[wpkg-users] Windows NT VDM Vulnerability - wpkg package

Paul Griffith paulg at cse.yorku.ca
Thu Jan 21 15:35:43 CET 2010


Hi,

With all the talk about the NT VDM vulnerability, I am posting my wpkg
package file.

Note: I was able to reproduce this vulnerability within a VirtualBox
single CPU host, but on a multiple CPU host I get a blue screen of
death, followed by a reboot.

http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-Update-908917.html


--snip---
The vulnerability is present in all 32bit versions of Windows NT,
starting with NT 3.51 and ending with Windows 7. Since 16bit support was
dropped from the 64bit versions of Windows, users of Windows 64bit are
not affected. The work-around is extremely simple and straightforward:
disable the 16bit subsystem on 32bit machines. 

This can be done one of three ways (but they all do the same thing: edit
the registry). First, you can use the Group Policy Editor to enable the
"Prevent access to 16-bit applications" in Computer Configuration
\Administrative Templates\Windows Components\Application Compatibility.
Second, you can also simply go rogue and edit the registry directly
(backup! backup!) by placing a key in HKEY_LOCAL_MACHINE\SOFTWARE
\Policies\Microsoft\Windows\AppCompat with a D-Word value of
VDMDisallowed = 1. 

The last method automates it all: create a text file called
vdmdisallow.reg, and paste the following into the file, and double-click
it: 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
----snip ---

Watch for line wrap!

----
<?xml version="1.0" encoding="UTF-8"?>

<packages>
	<package
	    id="vdmdisallow"
	    name="Disable Virtual DOS Machine (VDM)"
	    revision="1"
	    priority="0"
	    execute="once">

		<!-- Treated as installed once the policy value is already 1 -->
		<check type="registry" condition="equals" path="HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed" value="1" />

		<!-- Install and update both write the REG_DWORD the check looks for -->
		<install cmd='reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat /t REG_DWORD /v VDMDisallowed /d 1 /f' />
		<update cmd='reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat /t REG_DWORD /v VDMDisallowed /d 1 /f' />
		<!-- Remove deletes only the value, leaving the AppCompat key in place -->
		<remove cmd='reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat /v VDMDisallowed /f' />

	</package>
</packages>
-----

Regards,
Paul
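An audit script, added here as an example and not part of the post above or of wpkg itself, that reads the same VDMDisallowed value the package's check tests, reports whether the host is compliant, and writes the value only when run with -Enforce. It assumes an elevated PowerShell session; detecting 64-bit Windows through the PROCESSOR_ARCHITEW6432 environment variable is an assumption of this script.

```powershell
# Added example: audit (and optionally apply) the VDMDisallowed policy
# that the wpkg package sets with "reg add". Not part of the original post.
# Assumes an elevated PowerShell session.
param([switch]$Enforce)

$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$Name = 'VDMDisallowed'

# 16-bit (NTVDM) support only exists on 32-bit Windows, so 64-bit hosts are
# reported as not affected and left untouched. A 32-bit PowerShell on 64-bit
# Windows exposes PROCESSOR_ARCHITEW6432, which is why both variables are read.
$is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432)
if ($is64) {
    Write-Output '64-bit Windows: 16-bit subsystem not present, nothing to do.'
    return
}

$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

if ($current -eq 1) {
    Write-Output "Compliant: $Name is 1 (16-bit applications blocked)."
    return
}

Write-Output "Non-compliant: $Name is '$current' (expected 1)."
if (-not $Enforce) {
    Write-Output 'Re-run with -Enforce to apply the policy.'
    return
}

# Create the policy key if it does not exist, then set the REG_DWORD that
# the wpkg <check type="registry"> element compares against "1".
if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord
Write-Output "Applied: $Name set to 1."
```

Running it without -Enforce is safe to schedule as a reporting check; the wpkg package remains the deployment mechanism.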
