Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Hacking Challenge Answered

Posted by ryuzaki0 on from the still-some-work-to-be-done dept.

debiansid writes "Microsoft's most secure Operating System yet has been compromised at the Black Hat hacker conference. We all know that Andrew Cushman, Microsoft's director of security outreach invited the Black Hats over to touch and feel Vista in order to showcase the superiority of this OS. Joanna Rutkowska, from Coseinc, a Singapore-based security firm, obliged and showed how it is possible to bypass security measures in Vista that prevents unsigned code from running with the help of a little software she calls the 'Blue Pill.'" To be fair, the hack was possible only when the target is in administrator mode rather than a limited user account.

25 of 388 comments (clear)

  1. Only works as an administrator but... by mcguiver · · Score: 5, Insightful

    show me the average home user who doesn't runs XP as administrator. Do they think that anything is going to change for Vista?

    1. Re:Only works as an administrator but... by EmbeddedJanitor · · Score: 2, Insightful

      But they'll change that as soon as they need to install some drivers etc.

      --
      Engineering is the art of compromise.
    2. Re:Only works as an administrator but... by Reverend528 · · Score: 4, Insightful
      But they'll change that as soon as they need to install some drivers etc.

      Short term administrator usage to install a driver isn't that big of a threat. The real problem will be legacy applications that won't run without administrator priviledges. That's what keeps most people from running everything as a user.

      --
      Badass Resumes
    3. Re:Only works as an administrator but... by tcc3 · · Score: 5, Insightful

      Legacy apps my ass. I've seen plenty of new, professional grade software that is hamstrung by user level permissions. Sometimes Power User wont even satisy. Sloppy development is a big problem.

      You shouldnt be allowed to say "NT/2k/Xp compatible" if your software cant correctly handle user permissions.

    4. Re:Only works as an administrator but... by just_another_sean · · Score: 2, Insightful

      I've been using the Beta for a while now and what this low priveleged account amounts to is a dialog popping up when elevated privaleges are required and asking "Do you want to continue?". My understanding is you can now call CreateProcess such that it will load this dialog if elevated privaleges are needed.

      Yes it's a great way to alert a knowledgable user that some background process may be playing where it doesn't belong but I still see thousands of end users blindly clicking "Continue" as with the old Active X warnings.

      I think MS has made some great strides in this area. But they're going to have to "innovate" a lot more then this to solve the clueless user problem.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    5. Re:Only works as an administrator but... by FLEB · · Score: 3, Insightful

      Perhaps the computer just shouldn't turn on.

      There's a point where you have to blame people for their own actions. That's roughly at the point where they start making explicit choices based on available information. Anything more, and the OS (or any other program) just starts becoming useless under the weight of handholding and artificial restrictions.

      About the only thing I could see worth adding (if it isn't already... I haven't kept up on the Vista betas) is some sort of good central logging function, so when people like you 'n' I get called in to decraptivate the machine, there's a way we can look and go "Here. This is the point at which you were an idiot. Don't do this again."

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    6. Re:Only works as an administrator but... by G+Morgan · · Score: 2, Insightful

      This is the problem though. Most Windows users are unwilling to accept that their ease of use is getting in the way of security.

  2. Ok, so the machine was in Admin mode... by twofidyKidd · · Score: 3, Insightful

    Unfortunately, I think it's been established that many "average" users run in that mode, regardless of security concerns. I wonder if Vista will be an exception to this.

    --


    Hades, PoD: Official Advocate
    1. Re:Ok, so the machine was in Admin mode... by TWX · · Score: 3, Insightful

      That's because they have to run as a member of the Administrators group in order to do fairly mundane tasks like install software or make use of otherwise-mundane consumer hardware.

      I've had accounts on POSIX-compliant systems for years. I've found that with only user-level access I'm quite able to compile or install applications for my own user account in my own home directory without much difficulty, and still maintain the system integrity. As long as Microsoft holds on to the registry they'll never achieve such.

      --
      Do not look into laser with remaining eye.
    2. Re:Ok, so the machine was in Admin mode... by OverflowingBitBucket · · Score: 4, Insightful

      That's because they have to run as a member of the Administrators group in order to do fairly mundane tasks like install software or make use of otherwise-mundane consumer hardware.

      Bingo.

