BadTunnel Security Flaw Affected All Windows Versions For 20 Years

A Chinese security researcher has uncovered a serious vulnerability in all versions of the Windows operating system, from Windows 95 to Windows 10, meaning users have been vulnerable for more than 20 years.

The good news is that Microsoft has already fixed the flaw in its latest Patch Tuesday security update, allowing Yang Yu, the founder of Tencent’s Xuanwu Lab, to reveal details of what has been named ‘BadTunnel’ in an interview with Dark Reading.

BadTunnel Flaw

The bug is extremely serious as it affects all versions of Microsoft Windows, right from Windows 95 through to Windows 10. The seriousness of the bug meant that Yu reportedly earned Microsoft’s top bug bounty reward of $50,000 (£35.063).

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu is quoted as saying. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years. It can be exploited silently with a near perfect success rate.”

But what exactly is the BadTunnel? Well it is not a piece of malware. Rather it is a technique for NetBIOS-spoofing across networks due to bad coding within Windows. It allows the attacker to gain access to network traffic without being on the victim’s network. It also bypasses firewall and Network Address Translation (NAT) devices, and the flaw can allow any any program to run.

“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” Yu reportedly said.

Network Hijack

The way it works is the attacker gets the victim to visit a booby trapped web page using with Microsoft Edge or Internet Explorer. Or the victim could install a malicious flash drive or open a rigged Office document.

According to Dark Reading, the attacker’s site appears as either a file server or a local print server, and hijacks the victim’s network traffic – HTTP, Windows Updates, and even Certificated Revocation List updates via Microsoft’s CryptoAPI.

Essentially, BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses. When all of these flaws are taken together, it makes the network vulnerable to a BadTunnel attack.

Yu reportedly began uncovering the flaw during a flight last year. He was bored and began to imagine new attack scenarios, and once on the ground began testing his theory on different system configurations, and finally discovered this vulnerability in the Windows operating system.

He reported his finding to Microsoft in January, but has not come across any attacks of this nature in the wild.

The flaw was addressed this week by Microsoft in security bulletin MS16-077.

What do you know about Windows 10? Try our quiz?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

3 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

3 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

3 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

3 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

3 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

3 days ago