BadTunnel Security Flaw Affected All Windows Versions For 20 Years

A Chinese security researcher has uncovered a serious vulnerability in all versions of the Windows operating system, from Windows 95 to Windows 10, meaning users have been vulnerable for more than 20 years.

The good news is that Microsoft has already fixed the flaw in its latest Patch Tuesday security update, allowing Yang Yu, the founder of Tencent’s Xuanwu Lab, to reveal details of what has been named ‘BadTunnel’ in an interview with Dark Reading.

BadTunnel Flaw

The bug is extremely serious as it affects all versions of Microsoft Windows, from Windows 95 through to Windows 10. The seriousness of the bug meant that Yu reportedly earned Microsoft’s top bug bounty reward of $50,000 (£35,063).

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu is quoted as saying. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years. It can be exploited silently with a near perfect success rate.”

But what exactly is BadTunnel? Well, it is not a piece of malware. Rather, it is a technique for NetBIOS spoofing across networks, made possible by flawed coding within Windows. It allows the attacker to gain access to network traffic without being on the victim’s network. It also bypasses firewall and Network Address Translation (NAT) devices, and the flaw can allow any program to run.

“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usages of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” Yu reportedly said.

Network Hijack

The way it works is that the attacker gets the victim to visit a booby-trapped web page using Microsoft Edge or Internet Explorer. Alternatively, the victim could plug in a malicious flash drive or open a rigged Office document.

According to Dark Reading, the attacker’s site appears as either a file server or a local print server, and hijacks the victim’s network traffic – HTTP, Windows Updates, and even Certificate Revocation List updates via Microsoft’s CryptoAPI.

Essentially, BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and which responses it accepts. None of these weaknesses is fatal on its own, but taken together they leave the network vulnerable to a BadTunnel attack.

Yu reportedly began uncovering the flaw during a flight last year. He was bored and began to imagine new attack scenarios, and once on the ground began testing his theory on different system configurations, and finally discovered this vulnerability in the Windows operating system.

He reported his finding to Microsoft in January, but has not come across any attacks of this nature in the wild.

The flaw was addressed this week by Microsoft in security bulletin MS16-077.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
