Errors in the way Windows NT schedules concurrently running applications leave it vulnerable to a simple, but very effective, denial of service attack, according to a Windows NT expert.
"This is a wide-open hole just waiting for exploitation by an ActiveX control," said Mark Russinovich, a consulting associate with Open Systems Resources Inc. who discovered the vulnerability this week. The flaw is particularly serious, since it can be easily exploited by an ActiveX control or by a Netscape plug-in.
Russinovich wrote a simple utility that, while running with no special security privileges, is able to take complete control of any Windows NT server or workstation, rendering it useless for any other applications. The algorithm used by Windows NT to protect itself against such CPU-hogging attacks appears to be seriously flawed and ineffective, Russinovich said.
The source code for the utility, which is called CpuHog, is available on the Web at www.ntinternals.com.
How it works
Basically, Russinovich's program exploits a vulnerability in the way Windows NT schedules the execution of processes.
Applications can set their own priority level, which affects how often Windows NT allows those applications to run. An application running under a user account with administrative privileges can set its priority to any of 32 levels, with the highest level giving it more time slices. Applications running under accounts without administrative privileges can set their priority to any of the first 16 of those levels.
CpuHog sets its priority to the highest level available, which is level 16 when run by a normal user. Windows NT attempts to deal with CPU-hogging applications by boosting the priority of other applications. However, Russinovich found that Windows NT will only boost applications as high as level 15. Thus, all other applications - even system utilities such as Task Manager - never get a chance to execute while CpuHog is running.
PC Week Labs was able to duplicate Russinovich's findings. When run on Windows NT 4.0, for example, the only way to regain control once CpuHog was executed was to reset the PC.
Hogging the CPU is one of the oldest known forms of denial of service attack. So old, in fact, that many operating systems have developed a defense. Many forms of Unix allow administrators to set limits on CPU usage by user - limiting any one user to 50 percent of available CPU cycles, for example.
Almost all forms of Unix also automatically decrease the priority of the highest-priority processes when applications become starved for CPU time, which is the opposite of what Windows NT does.
Russinovich said Microsoft could get around the problem fairly easily in one of two ways: Either increase the maximum priority given to other, CPU-starved applications above level 15, or increase the priority of the Task Manager above level 16, so that it can be used to end CPU-hogging applications.
Microsoft officials contacted for this story did not have a comment, other than to say they are researching the problem.