Microsoft promises Internet Explorer patch as Windows zero-day surfaces

The zero-day Internet Explorer bug, 979352, was discovered after Google and others reported a concerted attack against their intellectual property from Chinese servers. The bug allows the execution of arbitrary code through a corrupted memory reference, and an attack can be mounted from a malicious website.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability," said George Stathakopoulos, general manager of Microsoft's Trusted Computing Security team. The timing of the release will be announced on January 20.

However, even as Microsoft posted that message to reassure its users, another flaw was discovered that affects all versions of Windows, from NT 3.1 through to Windows 7. Posted on the Full Disclosure mailing list, the vulnerability lies in the part of the Windows NT kernel that allows 16-bit applications to run. This code uses Virtual-8086 mode, and it can be manipulated to let tasks escalate their privileges until the system treats them as highly trusted.

The researcher who found the flaw, Tavis Ormandy, advises IT administrators to disable 16-bit application support on their client systems, which will have minimal effect on most systems because most modern applications are 32-bit. The change can be made by enabling the policy "Windows Components\Application Compatibility\Prevent access to 16-bit applications" in the Windows group policy editor.
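To confirm that the workaround has actually reached a client, an administrator can audit the policy's registry state. The script below is an added example, not part of the original article or of Ormandy's advisory. It assumes the policy is stored as the DWORD value `VDMDisallowed` under the `Policies\Microsoft\Windows\AppCompat` key, and the function names are hypothetical.

```powershell
# Added example: report whether "Prevent access to 16-bit applications" is in effect.
# Assumption: the policy is stored as DWORD VDMDisallowed (1 = 16-bit support blocked)
# under the AppCompat policy key of the computer and user hives.
$PolicyPaths = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    User     = 'HKCU:\Software\Policies\Microsoft\Windows\AppCompat'
}

function Get-VdmPolicyState {
    param([Parameter(Mandatory)][string]$Path)
    # A missing key or value means the policy was never configured in this scope.
    $item = Get-ItemProperty -Path $Path -Name 'VDMDisallowed' -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return 'NotConfigured' }
    if ($item.VDMDisallowed -eq 1)  { return 'Blocked' }
    return 'Allowed'   # value present but not 1: 16-bit applications can still run
}

function Get-SixteenBitPolicyReport {
    foreach ($scope in $PolicyPaths.Keys) {
        [pscustomobject]@{
            Scope = $scope
            Path  = $PolicyPaths[$scope]
            State = Get-VdmPolicyState -Path $PolicyPaths[$scope]
        }
    }
}

$report = @(Get-SixteenBitPolicyReport)
$report | Format-Table -AutoSize

# Only the computer-scope setting covers every account on the machine,
# so a user-scope-only setting is still reported as a gap.
$computer = $report | Where-Object { $_.Scope -eq 'Computer' }
if ($computer.State -ne 'Blocked') {
    Write-Warning "16-bit application support is not blocked machine-wide on $env:COMPUTERNAME."
    exit 1
}
Write-Output "16-bit application support is blocked machine-wide on $env:COMPUTERNAME."
```

The non-zero exit code lets the check run from a login script or a management agent, so hosts that have not yet received the policy can be listed.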

"Microsoft was informed about this vulnerability on 12-Jun-2009, and they confirmed receipt of my report on 22-Jun-2009," Ormandy posted. "Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals."
