nidud 
        
  
  Norway,  10.10.2012, 14:53   | 
     no more EMS support in XP (Announce) | 
    
    
     There have been some changes applied to Windows XP today. 
The update KB2724197 will prohibit the use of EMS memory for 16-bit applications used in XP. 
 
http://technet.microsoft.com/en-us/security/bulletin/ms12-068  | 
    
               
             RayeR 
        
  
  CZ,  10.10.2012, 19:21                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
     > There have been some changes applied to Windows XP today. 
> The update KB2724197 will prohibit the use of EMS memory for 16-bit 
> applications used in XP. 
 
Where did they write that it has anything to do with EMS?
--- DOS gives me freedom to unlimited HW access.
     
                
             nidud 
        
  
  Norway,  10.10.2012, 19:48                        
  @ RayeR
         | 
     no more EMS support in XP | 
    
    
> Where did they write that it has anything to do with EMS?
 
They don't, but I assume it is hidden in this text:
 
The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. 
  | 
     
                
             Arjay 
         10.10.2012, 20:47         (edited by Arjay, 10.10.2012, 21:20)                
  @ nidud
         | 
     no more EMS support in XP | 
    
    
> > Where did they write that it has anything to do with EMS?
> They don't
Have you seen DOS code or EMS mentioned anywhere???  I haven't after lots of digging. 
 
> but I assume it is hidden in this text: 
>  
> The vulnerability could allow elevation of privilege if an attacker logs on 
> to the system and runs a specially crafted application. An attacker must 
> have valid logon credentials and be able to log on locally to exploit this 
> vulnerability. 
 
Well according to securelist: 50862 and iss.net: 75934 Microsoft's KB2724197 is "related to the handling of String Atom Class Name by the kernel-mode driver (win32k.sys). By persuading a victim to browse a directory containing a specially-crafted application, a local attacker with valid login credentials could exploit this vulnerability to execute arbitrary code on the system with elevated privileges." 
 
win32k.sys is a Kernel mode driver which officially provides GDI (graphics) support.  The 
long list of win32k.sys exports makes interesting reading though...  (love destroyphysicalmonitor!) 
 
The String Atom flaws apparently being further fixed by KB2724197 were reported (publicly) back in June, see osvdb.org: Microsoft Windows win32k.sys String Atom Class Name Handling Local Privilege Escalation
 
This presentation has more info: (open at own risk!) 
http://mista.nu/research/smashing_the_atom.pdf 
(or http://www.azimuthsecurity.com/resources/recon2012_mandt.pptx ) 
 
Long story short yes 16bit stuff but scan reading through it all I can't see anything re EMS methods.  Not that I care myself to be honest as I have always hated EMS and long ago (early 90's) learned to mostly live without it. 
 
 
EDIT: I have seen 1 post in Japanese (which I translated) by Seiji Miyamoto which basically mentions having problems with being "unable to start a DOS EMS program due to lack of memory" after installing KB2724197 .  I spotted that via a search "EMS KB2724197" - of the few results, most were to this forum!  I have seen nothing official saying that EMS support has been dropped via KB2724197 which you'd expect to see if it actually had.  | 
     
                
             nidud 
        
  
  Norway,  10.10.2012, 22:35                        
  @ Arjay
         | 
     no more EMS support in XP | 
    
    
     > Have you seen DOS code or EMS mentioned anywhere???  I haven't after lots 
> of digging. 
 
The "no more support" could be a side effect, or an unintentional bug for all I know. I noticed the "no memory" after installing the update, and I did a brief test. There was something installed at int 67h, but the EMMXXXX0 string was missing. I then removed the KB2724197, so this is the limit of my knowledge about it.
 
> containing a specially-crafted application 
 
EMS has the capability to survive a hot boot, and code could be executed there, so maybe that's the reason they block it, but, again, this is only assumption.
 
The update is (auto) installed today, so I think we have to wait a few days and see what happens.  | 
     
                
             RayeR 
        
  
  CZ,  11.10.2012, 00:46                        
  @ Arjay
         | 
     no more EMS support in XP | 
    
    
     > Long story short yes 16bit stuff but scan reading through it all I can't 
> see anything re EMS methods.  Not that I care myself to be honest as I have 
> always hated EMS and long ago (early 90's) learned to mostly live without 
> it. 
 
I also don't care much, as I just looked in my CONFIG.NT I didn't even enable the EMM and can live without it for long years...
 
Can somebody suggest some program using EMS that worked under XP before patch to test? --- DOS gives me freedom to unlimited HW access.  | 
     
                
             marcov 
         11.10.2012, 13:46                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
     > EMS has the capability to survive a hot boot, and code could be executed 
> there, so maybe that's the reason they block it, but, again, this is only
> assumption. 
 
The EMS of a dosbox on XP will be totally virtualized, so I doubt this is true for XP.  | 
     
                
             nidud 
        
  
  Norway,  11.10.2012, 15:17                        
  @ marcov
         | 
     no more EMS support in XP | 
    
    
     > The EMS of a dosbox on XP will be totally virtualized, so I doubt this is 
> true for XP. 
 
Agreed, it doesn't make much sense.
 
> be able to log on locally 
 
Meaning: they have to break in to your house and plant a "specially-crafted 16-bit application" for this to work. Sounds like paranoia. 
 
I guess it's a bug or something else.
     
                
             nidud 
        
  
  Norway,  11.10.2012, 15:29                        
  @ RayeR
         | 
     no more EMS support in XP | 
    
    
> I also don't care much, as I just looked in my CONFIG.NT I didn't even
> enable the EMM and can live without it for long years...
 
My config.nt: 
dos=high, umb 
device=D:\windows\system32\himem.sys 
files=40 
I think it's in the .PIF file you define EMM? 
 
> Can somebody suggest some program using EMS that worked under XP before 
> patch to test? 
 
Most applications will use EMS if available, but I think few of them depend on this to work. 
 
The test to see if EMS is available is to look for the string 'EMMXXXX0' at address [67h*4+2]. A search for the string 'EMMX' (*.com *.exe) gives this result:
 
EMSTEST.COM 
PERUSE.COM 
THELP.COM 
VC.COM 
123VIEW.EXE 
7ZDEC.EXE 
ARCVIEW.EXE 
ASMEDIT.EXE 
BSCMAKE.EXE 
BSCMAKEV.EXE 
COMPDIR.EXE 
CONNECT.EXE 
CSXHFS.EXE 
CV.EXE 
CVPACK.EXE 
CWSDPMI.EXE 
CWSDSTUB.EXE 
DBVIEW.EXE 
DCC.EXE 
DEBUG.EXE 
DOSBOX.EXE 
DOSLYNX.EXE 
DOSLYNXP.EXE 
DOSLYNXS.EXE 
DOSX.EXE 
DOSXNT.EXE 
DPMIINST.EXE 
DXSTRESS.EXE 
EDITSCR.EXE 
EMM386.EXE 
EMSSTAT.EXE 
FW110.EXE 
FWIZARD.EXE 
GZIP386.EXE 
H2ASH.EXE 
INSTALLD.EXE 
JEMM386.EXE 
JEMMEX.EXE 
JLOAD.EXE 
LINK.EXE 
LOADLIN.EXE 
MEM.EXE 
NCCLEAN.EXE 
NCDD.EXE 
NCEDIT.EXE 
NCFF.EXE 
NCLABEL.EXE 
NCMAIN.EXE 
NCNET.EXE 
NCSF.EXE 
NCSI.EXE 
NCZIP.EXE 
NDD.EXE 
NMAIL.EXE 
NMAKER.EXE 
PACKER.EXE 
PARAVIEW.EXE 
PMINFO.EXE 
PVCS_SS.EXE 
PWB.EXE 
Q&AVIEW.EXE 
Q.EXE 
RAR32.EXE 
RBVIEW.EXE 
RECOVER.EXE 
REFVIEW.EXE 
RMINFO.EXE 
SAVER.EXE 
SBTALKER.EXE 
SCMAIN.EXE 
SETUP.EXE 
SI.EXE 
TC.EXE 
TD.EXE 
TD286.EXE 
TD286INS.EXE 
TDMEM.EXE 
TDREMOTE.EXE 
TDW.EXE 
TDX.EXE 
TFREMOTE.EXE 
TPROF.EXE 
TPROFW.EXE 
TURBO.EXE 
TXT2HTM.EXE 
UNRAR.EXE 
UPX.EXE 
WGET.EXE 
WPVIEW.EXE 
  | 
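The check nidud describes above, run over a constructed real-mode memory image instead of live DOS memory (an added example, not code from the thread). It reads the segment word of the INT 67h vector at 0:[67h*4+2] and compares the 8 bytes at offset 0Ah in that segment, the name field of a DOS device driver header, with 'EMMXXXX0'; the function names, the enum and the sample image are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_INT67      (0x67 * 4) /* far pointer: offset word, then segment word */
#define DEVNAME_OFFSET 0x0A       /* name field inside a DOS device driver header */

enum ems_state { EMS_NO_VECTOR, EMS_HANDLER_NO_SIGNATURE, EMS_PRESENT };

/* Read a little-endian 16-bit word from the image. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Classify EMS availability from a real-mode memory image of `len` bytes. */
enum ems_state ems_probe(const uint8_t *mem, size_t len)
{
    if (len < IVT_INT67 + 4)
        return EMS_NO_VECTOR;
    uint16_t off = rd16(mem + IVT_INT67);
    uint16_t seg = rd16(mem + IVT_INT67 + 2);
    if (off == 0 && seg == 0)
        return EMS_NO_VECTOR;                 /* nothing hooked on INT 67h */
    size_t name = ((size_t)seg << 4) + DEVNAME_OFFSET;
    if (name + 8 > len)
        return EMS_HANDLER_NO_SIGNATURE;      /* handler lies outside the image */
    /* A handler without the device name is the state reported after the update. */
    return memcmp(mem + name, "EMMXXXX0", 8) == 0 ? EMS_PRESENT
                                                  : EMS_HANDLER_NO_SIGNATURE;
}

/* Constructed sample: a 64 KiB image whose INT 67h vector points at seg:off. */
enum ems_state ems_probe_sample(uint16_t seg, uint16_t off, int with_name)
{
    static uint8_t mem[0x10000];
    memset(mem, 0, sizeof mem);
    mem[IVT_INT67 + 0] = (uint8_t)(off & 0xFF);
    mem[IVT_INT67 + 1] = (uint8_t)(off >> 8);
    mem[IVT_INT67 + 2] = (uint8_t)(seg & 0xFF);
    mem[IVT_INT67 + 3] = (uint8_t)(seg >> 8);
    size_t name = ((size_t)seg << 4) + DEVNAME_OFFSET;
    if (with_name && name + 8 <= sizeof mem)
        memcpy(mem + name, "EMMXXXX0", 8);
    return ems_probe(mem, sizeof mem);
}

int main(void)
{
    static const char *label[] = { "no INT 67h handler",
                                   "handler present, EMMXXXX0 missing",
                                   "EMS manager present" };
    printf("%s\n", label[ems_probe_sample(0x0000, 0x0000, 0)]);
    printf("%s\n", label[ems_probe_sample(0x0C00, 0x0040, 0)]);
    printf("%s\n", label[ems_probe_sample(0x0C00, 0x0040, 1)]);
    return 0;
}
```
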
     
                
             Arjay 
         11.10.2012, 17:36                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
     > > Can somebody suggest some program using EMS that worked under XP before 
> > patch to test? 
I'd suggest using an EMS/XMS MCB walker program and comparing the results.  e.g. one came with the book PC Intern: The Encyclopedia of System Programming.  PC Magazine created one as well I think...  and alternatives. 
 
 
> A search for the string 'EMMX' (*.com *.exe) gives this result: 
>  
> EMSTEST.COM 
>  
That one is a surprise   
 
Regarding the rest I suspect 1 or 2 of them are testing for EMS to complain if it's installed.  I think turbo debugger for example doesn't want EMS loaded?  Note: I can't remember 100% off hand re TD.EXE but I vaguely remember this?!?  | 
     
                
             nidud 
        
  
  Norway,  11.10.2012, 19:05                        
  @ Arjay
         | 
     no more EMS support in XP | 
    
    
     > Regarding the rest I suspect 1 or 2 of them are testing for EMS to complain 
> if it's installed.  I think turbo debugger for example doesn't want EMS 
> loaded?  Note: I can't remember 100% off hand re TD.EXE but I vaguely 
> remember this?!? 
 
I think TD uses EMS to load symbolic debug info, hence my problem:
![[image]](img/uploaded/image66.png)   | 
     
                
             Rugxulo 
        
  
  Usono,  11.10.2012, 21:51                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
     Is anybody really surprised? MS hasn't fixed even obvious NTVDM bugs in years, esp. with Vista and 7, and their priorities these days are with Win8, Metro, tablets, phones, C++, HTML5, XBox360, etc. They long ago gave up DOS support. Rumor already says that Win9 Home editions will be 64-bit only, and I have no idea how well Hyper-V 64-bit will work, even in Win8 (only two weeks away). 
 
Anyways, I read a while back that some machines made these days were incapable of EMS under NTVDM anyways, which is probably why it's disabled by default. For sure, NTVDM is "ancient" code to them, basically unmaintained. I think DPMI has been heavily preferred over EMS for years, which makes such DPMI bugs all the more painful as it was the only reliable way.      
 
Anyways, nidud, have you tried the http://www.emsmagic.com/ TSR? It should still work, so that's probably your best bet.  | 
     
                
             nidud 
        
  
  Norway,  11.10.2012, 23:26                        
  @ Rugxulo
         | 
     no more EMS support in XP | 
    
    
     > Is anybody really surprised? 
 
I am a bit surprised. So much attention on this ancient code. Why?
 
> They long ago gave up DOS support. 
 
Hence the reason for my curiosity. 
 
> Rumor already says that Win9 Home editions will be 64-bit 
> only, and I have no idea how well Hyper-V 64-bit will work, even in Win8 
> (only two weeks away). 
 
XP's popularity may be a problem for this 64-bit venture?
Some scientific research: (google hits) 
 
16-bit  1 170 000 000 
32-bit    799 000 000 
64-bit    539 000 000 
 
 
> Anyways, nidud, have you tried the http://www.emsmagic.com/ TSR? It should 
> still work, so that's probably your best bet. 
 
Think it will be a lot easier to just uninstall the update, if you are not afraid of all these 16-bit coders lurking in the bushes with their crafty code that is
     
                
             RayeR 
        
  
  CZ,  12.10.2012, 00:51         (edited by RayeR, 12.10.2012, 01:23)                
  @ nidud
         | 
     no more EMS support in XP | 
    
    
> I think TD uses EMS to load symbolic debug info, hence my problem:
 
In my case TD 4.0 still runs after the hotfix was installed.
emstest wrote: 
Expanded Memory Manager Software not found. 
Expanded Memory not found or unusable - Program halted. 
even if I had enabled EMS in pif file. 
 
With EMS Magic it works fine - Thx Rux, I didn't know it. 
 
EDIT: I can confirm, that after removing the hotfix the emstest works again. 
So the result is: don't install the patch or use EMS Magic. --- DOS gives me freedom to unlimited HW access.  | 
     
                
             nidud 
        
  
  Norway,  13.10.2012, 15:03                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
It's now getting a bit funny.
 
According to Microsoft the attacker has to log on locally to insert this mysterious applications for this to work. This means that he has to break in to your house, boot your computer and log on with all privileges in order to do this.
 
This crafty person is of course also capable to uninstall a previously installed program on your PC, so the update KB2724197 will not protect you from this type of attack.
 
Has this ever happened? According to Microsoft: No. 
 
So who came up with this idea then?
If you scroll to the bottom of the page above, it was an anonymous person from the 
US IDEFENSE SECURITY INTELLIGENCE SERVICES: 
 
Microsoft thanks the following for working with us to help protect customers: 
An anonymous researcher, working with VeriSign iDefense Labs, for reporting the Windows Kernel Integer Overflow Vulnerability (CVE-2012-2529) 
 
 
Here is the real reason: 
SPEAKER: James Bidzos, Executive Chairman, VeriSign, Inc.: 
http://www.youtube.com/watch?v=FV2iEtG-9so 
 
Conclusion: 
It is not Microsoft who's pushing this issue, but the US government.
     
                
             mvojvodic 
         14.10.2012, 12:49                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
     >  
> Conclusion: 
> It is not Microsoft who's pushing this issue, but the US government.
 
Why should anybody use automatic updates? 
I always want to know what is installed on my machine 
and to control it. 
You can always go to Microsoft site and manually select 
what is to be installed.  | 
     
                
             nidud 
        
  
  Norway,  14.10.2012, 18:17                        
  @ mvojvodic
         | 
     no more EMS support in XP | 
    
    
     > Why should anybody use automatic updates? 
 
I think the auto update function in Windows is good, at least compared to all the others out there (less annoying). For most people it works well, and the majority of them do not understand all the technical details of all these things. Even if you are a developer who does understand it, you still have to install them in order to test if this creates a problem for your application, since your customer probably will. 
 
With regards to the problem described above, they basically convert Windows XP to Vista, and that is a problem: There is a reason why XP became so popular compared to Vista.
 
There may be issues about the corporate structure of this company, and the monopoly they currently have in this market, but it is still a business based on trust. If they choose to take advantage of this situation by reducing the functionality of the product you already paid for, they will bad business, and that makes no sense.
 
The alleged problem with 16-bit code is not new, and they have known about this from the beginning. The ability to block 16-bit code has been around since Win95. 
 
> I always want to know what is installed on my machine 
> and to control it. 
> You can always go to Microsoft site and manually select 
> what is to be installed. 
 
I normally read the headlines of these updates, but I don't apply much time digging into all the details of all of them. The one in question is supplied with a "Microsoft thanks the following". I haven't seen this before, but then again, irony is not something you normally expect coming from the US.
     
                
             RayeR 
        
  
  CZ,  16.10.2012, 02:07                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
> According to Microsoft the attacker has to log on locally to insert this
> mysterious applications for this to work. This means that he has to break in
> to your house, boot your computer and log on with all privileges in order to
> do this.  
 
Did you hear about trojan horse software? Nobody needs to break someone's house. He just spreads his malware by email and stupid users will run it themselves (most of them are logged as admin already). Of course the same could be done with regular win32 program :)
--- DOS gives me freedom to unlimited HW access.
     
                
             nidud 
        
  
  Norway,  17.10.2012, 14:25                        
  @ RayeR
         | 
     no more EMS support in XP | 
    
    
> Did you hear about trojan horse software? Nobody needs to break
> someone's house. He just spreads his malware by email and stupid users will
> run it themselves (most of them are logged as admin already). Of course the
 
It seems the aim for these programs is to hawk out emails selling penis enlargements and the likes. It takes some effort to make these programs, so one may wonder why they do not use their skills for some more constructive things.
 
I think there is too much paranoia around these days, and the people who are assigned the job to protect us from imaginary problems are gaining too much strength. Their income seems to be based on coming up with new ideas on how you could be victimised by wicked people's craft, and you don't need to be very crafty to see what that leads to.
 
> same could be done with regular win32 program :) 
 
And then distributed through Windows update system.    | 
     
                
             Tito 
         13.12.2012, 20:26                        
  @ nidud
         | 
     no more EMS support in XP | 
    
    
Just to clarify: Which Win XP update is problematic and is there any way to rollback/ workaround whatever problem that presents itself?
     
                
             RayeR 
        
  
  CZ,  14.12.2012, 01:19                        
  @ Tito
         | 
     no more EMS support in XP | 
    
    
> Just to clarify: Which Win XP update is problematic and is there any way to
> rollback/ workaround whatever problem that presents itself? 
 
Simply don't install the KB2724197 --- DOS gives me freedom to unlimited HW access.  | 
     
                
             Tito 
         14.12.2012, 19:18                        
  @ RayeR
         | 
     no more EMS support in XP | 
    
    
     Dang it! I think I applied that before reading this thread. Is there anything I could possibly do to fix this?  | 
     
                
             RayeR 
        
  
  CZ,  15.12.2012, 17:37                        
  @ Tito
         | 
     no more EMS support in XP | 
    
    
     > Dang it! I think I applied that before reading this thread. Is there 
> anything I could possibly do to fix this? 
 
This update should only replace the Windows kernel (one of these files: ntkrnlmp.exe ntkrnlpa.exe ntkrpamp.exe ntoskrnl.exe). You can restore it from install CD or some previous hotfix containing newer version (hotfix can be extracted using /x option to see what's inside, you can also copy file manually when Windows is not running).
--- DOS gives me freedom to unlimited HW access.
     
                
             nidud 
        
  
  Norway,  16.12.2012, 01:04                        
  @ Tito
         | 
     no more EMS support in XP | 
    
    
     Tito, 
 
Open the Control Panel and select Install/Uninstall programs, check the [x] Show Updates box. 
Browse down and select KB2724197, click uninstall.
 
This will remove the update, but if you have the update on Auto, it will download and install it again. 
 
Set the Control Panel->Updates to Download only. 
The yellow icon will then show when updates are available. 
 
Here is the tricky part (you need to install it again): 
Click on the icon and select advanced (I think, or not auto) 
You will now see a window of available updates to install (in this case only one). 
Uncheck the [x] KB2724197 update and click install. 
 
The yellow icon will now disappear.  |