BadTunnel Security Flaw Affected All Windows Versions For 20 Years

A Chinese security researcher has uncovered a serious vulnerability in all versions of the Windows operating system, from Windows 95 to Windows 10, meaning users have been vulnerable for more than 20 years.

The good news is that Microsoft has already fixed the flaw in its latest Patch Tuesday security update, allowing Yang Yu, the founder of Tencent’s Xuanwu Lab, to reveal details of what has been named ‘BadTunnel’ in an interview with Dark Reading.

BadTunnel Flaw

The bug is extremely serious as it affects all versions of Microsoft Windows, right from Windows 95 through to Windows 10. The seriousness of the bug meant that Yu reportedly earned Microsoft’s top bug bounty reward of $50,000 (£35.063).

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu is quoted as saying. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years. It can be exploited silently with a near perfect success rate.”

But what exactly is the BadTunnel? Well it is not a piece of malware. Rather it is a technique for NetBIOS-spoofing across networks due to bad coding within Windows. It allows the attacker to gain access to network traffic without being on the victim’s network. It also bypasses firewall and Network Address Translation (NAT) devices, and the flaw can allow any any program to run.

“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” Yu reportedly said.

Network Hijack

The way it works is the attacker gets the victim to visit a booby trapped web page using with Microsoft Edge or Internet Explorer. Or the victim could install a malicious flash drive or open a rigged Office document.

According to Dark Reading, the attacker’s site appears as either a file server or a local print server, and hijacks the victim’s network traffic – HTTP, Windows Updates, and even Certificated Revocation List updates via Microsoft’s CryptoAPI.

Essentially, BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses. When all of these flaws are taken together, it makes the network vulnerable to a BadTunnel attack.

Yu reportedly began uncovering the flaw during a flight last year. He was bored and began to imagine new attack scenarios, and once on the ground began testing his theory on different system configurations, and finally discovered this vulnerability in the Windows operating system.

He reported his finding to Microsoft in January, but has not come across any attacks of this nature in the wild.

The flaw was addressed this week by Microsoft in security bulletin MS16-077.

What do you know about Windows 10? Try our quiz?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Norway Hit By DDoS Cyber Attacks From Pro Russian Group

Norwegian national security agency warns pro-Russian group has targetted private and public institutions in Norway…

16 hours ago

Google Tells Staff They Can Relocate After Roe v Wade Ending

After US Supreme Court last week removed women's reproduction rights, Google tells staff they can…

17 hours ago

Taiwan Developing Own Digital Currency – Report

Central bank of Taiwan confirms it is still working on its digital currency, but has…

18 hours ago

Tesla Cuts 200 Autopilot Jobs, Closes San Mateo Office – Report

More restructuring at Tesla with hundreds of bob losses and California office closure, where staff…

20 hours ago

US FCC Commissioner Urges Apple, Google To Remove TikTok

Fresh worry for TikTok, after FCC Commissioner writes to Apple and Google about removing the…

21 hours ago

Airbnb Permanently Bans Parties, With Few Exceptions

Victory for irate neighbours? Airbnb confirms its temporary Covid ban on parties in its listings…

21 hours ago