not a cock-waving forum.

    1. No, I will not fix your computer


      Betamax owner : "My technology is much better than yours"

      VHS owner : "Whatever, VHS is far more popular and has more films available"

      With a 2% market share Linux is in the same place as Betamax, FLAC is better than MP3, SACD is better than CD etc. etc. better doesn't mean more popular.

  11. adnim Silver badge

    @AC: Jesus people

    I bet my cock's bigger than yours ;-)

    1. Anonymous Coward



  12. NogginTheNog

    Bedtime soon?

    Can all the children bickering about how much better 'their' operating system is (like it's yours anyway, like any of you ever actually contributed any code to any of them, in fact how many of you never even paid for them?) please go away and watch CBeebies or Nick Junior until your mum tells you to get your jammies on and get to bed?

    Then perhaps the adults can just get on with reading a grown up website with a grown up comment section.

    1. James Hughes 1

      All very well...

      But since when do grown up websites have to put up with adults who call themselves NogginTheNog?

    2. Anonymous Coward

      Grown-up web site?

      The British Medical Journal? The Gruaniad? What is this website that you're alluding to, you fiend?

  13. Robert Carnegie Silver badge

    Anyone know a lightweight 32-bit spreadsheet then?

    I have a Windows PC with limited memory, and I've been using As-Easy-As (abandonware) to log Internet quota use. I'm pretty sure it's a 16-bit Windows version.

    This vulnerability seems to be about escalating from the local user's privileges to administrator rights - which is generally unauthorised access but not from malweb coming through the browser (for me, Opera), unless malicious web content has another way to sneak onto your PC. Another hole in the system. Which would be bad by itself.

    Is it possible to disable these features for particular user accounts? Sandbox the browser? Or better, sandbag it. Of course I can run a Windows application as not my main user...

  14. Anonymous Coward

    oh ffs....

    get a grip people......

    This so called vulnerability has been in existence for 17 years..... I assume as it was hidden for 17 years that it hasn’t been exploited? Well now it’s public it very soon will be....

    The fact it has been unknown for so long, in my eyes means diddly squat. It’s been found now, it’s how it’s dealt with from this point on that is important. Ok, so Microsoft may have known about it for a while, but there are still not mass outbreaks of computers screwed over from this hole so maybe they are correct in thinking it’s not something that needs immediate attention.

    It makes me laugh that windows 7 is not affected.... it reminds me of a security issue with windows xp that was brought to light a week before sp2 was released.... it would only be fixed by sp2 and sp2 would only install on proper licensed versions of windows (for a week or two anyway)...

    I suspect Microsoft will recommend the fix will be to upgrade to windows 7.....

    Microsoft knows a lot more about producing an OS than I do, and probably most of you lot reading this. Windows did not become the standard desktop OS for no reason. Maybe a few dirty tricks here and there but I dare any of you to say given the opportunity you would have done things much different....

    Windows is good for what it is.... a desktop for the masses, Linux has a long way to go to be able to challenge this. The average Joe Blogs does not have the skills needed to get a Linux distro up and running compared to a windows install. Apple computers are good if you want style over function and have money to waste.

    Linux had the perfect opportunity to take over the market place on netbooks, but Joe Blogs public spoke and would sooner buy a windows based netbook than a Linux flavoured one. Why? Because it works. My Linux Aspire One was soon upgraded (some say downgraded) to windows to make it more functional for me as a photographer.... a lot less hassle to get my pictures from my Nikon to a computer to email to the news desk than to arse about with gimp....

    Mines the one with a flame proof lining...

    1. Anonymous Coward

      This title thing is getting to be a pissflap....

      "but I dare any of you to say given the opportunity you would have done things much different...."

      I sure as hell would have! Christ on a bike! I have ethics some way above that of a total shitbag breadhead, thanks just the same.

  15. boltar Silver badge

    @anon coward

    "I assume as it was hidden for 17 years that it hasn’t been exploited? "

    Yes, because obviously black hats publish their findings in public forums.

    It would only take 1 other person with malicious intent to have found this in that whole 17 years for a tool to be produced that exploited this. You can't prove a negative - you can't prove no one has written one.

    1. Anonymous Coward

      @ Boltar

      So if it was around all the black hat forums for up to 17 years, and not one of them exploited it in a malicious way, then I assume the vulnerability is either too hard to make any use of in the real world or they were saving it up for something special...

  16. Jimbob 3
    Thumb Down

    So says Google

    "according to this writeup penned by Tavis Ormandy of Google"

    Ahhh I see now. Google saying Microsoft has poor security.

    Nothing wrong with that because they are right on some levels, just slants the viewpoint of the article that is all.

  17. John F***ing Stepp

    Is this even a Linux / Windows issue?

    Just wondering because I have recently gone over to the dork side (Debian) on my laptop.

    "I see dead zombies in the pipe; and sometimes they don't even know they are geeky."

  18. Anonymous Coward

    This info may help newbies BUT be CAREFUL !

    This will help those that want to do what is suggested in the article and turn off WOWEXEC and MSDOS. Just a point, to amateurs not to mess around with the Registry or you could lose access to your computer and everything on it !! Unless you know what you are doing don't do it.

  19. John Smith 19 Gold badge
    Thumb Down

    17 years to find, but *no* black hat ever found it

    Does this sound plausible?

    Just hypothetically would it be an idea that the *longer* a software component stays in an OS the *more* it should be checked.

  20. John F***ing Stepp

    A tale of two computers.

    Well three, actually.

    I ran xp sp1 for some years on my (very old) laptop; no antivirus but some half way decent hacks.

    It finally got three trojans (which caught my attention.)

    My wife (barefoot and on dialup) runs 2000; she got four trojans; one of which was a keylogger.

    Good-by Outlook Express.

    (in retrospect I should have removed that when I installed the OS.)

    I have a friend who I fixed a computer for; he was pwoned within a week. I am still working that out in my mind. HOW IN THE HELL DID THAT HAPPEN?

    In the years since I started in this field, on an Amiga, in the 80s (and Amiga viri were cool) I have found that nothing is safe; nothing at all is safe. Yes, I know how to make it safe, write the OS to a CD and Boot new every time.

    Just another way of working without a net.


  21. nick 30

    maximum addressable memory

    The Pentium introduced 36-bit addressable memory giving up to 64gig of RAM. The 3gig limit in 32-bit XP is a MS created limit for old legacy driver support and because of a small performance hit.

    1. Anonymous Coward


      Since we are so knowledgeable please enlighten us thickies as to why a 32bit OS w2000- / Linux needs to run PAE to achieve 8Gib of addressable RAM? I know it is something to do with a 36bit messaging addressing fudge

  22. John Smith 19 Gold badge

    Just for the record here is what a CMM level 5 company should do

    Fix the bug.

    Work out the form of bug and check the code base to find any similar instances.

    Fix them.

    Identify the faults in their development process that let them in the first place.

    Fix the process.

    Mine's the one with the old IBM J of Systems reprints in the pocket.

