Tavis Ormandy has recently published an interesting vulnerability that affects all 32-bit x86 versions of Windows NT released from 27 July 1993 to 2009 (x64 systems are not affected), including the latest, Windows 7.
The vulnerability lets a local user obtain elevated privileges on the target system by exploiting a flaw in the kernel's handling of Virtual-8086 mode: the #GP trap handler (nt!KiTrap0D) can be made to switch the kernel stack to an address controlled by the user, which bypasses the security controls and allows arbitrary code to execute with elevated privileges.
This is a screenshot of the PoC in action:
To mitigate the issue we can disable the MS-DOS and WOWEXEC subsystems, which prevents the attack from functioning. In other words, disabling support for 16-bit applications stops unprivileged users from executing 16-bit applications.
Microsoft has released an automated fix solution that enables or disables the NTVDM subsystem to mitigate the issue. More details on the fix are provided in the workarounds section on the Microsoft website.
Other information on the vulnerability, taken from the Microsoft Security Bulletin:
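The workaround above can be audited and applied without the Fix it package. The following PowerShell script is an added example written for this post; it is not code from the original post, from Tavis Ormandy, or from Microsoft. It assumes that the "Prevent access to 16-bit applications" group policy used by Microsoft's workaround is backed by the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (this key and value name are the example's assumption, not something stated on this page), and that the NTVDM subsystem runs as the process ntvdm.exe. It reports whether the host is a 32-bit x86 system (x64 hosts are not affected), whether 16-bit applications are already blocked, and whether an NTVDM instance is currently running; with -Apply it sets the policy value, which requires an administrative shell.

```powershell
# Added example (not from the original post or from Microsoft): audit and optionally
# apply the "disable 16-bit applications" workaround for the KiTrap0D issue.
# Assumption: the policy is stored as DWORD VDMDisallowed=1 under the AppCompat policy key.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'   # assumed key
$valueName = 'VDMDisallowed'                                          # assumed value name

function Test-HostAffected {
    # Only 32-bit x86 Windows ships the NTVDM subsystem. On a 32-bit OS the
    # architecture variable is x86 and no WOW64 variable is present; a 32-bit
    # shell on x64 would see PROCESSOR_ARCHITEW6432 set, so we check both.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'x86' -and
            [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432))
}

function Get-NtvdmPolicyState {
    # 'Blocked' when 16-bit applications are prevented by policy, otherwise 'Allowed'.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$valueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Get-RunningNtvdmCount {
    # Detection aid: a live ntvdm.exe means the 16-bit subsystem is in use right now.
    return @(Get-Process -Name 'ntvdm' -ErrorAction SilentlyContinue).Count
}

function Set-NtvdmBlocked {
    # Creates the policy key if missing and writes VDMDisallowed=1 (needs admin rights).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Report
$affected = Test-HostAffected
Write-Host ("32-bit x86 host (NTVDM present): {0}" -f $affected)
Write-Host ("16-bit applications by policy    : {0}" -f (Get-NtvdmPolicyState))
Write-Host ("Running ntvdm.exe instances      : {0}" -f (Get-RunningNtvdmCount))

if ($Apply) {
    if (-not $affected) {
        Write-Host "Host is not 32-bit x86; no change applied."
    } elseif ((Get-NtvdmPolicyState) -eq 'Blocked') {
        Write-Host "16-bit applications are already blocked; nothing to do."
    } else {
        Set-NtvdmBlocked
        Write-Host ("Policy applied; state is now: {0}" -f (Get-NtvdmPolicyState))
    }
}
```

Run it once without parameters to inventory a machine, and with `-Apply` from an elevated prompt to set the policy. The value is read from the Policies hive, so a setting pushed by domain Group Policy is detected the same way as one written locally; if your environment uses a different registry location for this policy, adjust `$policyKey` and `$valueName` accordingly.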
What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and cause the system to stop responding and restart.