Google engineer discloses vulnerability to public security e-mail list one day before a Microsoft advisory and says he told Microsoft about it last June.
Microsoft is warning customers of a hole in the kernel of 32-bit versions of Windows that could allow someone to install programs, change data, or create new accounts with full user rights.
The vulnerability, caused by the Windows kernel not properly handling certain exceptions, affects 32-bit versions of Windows 7, Vista, XP, 2000, and Server 2003 and 2008, according to the security advisory released on Wednesday night. It does not affect 64-bit versions of Windows.
"We are not currently aware of any active attacks against this vulnerability, and Microsoft believes the risk to customers, at this time, is limited," Jerry Bryant, senior security program manager at Microsoft, said in a statement.
To exploit the vulnerability an attacker would need to have valid logon credentials and be able to log onto a system locally. Once logged on, the attacker could elevate privileges to the administrative level and run any programs, Bryant said.
Microsoft said it will work on a patch, but in the meantime suggested as a workaround that customers disable the Windows Virtual DOS Machine (NTVDM) subsystem that enables Windows NT and later versions of Windows to run DOS and 16-bit Windows software.
The Microsoft warning comes one day after Google engineer Tavis Ormandy disclosed the vulnerability in the Windows Virtual DOS Machine subsystem on the Full Disclosure security e-mail list. Ormandy said he informed Microsoft about the hole in June 2009.