Slashdot Mirror


Vista Hacking Challenge Answered

debiansid writes "Microsoft's most secure Operating System yet has been compromised at the Black Hat hacker conference. We all know that Andrew Cushman, Microsoft's director of security outreach, invited the Black Hats over to touch and feel Vista in order to showcase the superiority of this OS. Joanna Rutkowska, from Coseinc, a Singapore-based security firm, obliged and showed how it is possible to bypass security measures in Vista that prevent unsigned code from running with the help of a little software she calls the 'Blue Pill.'" To be fair, the hack was possible only when the target was in administrator mode rather than a limited user account.

17 of 388 comments

  1. Re:Only works as an administrator but... by DrDitto · Score: 4, Informative

    > show me the average home user who doesn't run XP as administrator. Do they think that anything is going to change for Vista?

    Yes, it is going to change for Vista. The default user will not have admin privileges.

  2. Not only does it have to be in admin mode... by Anonymous Coward · Score: 3, Informative

    ...but the user has to PERMIT the program to run.

    Yes, many users are just stupid and will automatically click "yes" on things, but at that point it's their own damn fault. The hack won't work without the user letting it work.

  3. Re:Only works as an administrator but... by Ruff_ilb · Score: 2, Informative

    Yes, it WILL change if microsoft stops assuming that everyone can act as a full administrator, which they're going to do based on the latest beta.

    http://www.anandtech.com/systems/showdoc.aspx?i=2780&p=7

    The above article details a new "User Account Control" system. From TFA: "The basic premise behind UAC is that the previous way of running everything as an Administrator was wrong, and by doing so it not only allowed applications to make system-wide changes when they shouldn't, but it also meant that compromised applications could be used as a vector to attack the system. As a result, even an administrator isn't really an administrator under Vista."

    --
    http://www.TheGamerNation.com/Forums
  4. Re:Only works as an administrator but... by SEMW · Score: 2, Informative

    Yes. The true administrator account is hidden and disabled by default. Most people won't even know it's there, and you have to go through a rigmarole to enable it if you really want it (there's a how-to guide at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001970). The "administrator" account that Vista creates by default is actually a standard user that can temporarily elevate to admin privileges on a task-by-task basis -- that's what UAC is about.

    --
    What's purple and commutes? An Abelian grape.
  5. Re:Hypocrites by SEMW · Score: 2, Informative

    > Vista might be running in user mode by default.

    Correct, it will. The true administrator account is hidden and disabled by default. Most people won't even know it's there, and you have to go through a rigmarole to enable it if you really want it (there's a how-to guide at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001970). The "administrator" account that Vista creates by default is actually a standard user that can temporarily elevate to admin privileges on a task-by-task basis -- that's what UAC is all about.

    --
    What's purple and commutes? An Abelian grape.
  6. Hardware bug by diegocgteleline.es · Score: 2, Informative

    This "trick" uses a hardware bug, not a software bug, to exploit Vista. It should affect other OSes like Linux, Solaris, BSDs, etc.

    I'm not surprised that they focused on being able to break Vista. A nice marketing move for the "researcher" (like there're not papers that explain how virtualizing environments aren't 100% safe in the x86 architecture)

  7. Re:Would they tell anyway? by ChronoReverse · Score: 5, Informative
  8. Re:MS Support calls by SEMW · Score: 5, Informative

    By default, the true administrator account is hidden and disabled. Most people won't even know it's there, and you have to go through a rigmarole to enable it if you really want it (there's a how-to guide at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001970). The "administrator" account that Vista creates by default is actually a standard user that can temporarily elevate to admin privileges on a task-by-task basis. It pops up a dialogue box like http://www.winsupersite.com/images/showcase/winvista_ff_uac_13.jpg, letting you press a big button that says 'allow' if you know it's something you initiated (e.g. you're trying to install something). You don't need to logout and relogin.

    --
    What's purple and commutes? An Abelian grape.
  9. Re:MS Support calls by ChronoReverse · Score: 5, Informative

    This is the way it works:

    You can either be a limited user or an "administrator". By default in the current beta you're an "administrator".

    What this means is that every time an action is undertaken that actually requires administrative rights, Vista will pop up a dialogue (a la security warnings in Internet Explorer) and make sure you really wanted to do that. If you think this would be annoying (and would just train users to click yes) let me tell you that it was actually worse in Beta1.

    There it popped up ALL the time and even if a background task does something that requires it, the entire system would stop and pop up the dialogue. At least now it'll just block and wait for you to notice the new task button and deal with it.

    If you're on a limited account, you'll have to run whatever it was you were trying to run with the context menu "Run as admin" item. Then you'll have to type the admin password. Then when the program does something that actually requires the rights, it may or may not pop up the UAC dialogue.
    At least MS is putting hoops for us to jump through.

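The split-token behaviour ChronoReverse describes above can be checked on the machine rather than argued about. The PowerShell below is an added example, not code from the thread or from Microsoft. It reports whether the current token is elevated, whether the account is nonetheless a member of Administrators (and, if so, whether that group is currently deny-only, i.e. filtered), the UAC policy values under HKLM that govern the consent dialogue, and whether the built-in Administrator account is still disabled. It assumes PowerShell 2.0 or later on Vista or newer and an English-language Windows for the `whoami` attribute wording; the registry key and ADSI path are standard Windows locations, nothing specific to the commenter's setup.

```powershell
# Added example: where does this session sit under UAC?
# Assumes PowerShell 2.0+ on Vista or later. Run it from a plain prompt,
# then from one started with "Run as administrator", and compare.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity

# True only if the Administrators group is *enabled* in the current token.
# A UAC "protected administrator" logs on with a filtered token in which
# that group is present but deny-only, so this is $false until elevation.
$tokenElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group in the token, including the deny-only ones that
# .NET's WindowsIdentity.Groups hides. S-1-5-32-544 is BUILTIN\Administrators.
$adminLine      = @(whoami /groups) -match 'S-1-5-32-544'
$memberOfAdmins = [bool]$adminLine
$tokenFiltered  = [bool]($adminLine -match 'deny only')   # English Windows wording

# UAC policy. EnableLUA=0 turns UAC off entirely (back to XP behaviour).
# ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = consent prompt on
# the secure desktop (Vista default), 5 = prompt only for non-Windows
# binaries (Windows 7+ default).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# The real Administrator account is disabled out of the box on Vista;
# ADSI exposes the flag without needing the later Get-LocalUser cmdlet.
$builtin         = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$builtinDisabled = [bool]$builtin.InvokeGet('AccountDisabled')

New-Object PSObject -Property @{
    User                       = $identity.Name
    MemberOfAdministrators     = $memberOfAdmins
    AdminGroupDenyOnly         = $tokenFiltered
    TokenCurrentlyElevated     = $tokenElevated
    UAC_EnableLUA              = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    BuiltinAdminDisabled       = $builtinDisabled
} | Format-List
```

From a non-elevated prompt on a default Vista install the interesting combination is `MemberOfAdministrators = True`, `AdminGroupDenyOnly = True`, `TokenCurrentlyElevated = False`: that is the "administrator who isn't really an administrator" the earlier comments describe. The same script run after clicking through the consent dialogue flips the last two values.
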
  10. Re:Only works as an administrator but... by GIL_Dude · Score: 2, Informative

    Although file and registry virtualization does make many legacy apps work fine, it doesn't fix the ones that needlessly checked directly for the administrator group being enabled in the token. But apps that write to system32 and program files and all work fine as a user now with virt.

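Virtualization, as GIL_Dude notes, redirects legacy writes rather than blocking them, which means a standard user can accumulate a private shadow of Program Files and HKLM\SOFTWARE without anything ever prompting. The PowerShell below is an added example, not from the thread, that walks the per-user VirtualStore for files and the VirtualStore registry key and maps each entry back to the protected location the application believed it was writing to. It assumes the standard VirtualStore locations on Vista or later and PowerShell 2.0+.

```powershell
# Added example: what has UAC virtualization redirected for this user?
# Assumes the standard VirtualStore locations on Vista or later.

# File writes by non-elevated legacy apps to %ProgramFiles%, %windir% etc.
# land under %LOCALAPPDATA%\VirtualStore, mirroring the path below the drive root.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$fileHits  = @()
if (Test-Path $fileStore) {
    $fileHits = @(Get-ChildItem -Path $fileStore -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            New-Object PSObject -Property @{
                IntendedPath = Join-Path $env:SystemDrive $relative   # where the app thought it wrote
                ActualPath   = $_.FullName
                LastWrite    = $_.LastWriteTime
            }
        })
}

# Registry writes to HKLM\SOFTWARE are redirected to a per-user mirror.
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
$regPrefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE'
$regHits   = @()
if (Test-Path $regStore) {
    $regHits = @(Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
        $relative = $_.Name.Substring($regPrefix.Length).TrimStart('\')
        New-Object PSObject -Property @{
            IntendedKey = "HKLM\$relative"
            ActualKey   = $_.Name
            ValueCount  = $_.ValueCount
        }
    })
}

"$($fileHits.Count) virtualized file(s), $($regHits.Count) virtualized registry key(s)"
$fileHits | Sort-Object LastWrite -Descending | Format-Table IntendedPath, LastWrite -AutoSize
$regHits  | Format-Table IntendedKey, ValueCount -AutoSize
```

Two caveats worth knowing when reading the output: virtualization applies only to processes without a manifest that declares a `requestedExecutionLevel` (Vista's Task Manager has a "Virtualization" column showing per-process status), and a redirected file is invisible to an elevated process looking at the real path, which is why a legacy app's settings can appear to vanish the moment it is run "as administrator".
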
  11. Not a hardware bug.. it modifies the pagefile by omgwtfroflbbqwasd · Score: 2, Informative

    The basis of the vulnerability is that it modifies device drivers that get swapped out to the pagefile. It can then hook shellcode when the driver is instantiated, in this case allowing unsigned drivers to be loaded.

    You are probably thinking of the AMD hypervisor she discussed for designing Vista rootkits.

  12. Re:And Linux as root is any more secure? by x2A · Score: 2, Informative

    "How is this any different from sitting down at a Linux system with root access and running amok?"

    Because linux (without something like selinux) isn't designed to not let you run unsigned code in ring0. Vista is. Yet by using this security hole, you can push unsigned code into ring0. Therefore, it is only as secure as linux; their extra security requiring cryptographically signed binaries to run in ring0 didn't work.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  13. Re:Would they tell anyway? by Jah-Wren+Ryel · Score: 2, Informative

    Except it's already been patched.

    Probably because she already published enough details of how it works over a month ago.

    And, although he says it's patched, the patch has not been released and so one must question how well patched - it would not be the first time MS released a patch to close the front door that left the back door wide open.

    My slightly-humble opinion is that Rutkowska's general approach can only be completely thwarted if the OS itself installs its own "hypervisor" kernel. I've got my fingers crossed that MS hasn't gone that far because if it has - it will make rehosting Vista under linux impossible and without such a hypervisor, it should be possible to thoroughly crack any DRM scheme that MS comes up with.

    I am really looking forward to subscribing to "Urge" with its all you can download service for about a month and then freeing all the music to play wherever and however I want. I say, a company that lives by DRM dies by DRM.

    --
    When information is power, privacy is freedom.
  14. Re:The Majority of Executables are Unsigned by x2A · Score: 2, Informative

    The "idea" (I don't know how far Vista goes towards this) is that you have a 'trusted' ring, where everything yes, does have to be signed. You may still have an untrusted ring, for running unsigned code, but it will not be able to access anything protected within the trusted ring.

    It's basically like two separate sandboxes, both kept separate, and one of them highly controlled so you can trust (as much as you trust the key issuer) that it's safe and secure. The other... use at your own risk.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  15. Re:And Linux as root is any more secure? by dbIII · Score: 2, Informative

    > Are root accounts inherently more secure than administrator accounts

    Of course not - the entire point is that you have full and absolute control to be able to change anything. The difference between multi-user systems and systems with a single user legacy is that you should only need root access to set things up - even your system services run as different users without full root privileges. MS Windows 2k, XP, 2k3 suffers from having people with the single user idea turn up from the Win98 side and mess things up so that you have to run a lot of things as a privileged user. Microsoft are improving, but the entire point of a computer system is to run the applications - many of which are poorly developed and consider it to be a single user system. Perhaps with better virtualisation we can run those misbehaving apps on virtual machines.
  16. You are all missing the point by Myria · Score: 4, Informative

    This is about x64 driver signing. In Vista 64, drivers *cannot* run if they are not signed by a corporation who has paid the "VeriSign Tax" *. Even if the administrator requests it, they will not run. This is retarded "security", and it will keep being broken until Microsoft either gives up or forces everyone to have TPM bootup (more likely the latter).

    It infuriates developers, yet doesn't do anything for preventing rootkits, as Joanna has demonstrated. As long as user-mode programs have raw disk access, they will be able to attack whatever they want.

    I have a feeling that Microsoft's response to this will be to lock out raw disk access to user mode regardless of privilege. Keep in mind that even SELinux does not do this. All disk utilities would have to be written as signed drivers. The problem here is that developers won't stand for it, and will make signed drivers that grant access again. Then the rootkits can just copy these signed drivers then use them to do the same thing.

    Even if Microsoft encrypts the page file or removes the ability for the kernel to page itself out, raw disk access is still an issue. You can always open \Device\Harddisk0\Partition0 (NT's /dev/hda) and overwrite the MBR, then call NtShutdownSystem to reboot. If you take away raw disk access to user mode, then you get more esoteric. Detect when a blank CD or DVD has been inserted. When the user requests to burn it, intercept the write request and burn something else instead. Act like a system crash and reboot after it's done. Most computers are configured by default to boot from CD first.

    The real reason for driver signing appears to be DRM. The easiest way to "crack" song DRM is to install a fake audio driver that logs to disk. With the DMCA, it's illegal to make such a driver, and with driver signing, it's impossible to do it anonymously. If you temporarily disable driver signing - which is possible if you press F8 each boot - Vista's Windows Media Player refuses to play protected songs. Gee I wonder why.

    By the way, I thought of the same pagefile hack as Joanna on my own and posted it on my weblog in early June. I'm sure Joanna figured it out long before me though.

    * There are other root certificate companies that are countersigned, but this is a well-known phrase.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  17. The Hacker that did it -- Joanna Rutkowska by Silverstrike · Score: 2, Informative

    Well, this is wrong, but seriously, now. Didn't anyone do a GIS for her?

    http://www.spiz.ae.krakow.pl/uploaded_images/1123165482_64981000.jpg

    I think we need a new security officer here....

    I'm sorry for that. I know I'm part of the problem.