Microsoft to patch 17-year-old computer bug - marklittlewood
http://news.bbc.co.uk/1/hi/technology/8499859.stm

======
btilly
Mistake in the article. The hole was not discovered last month, it was
announced last month. It was actually discovered and reported in June, 2009.
See <http://jordanopensource.org/freeplanet/article/microsoft-confirms-17-year-old-bug-windows>
for confirmation of that.

~~~
pmjordan
Also: the photo shows boxes of Windows 95, which isn't part of the Windows NT
line and thus doesn't contain the buggy code. Of course, on Windows 95 there's
no such thing as privilege escalation, as all users have full access to the
system anyway.

~~~
btilly
Actually the bug had to do with support for 16 bit code and _was_ present in
the Windows 9x line as well. It might not have mattered so much there, but the
bug existed.

------
mckilljoy
The exploit is detailed here:
<http://seclists.org/fulldisclosure/2010/Jan/341>

My favorite part comes at the end. The last step involves predicting where a
specific BIOS handler lies in memory. It is a static address in all pre-Vista
OSes.

Starting in Vista, Windows introduced address space layout randomization to
make hacks like this more difficult.

However: "Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module
list via NtQuerySystemInformation()."

Whoops.

