Reports have surfaced about a new security hole that has been in Windows since the release of Windows NT 3.1 on July 27, 1993. The vulnerability is present in all 32-bit versions of Windows released since then, including all supported versions: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Microsoft has issued Security Advisory (979682) to address the elevation of privilege vulnerability in the Windows kernel, making sure to note that 64-bit versions of Windows, including Windows Server 2008 R2, are not affected.

Thankfully, the flaw isn't in a commonly used application but in the Virtual DOS Machine (VDM) used to support 16-bit applications. There are several vulnerabilities in this implementation, according to Google security team member Tavis Ormandy, who found the issues.

An unprivileged 16-bit program can manipulate the kernel stack of each process, potentially enabling attackers to execute code at system privilege level. The exploit can be used to open a command prompt with the highest privilege level.

Ormandy claims he informed Microsoft of this hole on June 12, 2009, and the company confirmed receiving his report 10 days later, but it has yet to fix the issue.

"Microsoft is investigating new public claims of a possible vulnerability in Windows," a Microsoft spokesperson told Ars. "We are currently not aware of active attacks against this vulnerability and believe risk to customers, at this time, is limited. To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system. To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications, can disable the NTVDM subsystem." Microsoft will either provide a security update on Patch Tuesday or issue an out-of-band security update (less likely).

Despite the fact that there is no patch available from Microsoft, Ormandy decided to publish the information because he believes the workaround is simple enough: disable the MS-DOS subsystem.

"As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch," he writes in his disclosure. "It should be noted that very few users rely on NT security; the primary audience of this advisory is expected to be domain administrators and security professionals."

To enable the workaround, use the policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" within the group policy editor to prevent unprivileged users from executing 16-bit applications.
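For administrators who want to audit a fleet before the patch lands, the following PowerShell script is an added example (not from the article or from Microsoft's advisory). It reads, and with `-Apply` sets, the machine-level registry value behind that group policy setting (`VDMDisallowed` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat`), and uses the `PROCESSOR_ARCHITECTURE` environment variables as an assumed way to recognise the 64-bit hosts the advisory says are not affected.

```powershell
# Added example (not the article's or Microsoft's code): check whether the
# "Prevent access to 16-bit applications" policy is in force on this machine
# and optionally enable it. Run from an elevated PowerShell prompt.
param([switch]$Apply)

# Registry value that the Group Policy setting named in the article writes.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Test-Is64BitWindows {
    # Assumption: a 64-bit OS reports AMD64 in one of these variables, even
    # when this script runs inside a 32-bit (WOW64) PowerShell host.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or
           ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
}

function Get-NtvdmPolicyState {
    # Returns 'Disabled' when the policy blocks 16-bit apps, otherwise 'Allowed'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($item -and $item.$PolicyName -eq 1) { return 'Disabled' }
    return 'Allowed'
}

function Set-NtvdmPolicyDisabled {
    # Creates the policy key if it is missing and sets VDMDisallowed = 1 (REG_DWORD).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

if (Test-Is64BitWindows) {
    Write-Output 'This is a 64-bit Windows install; the advisory reports it is not affected.'
    return
}

$state = Get-NtvdmPolicyState
Write-Output "16-bit application access is currently: $state"

if ($state -eq 'Allowed' -and $Apply) {
    Set-NtvdmPolicyDisabled
    Write-Output "Policy applied; 16-bit access is now: $(Get-NtvdmPolicyState)"
} elseif ($state -eq 'Allowed') {
    Write-Output 'Re-run with -Apply to set the policy locally, or deploy it via Group Policy.'
}
```

Setting the value locally is a stopgap for unmanaged machines; on a domain the same setting should be pushed through Group Policy so it cannot drift.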