Google finds 17 year old Windows vulnerability

A Google security technician has found a 17-year-old access flaw in the Windows operating systems there from 1993 to the present day.

The vulnerability, found in the Windows kernel and around since the release of Windows NT 3.1, affects all 32-bit versions of the OS on the market including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. The flaw works through the Virtual DOS Machine used to support 16-bit applications, says Ars Technica. Unprivileged 16-bit programs can work through the kernel stack of processes, meaning an attacker would be able to execute any code at the highest system privilege level.

The bug does not affect 64-bit versions of Windows.

Google security whizz Tavis Ormandy found the exploit and claims to have notified Microsoft way back in June 12 last year. The company confirmed the bug, but so far has not managed to fix the problem. Microsoft yesterday announced that it is investigating the matter, perhaps 17 years too late.

EyeSee: When Microsoft launched Vista years ago, I was personally given a stern and assured talking-to by the head of security in Seattle, who told me that he had been involved with Windows security for 20 years, as if that was boast-worthy. If his claims were true, he would surely have been around for the launch of NT 3.1 in 1993.