      I've tried, I've tried so hard to get my family to run using user-level accounts. It doesn't work. I don't live with them, so at least one needs an account with Admin rights. The others get the password (usually by asking), and then reelevate themselves. They aren't doing it to spite me. When some games won't run without admin, they can't burn CDs, so forth, they will find a way to make it work. Security? What's that? They don't care. If they can't play games, or burn CDs, they don't care about security.

      I know it is nice and easy to blame developers. True, they should do better. Heck, the first two release versions of my software didn't run properly as a user under Windows either (be gentle, I didn't have XP then). But if you want developers to behave, it has to cost them if they don't. The admin-by-default situation in Windows is ludicrous. They took a step in the right direction with user accounts in XP, but with the default installation forcing the first user account to be admin, and then not letting you de-admin the account, makes the step almost pointless.

      When default users run as an ordinary user with a pretty graphical sudo, and the OS blocks running apps as administrator without some sort of painful confirmation process (eg. whitelist), and developers have access to decent commandline or API sudo and security equivalents, then developers will behave and make damn sure their app runs as an ordinary user.

      Legacy apps will break unless some sort of layer is put in to make it look like the app does have arbitrary permissions to do fun stuff like write into its installation directory or the top level of a drive. I've heard Vista does some of this funky stuff (I'd check if the a__holes at Microsoft actually let me get their beta version of Vista- another story), which I hope is true.

      Microsoft got themselves into this mess and they have nobody to blame but themselves (despite the way they love to blame third parties for their sloppy OS). They can dig their way out if they choose. It won't be easy, but give them a decade and they'll be where Unix was a decade ago. ;) Perhaps Vista will be another step in the right direction. Or maybe it will be another case of dialog overkill that does nothing for true security. Who knows?

      Personally I'm not too stressed one way or the other. I don't use Windows unless I absolutely must, and whilst it is a worm-ridden crash-prone security nightmare it does mean there will be work available to clean up the mess. The target market of my software mostly runs on Windows though, so I do have to keep aware of what is going on. It would be nice if they cleaned up their act, as it makes my work easier.

  3. Hypocrites by Umbral+Blot · · Score: 3, Insightful

    Lets see how long it takes for slashdot readers to swing into full hypocrisy mode. Specifically mocking windows because it is vulnerable to users running insecure software in administrator mode when every other OS has the exact same vulnerability. Of course windows users do have the unfortunate tendency to run as administrators, but 1- that is blaming the software for the problems of the user, and 2- Vista might be running in user mode by default.

    And no, before you ask, I am not a windows user, I am on a Mac PowerBook G4. I prefer the mac because it is easier to use and I am not a gamer, not because of some imagined speed or innate security edge over every possible windows product.

    --

    Philosophy.
    1. Re:Hypocrites by swissmonkey · · Score: 3, Insightful

      Even better, not only has the tool to run in administrator mode to work, but additionally, the user has to click "Yes" in a dialog box warning him that this program is touching sensitive parts of the system(that's the UAC part).

      Now if that's a security issue, then I guess rm -rf / is an enormous security hole on Unix systems

    2. Re:Hypocrites by TheUnknownOne · · Score: 2, Insightful

      Speaking as a linux user who happens to also use windows to play games, while yes running in administrator mode in windows is "technically" avoidable, in reality it isn't. It isn't avoidable for your average home user who isn't going to try and figure out how to get all of his programs working with the limited user accounts. Microsoft as well as the majority of developers of Windows applications do not make any effort towards the simplification of this process, and they are at fault, not the average computer user who just wants to be able to get work done, and communicate with friends and family.

    3. Re:Hypocrites by ldj · · Score: 2, Insightful
      ... but really if you know what your doing you soon relise Microsoft is WAY better than other OS's (Based on what you want to use it for)

      Wow! That's so insightful! With that conditional, you could replace "Microsoft" with any OS and still be correct! ;)

      I think I'll stick with what gives me the most flexibility, easiest installation of the tools I want, guaranteed free updates, access to the source code, has been relatively easily secured more or less since inception, and all at the lowest initial cost. That's what works best for me and that's what I support for family and friends (a group that keeps growing as people become more and more frustrated with MS Windows). You may not agree with these points *from your perspective* but that's my experience and thus my opinion.

      But I fully support your right to choose the system you want.

      --
      Open Source: I'll show you mine if you show me yours.
  4. Re:Would they tell anyway? by xilmaril · · Score: 2, Insightful

    If you're a truely vile blackhat, you'd probably go for choice #2.

    Most of these people at the blackhat con aren't of ill intent, though. They're just hackers who won't let microsofts convenience get in the way of their fun.

    Besides, with Microsofts history, I'd say it's pretty unlikely this hole will be patched if vista comes out before 2008. They certainly didn't patch any other verison of windows with that kind of speed.

  5. To be fair to MS by walnutmon · · Score: 5, Insightful

    This article is a little slanted towards, "MS said you can't get into their OP, and black hats said, 'bitch please!'". But really, MS probably expected this, and was hoping that they could learn something from watching a collection of hackers test their system. The more problems that are caught now, the less when it is released.

    Microsoft doesn't care about impressing Linux users, they care about releasing something that A LOT of normal users can install and forget about. Every iteration they get more stuff right, and their operating system becomes better (except ME, that sucked dick).

    --
    You take it, I don't want it...
  6. Blue Pill seems insincere by rufusdufus · · Score: 3, Insightful

    She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control.

    Seems to me this 'hack' gets the cart before the horse. If you are able to run malicious software in administrator mode, you can do anything at all, not just compromise signed code authorization. Heck you could replace the whole OS. The point of security is to prevent unknown persons from being able to run malicious software in the first place.

  7. These kinds of contests don't work. by Poromenos1 · · Score: 2, Insightful

    This contest doesn't make sense, if they find a vulnerability, it's some bad PR, but, well, how many vulnerabilities have been found and patched for XP? If they don't, it still doesn't mean it's unhackable, it just means they need more time.

    The only case where they DO work is when you're asking people to crack encryption, and then it's only CRACKING it that proves something, saying that noone could crack it doesn't mean it's uncrackable.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  8. Re:question by morgan_greywolf · · Score: 4, Insightful
    The real question is: will elevating oneself to administrator become common practice or not?


    That depends on how many legacy programs require Administrator priveleges to even run. (Hint: a lot)
    --
    My blog
  9. Re:Would they tell anyway? by rifftide · · Score: 5, Insightful

    Now this is really cynical - but they may have planned it this way. It looks like Vista may blow by even the latest (January 2007) deadline to resolve a raft of useability bugs, and this gives them the perfect cover to extend the ship date without looking totally inept. "We were ready to RTM at the end of 2006 but some late-breaking vulnerabilities were discovered, and we decided we couldn't take chances with the security of our customers' systems."

    This is not just a matter of losing face. If the Windows team blows the revised date by several months (say April or later) AND it ships what is considered to be a lackluster product, many people will start considering the Windows codebase as a sustaining mode project. They will assume that Microsoft is busy preparing a brand new code base (based on FreeBSD plus .NET and DirectX, let's say) to debut five years from now, and will work out a transition plan for Win32 apps. Windows will be a lame duck in the minds of both customers and MS engineers. Alternatives will be sought.

  10. Re:freeware? by dioscaido · · Score: 2, Insightful

    I'm trying to grasp you logic here... Why can't someone run free software without administrator privileges?

  11. Re:That is not Microsoft's fault (well, not really by TheUnknownOne · · Score: 2, Insightful

    I only blame Microsoft for not using their heavy hand to do good. They are well known for using their economic leverage to control other aspects of the computing world, why not something simple that would make it better for everyone?

  12. Re:Would they tell anyway? by andreyw · · Score: 3, Insightful

    If you paid attention, you'd realize you can't use SVM facilities without being in ring-0. Now how she got her payload from ring-3 to ring-0? That's the security hole.

  13. Re:Not only does it have to be in admin mode... by SnarfQuest · · Score: 2, Insightful

    ...but the user has to PERMIT the program to run.

    Aren't windows users trained to click yes? If you try to do anything, you are often slammed with warning boxes, confirm boxes, software license agreement boxes, reboot request boxes, etc. And I hear that vista is even worse in this regards. You get trained to click through them as fast as possible if you actually want to get anything done. The fact you click on that one out of a thousand that actually is malicious shouldn't be a surprise.

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  14. Re:Would they tell anyway? by Anonymous Coward · · Score: 3, Insightful

    RTFA. "She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control."

    There's also the description on her blog, which states, "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."

    If you paid attention, you'd realize the real issue is that this enables malware that cannot be detected, even when the algorithm it uses is known.