Slashdot Mirror


Vista Protected Processes Bypassed

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

221 comments

  1. Other OSes by tsa · · Score: 0, Offtopic

    Is it possible to do this in other operating systems?

    --
    Cheers!

    1. Re:Other OSes by Anonymous Coward · · Score: 4, Funny

      No, this feature is available only in Windows Vista.

    2. Re:Other OSes by diegocgteleline.es · · Score: 4, Insightful

      No, other operating systems don't have this stupid notion of "protected processes"; not even XP has it, only Vista.

    3. Re:Other OSes by I(rispee_I(reme · · Score: 4, Informative

      Actually, Windows versions as early as 2000 use a whitelist method of "protecting" processes: if the process name matches a hardcoded list, then Task Manager will refuse to kill it. This is so broken it's ludicrous: simply rename your process to any of the ones on the list, and it becomes unkillable. Programs such as PSkill will kill all processes, regardless of name.

  2. In related news by tinkertim · · Score: 5, Funny
    A spokesperson for Microsoft was quoted as saying :

    This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.

    1. Re:In related news by _KiTA_ · · Score: 5, Insightful


      A spokesperson for Microsoft was quoted as saying :

              This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.


      People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

    2. Re:In related news by cduffy · · Score: 4, Interesting

      The only infection my home Windows system has ever had came from a MySpace page my wife was browsing. Both of us appreciate good porn, and use that system for viewing it -- and, as I said, the only infection we've ever had was from MySpace.

      The parent is not necessarily too uptight to admit surfing porn.

    3. Re:In related news by tinkertim · · Score: 3, Informative

      People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.


      It was a joke, just a joke and only a joke.

      The link given is to Microsoft Bob, which Microsoft gave up on shortly after launching it and (according to Wikipedia) later admitted the product was their single largest failure in their company history.

      You'd need to remember Bob in order to appreciate that Vista is well on its way to being "Bob 2".

      I suppose any joke could be taken as flamebait lol, but really, it's just a joke. Better put in /. terms:

      It's funny, laugh... or perhaps not, since I had to explain it :)
    4. Re:In related news by LighterShadeOfBlack · · Score: 3, Insightful

      You're wrong. The "collective observations of thousands of admins" is in fact little more than assumptions and anecdotes perpetuated by people such as yourself.

      Do a significant proportion of porn sites have malware? Probably.

      Is there a greater risk of getting infected by malware when surfing for porn than doing "wholesome" surfing? Perhaps.

      Is a malware infection reason enough to presume that they got it from browsing porn and/or piracy-related sites? Not in the slightest in my experience. If you've got differing experiences that prove me wrong, by all means collate your data and present your findings because I and I'm sure many other people working in admin or IT roles would love some hard numbers on the nature of malware sources online. Until then I'll have to assume the "observations of thousands of admins" you speak of are in fact nothing more than your own pre-conceptions.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    5. Re:In related news by Anonymous Coward · · Score: 0

      Yeah, I mean only sickos search for song lyrics online - good people never do that!

    6. Re:In related news by erroneus · · Score: 5, Interesting

      I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

      Vista goes way out of its way to reduce functionality for the user in order to make content providers happy. Think of what that really means. Company A sells something to Consumer A but that something is disabled in order to make Company B happy. Company B is happy because they can continue their old business model and maintain their dominance if and when they finally move into new business models when they feel ready. Meanwhile, companies C, D and E through M move to create, innovate and design new things only to be prevented by both Company A and Company B. Depending on how this is done and how much evidence can be produced, this is illegal behavior.

    7. Re:In related news by PingXao · · Score: 2, Insightful

      It's the same way with spam. Too many people are content to say it's only a problem if you're not using spam filters. They completely ignore the point that the spam exists in the first place and is transmitted hither and tither across the net, stealing bandwidth far and wide.

    8. Re:In related news by StinkyGeek · · Score: 5, Funny

      I have to ask. If both you *and* your wife enjoy porn, how do you find time to post on /.?

      --
      Stay hopeful that the Crystalline Amoeba poops your car out soon
    9. Re:In related news by gemada · · Score: 1

      Or you could just not give the users admin rights to their machines. This virtually eliminates the possibility of spyware infections.

    10. Re:In related news by Randseed · · Score: 1

      Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

      I've seen that too many times to count. In fairness, though, the times I've seen it has not been with major ad companies, but rather more "shady" advertising companies. However, that doesn't mean that the user was doing anything "shady," and yes, the assertion that they must have been doing that is absurd.

      I suggest people check out Privoxy.

    11. Re:In related news by phobos13013 · · Score: 0, Redundant

      Spot on in the analysis, if i follow it correctly... just one thing.

      Where does Consumer B come into all this? Maybe Consumers B through E will invest in the technologies of Companies C through E and thus allow them to dominate over Companies A and B's shrinking market share over Consumer A, thus destroying the business model that allowed them to do this in the first place!

      --
      ...and it should be known by now
    12. Re:In related news by cduffy · · Score: 1

      She's out of town right now; gets back 11:30 this evening. Don't expect to see me posting much tonight or tomorrow.

      Which reminds me -- I need to check the levels on the hot tub. *wanders off*

    13. Re:In related news by udippel · · Score: 0, Troll

      I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

      True, amazing and pretty recent.
      I bet Microsoft has some whores lurking around, being paid for bulwarking criticism of Vista.

      I don't even doubt that some users are satisfied with it, but they wouldn't usually sit around just waiting to 'share' their positive experiences with the Slashdot crowd. There are, on the other hand, Apple fanboys who do just that.
      But Macs are good enough to create a followship, keen on being fanboyish in here. Vista isn't.

    14. Re:In related news by cyphercell · · Score: 1

      I bet Microsoft has some whores lurking around, being paid for bulwarking criticism of Vista.

      Did you notice that they aren't here today? :)

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    15. Re:In related news by ozmanjusri · · Score: 1
      I bet Microsoft has some whores lurking around, being paid for bulwarking criticism of Vista.

      At least their spin control's getting better even if their OS isn't.
      http://www.theregister.co.uk/2001/09/28/ms_spinmeisters_invent_huge_demand/

      --
      "I've got more toys than Teruhisa Kitahara."
    16. Re:In related news by Master+of+Transhuman · · Score: 2, Interesting


      I'll tell you, personally I think porn sites don't need malware. They KNOW what you're there for - they don't need to slap adware on your system to get you to come there. I've always had some spyware protection back when I was running mostly on Windows 2000 and XP, and I surfed porn sites frequently (albeit with Opera originally and later Firefox, more than IE, so my exposure to ActiveX was minimal) and I very rarely got any spyware according to my utilities.

      Basically ANY sleazy commercial outfit will slap spyware on your system. I have clients whose kids or spouses spend a lot of time on sports sites and retailers of sport shoes - and they get tons of spyware from those sites. Porn definitely isn't the primary problem.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    17. Re:In related news by udippel · · Score: 0, Troll

      Did you notice that they aren't here today? :)

      It is a Sunday. They're off to the great cathedral of Redmond, worshipping the Master of The Chairs.

      Oh wait, there is an emergency poster around:
      http://it.slashdot.org/comments.pl?sid=229863&cid=18647371

    18. Re:In related news by revengebomber · · Score: 1

      His "wife" is primarily composed of polyurethane.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    19. Re:In related news by MadMidnightBomber · · Score: 1

      Or worse, trying to download Asus drivers.

      --
      "It doesn't cost enough, and it makes too much sense."
    20. Re:In related news by Lost+Engineer · · Score: 2, Informative

      I am writing on a lappy running Vista. I worked on my grandparents' Windows ME machine earlier tonight. Vista is no ME. Yes, Vista is slow to startup and shutdown, but I've seen no Aero-related slowdown, save for playback of video which is easily worked around by using VLC instead of Media Player. Machines that can run it all, it seems, can handle the load.

      I haven't seen a reduction in functionality. Of course, I haven't played any HD-DVDs either, mostly because I don't have an appropriate drive. Vista is not ME, it's XP Second Edition.

    21. Re:In related news by Net_Wakker · · Score: 1

      The male refractory period.

    22. Re:In related news by Ruddykins · · Score: 1

      koffix blocker has a pretty good list of sites that do shady things with browser weaknesses... I just figure that if a site is shady enough to be on their list, I don't care to browse there...

      --
      -Chad
  3. Can we have Source? by Anonymous Coward · · Score: 2, Interesting

    I most certainly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?

    1. Re:Can we have Source? by lskovlund · · Score: 1

      Not only that, but discovering how it works is trivial, using a tool like IDA Pro, of which I am a happy costumer. Refusing to give out source for this, citing security reasons, reminds me of certain proprietary software companies running scared.

    2. Re:Can we have Source? by Randolpho · · Score: 1

      Not only *that*, but making the program available for download makes it easily included in malware -- unprotecting a process is just a simple command line call, after all.

      --
      "Times have not become more violent. They have just become more televised."
      -Marilyn Manson
    3. Re:Can we have Source? by antonyb · · Score: 1

      Not only that, but discovering how it works is trivial, using a tool like IDA Pro, of which I am a happy costumer. Refusing to give out source for this, citing security reasons, reminds me of certain proprietary software companies running scared.


      Really? What do you make it wear?

      ant.

    4. Re:Can we have Source? by Anonymous Coward · · Score: 0

      Exactly what benefit will that have to the general community? You could argue that he should make the source available to MS so they can fix this exploit, but no-one else has the source to Vista to fix this.

  4. Why do they even bother? by Mr_eX9 · · Score: 2, Insightful

    All of this "security" is just crap if it can apparently be exploited so easily.

    1. Re:Why do they even bother? by cyphercell · · Score: 4, Insightful

      No, it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    2. Re:Why do they even bother? by Surt · · Score: 1

      Alternatively, it's great. By being so breakable we sucker the evil DRM lords into another copy protection regime that ultimately doesn't work.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    3. Re:Why do they even bother? by Rodness · · Score: 5, Insightful

      I agree.

      The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

      Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

      They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

      My inclinations against myself or my family running vista just got a +1 Justification.

    4. Re:Why do they even bother? by Anonymous Coward · · Score: 1, Insightful

      Well, now I can honestly say "Wow!".

    5. Re:Why do they even bother? by cyphercell · · Score: 4, Funny

      after a $b investment over five years from the dominant player in operating systems, yes "The WOW starts Now!"

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    6. Re:Why do they even bother? by Blue+Stone · · Score: 1

      Apparently if you peel off some of the stickers on the very first Vista boxes off the production line, underneath 'The Wow Starts Now' it says 'Mission Accomplished'.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    7. Re:Why do they even bother? by cyphercell · · Score: 1

      That's funny, I got to get out of this country. God help me if I become successful at something.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    8. Re:Why do they even bother? by Master+of+Transhuman · · Score: 2, Insightful

      You're one hundred percent right - and the reason is simple: security doesn't make Bill any money, whereas "featuritis" - and deals with big content providers - does.

      Microsoft needs to be put out of business. Now. They have all the brains and social conscience of Enron.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  5. Can't beat em, join em? by friend.ac · · Score: 1

    Can you imagine if companies actually recruited these people who were skilled enough to break their OSs? I know I've paid someone who hacked into my site to find any further holes (fortunately they didn't!) and it's far cheaper in the long run..

    1. Re:Can't beat em, join em? by Fallen+Kell · · Score: 5, Insightful

      The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    2. Re:Can't beat em, join em? by Anonymous Coward · · Score: 2, Insightful

      >>Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

      Microsoft can.

    3. Re:Can't beat em, join em? by misleb · · Score: 3, Insightful

      Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. Your little website is one thing, but if you're Microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    4. Re:Can't beat em, join em? by Anonymous Coward · · Score: 1

      I can't wait until someone creates an auction site where they sell off exploits.

      Forcing companies to pay for flaws/exploits in their software might make them actually give a crap about securing them in the first place.

    5. Re:Can't beat em, join em? by Anonymous Coward · · Score: 0

      I've paid someone who hacked into my site, to find any further holes (fortunately they didnt!)

      Actually they found several and added another backdoor for good measure.

    6. Re:Can't beat em, join em? by friend.ac · · Score: 1

      Hi Matthew..

      I completely agree with you, and know that my priorities of securing people's information and ensuring there are no holes far outweigh Microsoft's obligations ;-) It was fairly easy to manage the 'third person': any vulnerabilities were noted down and acted on immediately, and he was paid to find further vulnerabilities (which fortunately he didn't). My reasoning for this was that someone, or he, was going to find any holes anyway; what better way for him to report them to me and get paid for doing it.

      Sure, it's only a small website with several thousand transactions a day, but I care about my users and wanted any security implications brought to my attention as soon as possible, and fixed as soon as possible, and our agreement worked fantastically: no further holes have been found, and lessons were learnt. That's probably why Microsoft and I differ: I care about my end users. You only have to look at their recurring .ANI bug and refusal to fess up to realize the difference ;-)

    7. Re:Can't beat em, join em? by Surt · · Score: 1

      I've seen plenty of exploits for auction on ebay over the years.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    8. Re:Can't beat em, join em? by Joe+The+Dragon · · Score: 1

      I got it buy hackbay.com and put it up for sale.

    9. Re:Can't beat em, join em? by Anonymous Coward · · Score: 0

      if you're microsoft, you have a lot to lose.

      Not as much as you would have had yesterday (if you were microsoft). And tomorrow there will be even less to lose.

      Microsoft is circling the drain...

      As the Gubenator once said, Hasta la Vista, Baby!

    10. Re:Can't beat em, join em? by ultranova · · Score: 3, Funny

      Your little website is one thing, but if you're Microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

      Why would anyone bother putting in more backdoors to the OS equivalent of Goatse ?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    11. Re:Can't beat em, join em? by AnonymousCactus · · Score: 1

      It's a lot easier to break a system than to make sure it's totally secure.
      If you're Microsoft, then it's even more difficult because you have to support tons of third-party outfits, legacy crap, and who-knows-what that the Office team requires.
      I think you'd be amazed to see how many exploits they prevented pre-emptively.
      Microsoft gets a lot of crap, but what they're trying is really hard. Implementing secure software is hard enough, now try doing so in a way that agrees with thousands of companies that you rely on, and which every hacker in the world will try to break. If Linux tried that, it wouldn't hold up either. Thank God, it doesn't...

    12. Re:Can't beat em, join em? by sjames · · Score: 3, Interesting

      That's MS's big problem. A LOT of people WANT them to fail because they're MS. Because fundamentally, a computer and its OS is supposed to do what the user wants, not what Bill Gates, the RIAA and the MPAA want it to do. There are enough people out there who know how to hack it up so it actually does do what they want. The more pragmatic ones WANT MS to fail because that's how to crack the content they want.

      Once the hacking is accomplished, a significant number of people will then abuse that code to get other people's computers to do what THEY want rather than what Bill wants (doing what the user wants is simply not up for discussion).

      The real beauty here is that the "bad guys" are turning the OS's own features against the creator (the other bad guys). The divine appropriateness of that is simply irresistible.

    13. Re:Can't beat em, join em? by iminplaya · · Score: 1

      Damn! With those kind of incentives, I wonder if pencil and paper are safe.

      --
      What?
    14. Re:Can't beat em, join em? by B_un1t · · Score: 1

      What Microsoft should be doing is pulling out a wad of cash for the hackers that are this good. They have the money to pay for their brilliant cracks to Microsoft's flawed code. Wouldn't it be considered a good investment to pay these hackers to work for MS? Won't they lose more money from all the hackers that buy the exploits in the long run? .02

    15. Re:Can't beat em, join em? by PingXao · · Score: 1

      This is the Free Market at work. If there's a market for something then enterprising risk takers will rise to fill that need. I say this half in jest, but half seriously.

    16. Re:Can't beat em, join em? by SeaFox · · Score: 1

      Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

      What if they tried holding their programmers to higher standards in the security of the products they produce, and then paid the ones that made the cut twice as much?
    17. Re:Can't beat em, join em? by misleb · · Score: 0

      Microsoft is circling the drain..


      Nah, they're just on their way to becoming the next IBM. Big, but mostly harmless. :-)
      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    18. Re:Can't beat em, join em? by rts008 · · Score: 1

      Only if you have an eraser, friend, only with an eraser.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    19. Re:Can't beat em, join em? by iminplaya · · Score: 1

      Actually the tool for hacking paper is scissors. The anti-virus is rock. Oops, does that mean the "protected process" is paper?

      --
      What?
    20. Re:Can't beat em, join em? by Master+of+Transhuman · · Score: 1


      I just read an article the other day about sites that are selling SUBSCRIPTION services to exploits!

      For $20 a month, you get new exploits.

      Even if they don't deliver, how many script kiddies probably will pay these guys the $20 - even if just for one month? Those guys just made a few score thousand dollars...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  6. Highly amusing! by gweihir · · Score: 1

    At the moment these people are doing great work. Just take the promises MS made and see them being invalidated pice by pice!

    The bottom line is that no matter what OS, competent system administration is essential. However MS makes system administration a lot harder than it is on other systems.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Highly amusing! by Anonymous Coward · · Score: 0

      What's a pice?

  7. Didn't we see this before... by NecroPuppy · · Score: 2, Informative

    With that OS protected space in Windows ME?

    I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
    1. Re:Didn't we see this before... by FutureDomain · · Score: 5, Funny

      I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.

      Well, it looks like you might be doing it again. Helping a friend with a malware problem, finding out that he has Vista, and buying a copy of XP to replace it.
      --
      Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
  8. Source code by iamacat · · Score: 0

    The guy is a low life for not releasing the source code. We need administration tools to manage our own systems, and yes Symantec would be one company with legitimate use of this functionality.

    1. Re:Source code by Original+Replica · · Score: 2, Funny

      Yes, it would make a nice tool for you to administer your systems. Or for anyone out there to "administer" for you.

      --
      We are all just people.
    2. Re:Source code by Anonymous Coward · · Score: 1, Insightful

      It's 7K, command line, and does only one job. Anyone could reverse this in their sleep.

    3. Re:Source code by cyphercell · · Score: 4, Insightful

      No one is a low life for holding on to their code. This guy just cracked one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that; just thank this "low life" for providing you with a binary tool you can use if you get into trouble.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    4. Re:Source code by eddy · · Score: 4, Informative

      Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud.sys", and then there's a registry update to load the driver.

      Someone who cares should write out the compressed buffer and disassemble that.

      --
      Belief is the currency of delusion.
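      The two hiding spots named in the comment above (a driver body written into an alternate data stream under the drivers directory, and a service registry entry that loads it) can both be enumerated from the defender's side. The script below is an added example, not from the thread or from Ionescu's tool; it assumes a Windows host with PowerShell 3.0 or later (needed for `-Stream`) and an account allowed to read the drivers directory and the Services hive.

```powershell
# Added example (not from the Slashdot thread or Ionescu's tool).
# Two checks for the hiding technique described above:
#   1. driver/service entries whose ImagePath points into an alternate data
#      stream ("file.sys:stream.sys"), and
#   2. files under %SystemRoot%\system32\drivers that carry any stream other
#      than the default unnamed :$DATA stream.
# Assumes PowerShell 3.0+ on Windows.

$driversDir = Join-Path $env:SystemRoot 'system32\drivers'

function Find-AdsServicePaths {
    # Walk every service key; ImagePath is REG_EXPAND_SZ and comes back expanded.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            $path  = [string]$props.ImagePath
            # Drop the NT-style \??\ prefix and any quoting so the regex sees a plain path.
            $clean = ($path -replace '^\\\?\?\\', '') -replace '"', ''
            # A colon anywhere after the drive-letter position, followed by a stream
            # name with no backslash, is the ADS separator. (A colon in command-line
            # arguments would also match; treat hits as leads, not verdicts.)
            if ($clean -match '^.{2,}:[^\\]+$') {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $path
                    Start     = $props.Start   # 0-2 load at boot/auto, 3 manual, 4 disabled
                }
            }
        }
}

function Find-DriverAds {
    # -Stream * lists every NTFS stream on the file; the main content is ':$DATA'.
    Get-ChildItem $driversDir -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

"Services whose ImagePath references an alternate data stream:"
Find-AdsServicePaths | Format-Table -AutoSize

"Driver files carrying non-default streams:"
Find-DriverAds | Format-Table -AutoSize
```

      Zone.Identifier streams on downloaded files are a common benign hit in the second list; a stream whose size matches a driver image is the one to pull and examine.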
    5. Re:Source code by iamacat · · Score: 1

      True if it's actually your own code. If you find a security flaw in a widely owned product written by others, it's good net citizenship to explain it to said owners so that they can (hire others to) protect against it and make use of any implications that are in their favor. As it is, he is displaying a typical 1337 attitude. "Hahaha, I know how to compromise your system, but I am not going to tell you!".

    6. Re:Source code by cyphercell · · Score: 1

      The boys in Redmond own this code, no one else. You don't know what his correspondence with them has been, personally I wouldn't let M$ off without a nice payout, aside from the fact that they will likely patch it on their own or write some software that does the same as Ionescu's. What Ionescu most likely gets out of this is nothing more than recognition and he deserves it. And tomorrow if you get some malware on your Vista box that simply can't be removed, you know where to get a tool that may help. On that note have you considered the fact that maybe he doesn't fully understand the depth of what he's discovered yet? Maybe releasing now would be premature; what if his software is also vulnerable to this problem?

      As it is, he is displaying a typical 1337 attitude. "Hahaha, I know how to compromise your system, but I am not going to tell you!".

      This is not true; right now Ionescu is a world class security expert on Windows Vista, and if he didn't play his cards close to his chest he'd be a damn fool. He is elite, you're not, get over it.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    7. Re:Source code by lskovlund · · Score: 1

      Indeed, and the driver simply gets the address of a data structure (using an API call) and flips a bit in it. I suppose this is vague enough to not constitute copyright infringement (but I have the code on my screen right now).

    8. Re:Source code by iamacat · · Score: 1

      Discovering a security hole is elite. Sitting on it and gloating is lame. I guess it's OK - both you and Ionescu will most likely reach the level of maturity required to understand this by your mid-20s. Now, why would I want to be elite in anything related to Vista? That's like being a world class expert on security in prison showers.

    9. Re:Source code by udippel · · Score: 1

      The boys in Redmond [...] will likely patch it on their own

      Exactly. The results will be:
        - An ever more broken Windows by adding a hack around this exploit
        - A frenzy to hunt for more such exploits, since this can is open now

    10. Re:Source code by cyphercell · · Score: 1

      Now, why would I want to be elite in anything related to Vista? That's like being a world class expert on security in prison showers.

      ROFLMAO

      Sitting on it and gloating is lame. I guess it's OK - both you and Ionescu will most likely reach the level of maturity required to understand this by your mid-20s.

      This whole post is just flamebait. He can build a very lucrative consulting business out of this, or get hired by a company that will pay him the salary he's worth; I mean, for all you know he's working at Kinkos. Besides, don't you think this is a little odd considering Vista is shipping with its own antivirus? It almost seems like M$'s AV could be guaranteed to work better than anything else. Either way the nature of the bug is beyond our understanding and you or I are really in no place to judge his merit.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    11. Re:Source code by cyphercell · · Score: 1

      If you weren't using Microsoft's products you really wouldn't give a rat's flippen ass about this. I don't.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    12. Re:Source code by cyphercell · · Score: 1

      Sorry, that was rude. The point is, though, that in a proprietary world "good net citizenship" is just that. If good net citizenship is not profitable, f*ck it. Symantec or any other AV co. would be sitting on this getting their panties wet pushing for the cover of Time magazine or the front page of the WSJ; this kid sits on it for a day and you're ready to lynch him.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    13. Re:Source code by Master+of+Transhuman · · Score: 1

      Well, no, he's not working at Kinkos. His blog has a post about his interviews at Google, Apple AND Microsoft (Microsoft was the only one that disappointed him, although he says the campus visit was awesome, since they give you $75 a day to blow any way you want while you're there for an interview.)

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    14. Re:Source code by cyphercell · · Score: 1

      Oh, he wants to work at Microsoft, this just reinforces my idea that he is holding on to this for heightened recognition. Had he released his info on day 1, it would be difficult to tell him apart from every plugger on /. running out to write their own version.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
  9. DRM in Vista is misunderstood by MarkByers · · Score: 1, Insightful

    > Not only threatening Vista DRM and friends

    The DRM in Vista is not intended to lock down your computer so that evil companies can control what you watch. This is impossible to do without a TPM chip. Microsoft knows this.

    The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

    'Cracking' DRM is on about the same level as downloading illegal copies online. Useful in some cases (such as when you bought a DRM'd song by mistake and wish to play it on your MP3 player/iPod), but still illegal (in the US at least).

    Now mod me down, Vista bashers!

    --
    I'll probably be modded down for this...
    1. Re:DRM in Vista is misunderstood by jomas1 · · Score: 4, Insightful

      The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

      You can't possibly mean what you just wrote. Vista's DRM is needed to play DRM-encrypted files? Why can XP and Windows 2000 play encrypted files?
    2. Re:DRM in Vista is misunderstood by Anonymous Coward · · Score: 0

      The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

      Is that all?

      Apple software allows DRM files to be played on both Windows and OS X. It's part of the application. So why is DRM enabling software a part of the OS again?

    3. Re:DRM in Vista is misunderstood by SanityInAnarchy · · Score: 1

      Without this feature, you would not be able to play DRM'd songs.

      There are plenty of ways to implement DRM, with or without OS support, with or without hardware support. Or you could turn off DRM altogether.

      In fact, why doesn't Microsoft do that? They're certainly in more of a position to deliver a big "fuck you" to the recording industry than Steve Jobs is.

      --
      Don't thank God, thank a doctor!
    4. Re:DRM in Vista is misunderstood by Anonymous Coward · · Score: 0

      Just to fill in the blank left by your rhetorical question...

      Or you could turn off DRM altogether. In fact, why doesn't Microsoft do that?

      The DRM is there to lock users into Microsoft software and file formats. Using the sweet-sell by collusion from the entertainment industry, they hoped to gain complete control of the end-users' computing environment.

      DRM in Vista is only misunderstood by people like the grandparent who are incapable of basic comprehension or analytical thought.

    5. Re:DRM in Vista is misunderstood by Anonymous Coward · · Score: 0

      Because Microsoft has no incentive to placate users. Their internal directive is to make businesses happy, such as the ones who enjoy DRM-ming up music.

    6. Re:DRM in Vista is misunderstood by CFrankBernard · · Score: 1

      And why do video download services such as http://www.netflix.com/WatchNow require Windows XP SP2? What's missing on Windows 2000 and Media Player 9? Do I really need millions of lines of unrelated bloat in XP to play the movie?

    7. Re:DRM in Vista is misunderstood by LO0G · · Score: 1

      That's silly. The two most common types of DRM used on Windows aren't Microsoft's formats at all: one is FairPlay (owned by Apple), the other is CSS (owned by the DVD Copy Control Association).

      DRM is there because if DRM wasn't there, you'd not be able to play DVDs, HD DVDs or Blu-ray discs on Windows. The owners of those formats don't care about Windows; they're more interested in the consumer electronics manufacturers. And every single one of the consumer electronics vendors is more than happy to put in whatever DRM the *AA wants.

      Microsoft could say F-You to the *AA, the result would be that the *AA would simply take its toys and go home - or go to Apple or Sony, who have already made it quite clear that they're more than willing to put whatever DRM that the *AA wants in its products.

    8. Re:DRM in Vista is misunderstood by revengebomber · · Score: 1

      Why can XP and Windows 2000 play encrypted files?

      A man named Jon, and later, a man not named Jon.
      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  10. this is just an another step by imbaczek · · Score: 4, Funny

    ...to start considering Vista as an usable OS.

    1. Re:this is just an another step by Anonymous Coward · · Score: 0

      ...to start considering Vista as a real Microsoft OS.
      There, fixed it for you.
  11. Wait, wait... by kripkenstein · · Score: 4, Interesting

    A typical process cannot perform operations such as the following on a protected process:
    [...]
    Access the virtual memory of a protected process

    It's been a while since I knew squat about operating system internals, but aren't processes supposed to not be able to access other processes' memory anyhow? I assume, then, that this means that 'protected processes' are special in that they are also protected from any 'supervisor'-type processes, not just run-of-the-mill? In that case, are 'protected processes' meant to protect the kernel from itself, in some sense?

    Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.
    1. Re:Wait, wait... by Guilly · · Score: 4, Informative

      There are ways, using the Windows API, for any process run with Debugger privileges (any Administrator really) to read, write, terminate, create threads, etc. in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

      It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

      This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.

    2. Re:Wait, wait... by Anonymous Coward · · Score: 0

      Even without reference to the hack in question, if you have permissions to open another process's memory, then there is a straightforward way of doing this.

    3. Re:Wait, wait... by kripkenstein · · Score: 1

      There are ways, using the Windows API, for any process run with Debugger privileges (any Administrator really) to read, write, terminate, create threads, etc. in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

      Interesting.

      This seems very non-secure to me. Any idea if this is standard on other OSes than Windows?

    4. Re:Wait, wait... by randyflood · · Score: 2, Interesting

      I could be wrong, but I think Windows (2000, XP) generally allows processes running under the same user to look at each other's memory and such. This is useful when you want to debug a program or whatever. It's generally designed to protect users from each other, rather than protect users from themselves.

      --
      Randy.Flood@RHCE2B.COM
    5. Re:Wait, wait... by misleb · · Score: 0

      So basically this whole "protected processes" thing is just a hack to fix their original poor/insecure design? Imagine that. I seriously think Microsoft should just scrap Win32 and start from scratch (or adopt something that is known to be relatively secure and stable). Win32 blows.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    6. Re:Wait, wait... by Anonymous Coward · · Score: 2, Insightful

      root can read and write kernel and process memory under Linux. (Via /dev/kmem and /proc//mem.)

    7. Re:Wait, wait... by init100 · · Score: 1

      So basically this whole "protected processes" thing is just a hack to fix their original poor/insecure design?

      If the ability for the admin to manipulate the memory of any process is a poor/insecure design, then most operating systems I know of are poorly designed and insecure. Do you want processes on your computer that you cannot manipulate, and that only obey Microsoft?

    8. Re:Wait, wait... by Anonymous Coward · · Score: 0

      sit. good boy! shake. good boy! now, don't be gay! don't be gay, sparky! don't be gay!

      well, hope that sets you straight...

    9. Re:Wait, wait... by Anonymous Coward · · Score: 0

      It's not that it should be impossible to share memory - the idea is more that a program can't accidentally clobber another program, and can't do it without the OS's permission. Windows has APIs that allow processes to access other memory belonging to other processes, but it acts as a gate keeper.

    10. Re:Wait, wait... by lord_sarpedon · · Score: 1

      Yes. Thank heavens they patched away "debugging." Nothing but a plague upon mankind... If you're going to hate on MS, get your facts straight.

      --
      "Strangers have the best candy" -Me
    11. Re:Wait, wait... by kinkie · · Score: 1

      Under Linux, it's /proc/pid/mem:

      kinkie@loki:~$ll /proc/6282/mem
      -rw------- 1 kinkie kinkie 0 Apr 7 22:02 /proc/6282/mem
      kinkie@loki:~$echo $$
      6296

      see? I can alter my own processes' memory, no problem.

      --
      /kinkie
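      As an added example (not code from kinkie's post or anyone else in this thread), here is a small Linux C program that reads and then rewrites one of its own variables through /proc/self/mem, the interface shown in the listing above. The kernel applies its ptrace access check when the file is opened, so a process always passes for itself, and root or the same user passes for another process unless Yama's ptrace_scope or a non-dumpable target forbids it; the variable and its values are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not from the thread: a process touches its own memory
 * through /proc/self/mem. The file offset passed to pread/pwrite is the
 * virtual address being accessed. Linux only. */

/* Reads the bytes at `value` through /proc/self/mem.
 * Returns 1 if the copy read back equals the variable's current contents. */
int mem_read_matches(const volatile uint32_t *value)
{
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0)
        return 0; /* no procfs, or the ptrace access check refused us */
    uint32_t copy = 0;
    ssize_t n = pread(fd, &copy, sizeof copy, (off_t)(uintptr_t)value);
    close(fd);
    return n == (ssize_t)sizeof copy && copy == *value;
}

/* Overwrites `*value` through /proc/self/mem instead of by assignment.
 * Returns 1 if the write went through and the variable now holds
 * `replacement`; this is the "alter my own process's memory" case. */
int mem_write_via_procfs(volatile uint32_t *value, uint32_t replacement)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return 0;
    ssize_t n = pwrite(fd, &replacement, sizeof replacement,
                       (off_t)(uintptr_t)value);
    close(fd);
    return n == (ssize_t)sizeof replacement && *value == replacement;
}

int main(void)
{
    volatile uint32_t secret = 0x41414141u; /* constructed sample value */
    printf("read via /proc/self/mem matches: %d\n", mem_read_matches(&secret));
    printf("write via /proc/self/mem ok:     %d\n",
           mem_write_via_procfs(&secret, 0x42424242u));
    printf("secret is now 0x%08x\n", (unsigned)secret);
    return 0;
}
```

Pointing the same open() at /proc/<pid>/mem of a different process is where the access check bites: with kernel.yama.ptrace_scope set to 1 only a descendant's memory can be opened by an unprivileged user, which is the closest thing Linux has to the "wall" this thread argues about.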
    12. Re:Wait, wait... by physicsnick · · Score: 1

      Does that mean you could make a WoW hack in a protected process?

    13. Re:Wait, wait... by faragon · · Score: 1

      You're right, it also works in Vista (the only untouchable processes are the "protected" ones, like Winlogon). Unfortunately, we are forced to use it to achieve trivial tasks such as grabbing the cursor icon used inside a third party application window, and other "accessibility" hooks, as the ones officially provided by Microsoft are not enough. Personally, I hate to use these tricks; IMO it is the result of a bad OS design, as we are not using it for "evil" applications, just normal ones that make the average Joe's life easier.

  12. Wow. by Anonymous Coward · · Score: 0

    I thought vista was insecure because they rushed to bring it to market prematurely.

    Looks like I'm completely wrong - It's flawed to the core and will NEVER be secure.

    Not in 2 years, or 3, or 4, or even 5... but we'll have XP sp3 by then, so no worries.

    THE 64,000 QUESTION - WHO WILL STEP UP? Now taking bets and holding cash for fools.

    1. Re:Wow. by Anonymous Coward · · Score: 0

      Wow. You're an idiot.

  13. Ever since DOS by Original+Replica · · Score: 4, Insightful

    I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

    --
    We are all just people.
    1. Re:Ever since DOS by Anonymous Coward · · Score: 2, Insightful

      You should try this new Linux thing out!

      It's awesome. I type commands, it obeys them. It never patronises me. The security works FOR me, not against me.

      Now THAT is user-friendliness.

    2. Re:Ever since DOS by Anonymous Coward · · Score: 5, Funny

      I miss the days when I gave my computer commands not suggestions.

      You are becoming nostalgic, Deny or Allow?

    3. Re:Ever since DOS by syrion · · Score: 1

      I installed Fedora Core 6 yesterday, and I have actually gotten a few "that operation is not allowed" messages trying to chown a directory on a drive mounted by root. That's getting kind of annoying, I have to say. (Is there a good userspace mount utility?)

    4. Re:Ever since DOS by Kjella · · Score: 1

      You are becoming nostalgic, Deny or Allow?

      I much prefer the Windows XP auto-update dialog. "(blahblahblah) Would you like to reboot now?" with exactly one button: "OK". Where's my "No it's NOT fucking ok!"

      --
      Live today, because you never know what tomorrow brings
    5. Re:Ever since DOS by Anonymous Coward · · Score: 0

      That message "permission denied" you get as root does not translate to a security check. It translates to "cannot change owner of files on a FAT-32 filesystem." Hot tip: try setting umask 0 before mounting said filesystem OR adding the "user" option to that filesystem's fstab entry and mounting it as that user.

      The userspace mount utility you refer to is /bin/mount. Try man fstab for how to configure it.

    6. Re:Ever since DOS by Anonymous Coward · · Score: 0

      Then use a better OS nitwit. There are even free OS's that work the way you want and have lots of software to boot.

    7. Re:Ever since DOS by syrion · · Score: 1

      Really? I'd done it before, I was pretty certain. I seldom have to mess with this issue, and thought there was a way for me to give a user write permissions on a mounted drive with either chmod or chown. chmod wouldn't take, though--the permissions didn't seem to "stick." So, I thought: "Maybe I did it with chown," but, as you say, no go. "mount -Uuid" also didn't work.

    8. Re:Ever since DOS by syrion · · Score: 1

      Self-reply: looking back at the manpages, "-Uuid" isn't even supposed to be a switch for this purpose. Ugh. I need to stop trying to do things at 2 AM.

    9. Re:Ever since DOS by Udo+Schmitz · · Score: 3, Funny

      I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

      So, is using a Vista PC like talking to the bomb in Dark Star?
    10. Re:Ever since DOS by zippthorne · · Score: 1

      I'd rather they needed only a little software to boot.

      --
      Can you be Even More Awesome?!
    11. Re:Ever since DOS by Skater · · Score: 1

      Easiest way to handle it is in your fstab:

      /dev/hda1 /mnt/win ntfs defaults,ro,gid=100,uid=1000 1 0

      That's what I use to mount the Windows partition on my drive - now, I have it set to RO because it's NTFS and when I set it up we not could write safely to NTFS. The GID and UID specify my group and user IDs of course. Change that last 1 to a 0 if you don't want it to auto-mount on boot, and add the word "user" in there if you want regular users to be able to mount/dismount the device (such as for removable media).

    12. Re:Ever since DOS by Skater · · Score: 1

      not could

      By which I meant "could not". Sigh. If you want something done right these days, you gotta contract it out...

    13. Re:Ever since DOS by Khyber · · Score: 1

      I choose Fail, because that's usually the problem with the hardware, in the first place, and I just need to replace it ;)

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re:Ever since DOS by syrion · · Score: 1

      Thanks. I got it figured out eventually. I just have to learn not to mess around when it's after midnight. :)

    15. Re:Ever since DOS by revengebomber · · Score: 1

      Deny or Allow?

      In my day, we had Abort, Retry, and Ignore. And we liked it.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    16. Re:Ever since DOS by Anonymous Coward · · Score: 0

      You can use pmount/pumount to manually mount/unmount removable media on most distros these days, to save setting up an fstab entry for any removable media you might want to use.

    17. Re:Ever since DOS by totally+bogus+dude · · Score: 2, Funny

      I had the opposite problem a week or two ago on a Windows 2003 server (or is it a Windows Server 2003 server? I can never remember). It actually amused me enough to take a screenshot of it, but for those who don't want to view ad-supported screenshots of Automatic Update dialog boxes:

      Updating your computer is almost complete. You must restart your computer for the updates to take effect.

      Do you want to restart your computer now?

      The two buttons, "Restart Now" and "Restart Later" are disabled. So is the close window ("X") button for the dialog itself.

      I'm pleased that it's not offering to let this non-privileged user reboot our server; but I can't help but think it would be better to check if they're able to reboot the system before displaying the dialog. Also, why was the "restart later" option disabled? Maybe unprivileged users aren't allowed to interact with the Windows Update dialog at all, but if that's the case, why is it being displayed on their screen?

      Full disclosure: I was setting up RDP access to the server for an external contractor, and logged in to add them to the "Remote Desktop" group. While I was there I installed updates from Windows Update, and it wanted a reboot - I deferred it for later and logged out so I could log in as the contractor's (non-admin) account to set up appropriate shortcuts on the desktop and make sure they had access to what they needed to access. The automatic updates dialog appeared immediately after I logged in as this unprivileged user. (I actually used Task Manager to close it.)

  14. biting the hand that feeds you by kv9 · · Score: 5, Funny

    He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.

    not for long, I bet.

    1. Re:biting the hand that feeds you by Anonymous Coward · · Score: 0

      I'll bet a promotion is in his future.

      Being able to duct-tape the Windows Kernel requires skill at this point. Let alone what he does.

    2. Re:biting the hand that feeds you by shawkin · · Score: 1

      He just took a job at Apple with the kernel team. Heh.
      He also interviewed with Microsoft and Google.

  15. Paul Graham confirms it by Anonymous Coward · · Score: 0

    Microsoft is dying

  16. Sure dood... by Anonymous Coward · · Score: 0

    6 month detention without charge is not intended as totalitarianism. Places like Gitmo exist to give people a choice about freedom and without them we wouldn't have any freedom.

  17. Re:cmdrdildo by dreamchaser · · Score: 1, Informative

    Ballmer, we told you before not to post here as an AC. Now you're late picking up Bill's dry cleaning, so stop dicking around and get back to work!

  18. You think so? by Fallen+Kell · · Score: 2, Insightful

    Do you really think so? Why would MS pay someone $300,000-500,000 when they have people who get $70,000 that could simply scan the code itself? They won't upset their current pay scales and pay grades to place "hackers" into their business units. For one, many of those "hackers" are hackers because they have a record of conduct that does not work in a normal business environment. Be it social, societal or other issues (potentially, and not limited to, criminal and trust issues). In fact, some people may not even be employable due to said activities due to security reasons.

    Again, MS sure isn't going to hire a hacker who is paid more than their bosses, and that is for sure.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re:You think so? by sqlrob · · Score: 3, Funny

      Right, like those code scanners that preemptively found the second ANI bug after the first was found. Those code scanners?

  19. wtf moron? by Anonymous Coward · · Score: 0

    learn to write code yourself instead of attacking people, retarded fsck.

  20. New Meaning for "Genuine Advantage" by BoRegardless · · Score: 2, Funny

    Genuine Advantage seems to now benefit the bastards too.

  21. possible silver lining by Trailer+Trash · · Score: 3, Interesting

    Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...

    1. Re:possible silver lining by flyingfsck · · Score: 1

      I wonder whether Cygwin runs on Vista yet. If it does, then that may be a solution for your copy problem.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:possible silver lining by Trailer+Trash · · Score: 1

      My copy problem? I don't use vista. Funny thing was, I was joking in the grandparent and got modded up to interesting. It actually is something to consider, though, to fix vista's problems by hacking it to bypass the bs.

  22. No reason to run Vista by JackMeyhoff · · Score: 1, Troll

    Outside of being forced to use it at work, at home it brings nothing of VALUE.

    --
    http://www.rense.com/general79/wdx1.htm
    1. Re:No reason to run Vista by misleb · · Score: 0

      Man, I love being on the IT side of things. I can run whatever I want. God help me if I ever take a job where the company I work for can actually dictate what I run on my desktop.

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    2. Re:No reason to run Vista by Anonymous Coward · · Score: 0

      I work for Microsoft. While we target Vista for our "client" side applications (and Longhorn for our server side), I personally prefer to use 2003 or XP 64 (I'm a 2000 fan also). I have Vista on a machine and it's a stinky piece of shit, and even while I can use it for FREE and buy it at employee pricing, I steer friends and family away from it.

  23. Surprising really? by loconet · · Score: 3, Funny

    If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.

    --
    [alk]
    1. Re:Surprising really? by Anonymous Coward · · Score: 0

      This is more important than you realize!

      Microsoft claims how much Vista cost to build, but it doesn't provide any details of its construction. For example, it may have given each employee a gold toilet - costly, but useless. I believe the Microsoft development process is similar. In this case replace golden toilet with middle managers...

    2. Re:Surprising really? by gEvil+(beta) · · Score: 1

      If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.

      Hah! Shows what you know. I don't have to paint my excrement to get it that pink color...

      --
      This guy's the limit!
    3. Re:Surprising really? by l0b0 · · Score: 1

      And rounded edges. Don't forget the edges.

  24. Disassemble it by eddy · · Score: 2, Insightful

    Considering the executable is just about 6K and doesn't seem protected/compressed, reversing it ought to be fairly trivial. Try the demo version of IDA.

    --
    Belief is the currency of delusion.
  25. Again? by Proudrooster · · Score: 2, Interesting

    VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.

    Bill Gates wants more cheap labor to waste on useless software. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?

    1. Re:Again? by ConceptJunkie · · Score: 1

      Bill Gates and company have successfully created the software version of Soviet Russia, where software runs you. I've always complained that Microsoft never understood that the software should work for you, not you work for it, and Vista seems like a step _further_ in the direction of making the user do work.

      Of course, I guess that's better than something like Word, where it takes 3 times as long to get anything done as it should because of all the unpredictable and illogical "helpful" stuff that the program keeps doing for you.

      I miss the old days when software was a tool rather than a shackle. Oh wait, no I don't, there's always Linux.

      --
      You are in a maze of twisty little passages, all alike.
  26. Good, now MS cant dictate software advantage by plasmacutter · · Score: 3, Insightful

    All DRM issues aside, I'm surprised nobody has brought up new antitrust charges, especially in Europe, for this idea that Microsoft is allowed to deny a company the ability to use process protection.

    By doing that they give incumbents an advantage over others and are using their OS to expand monopoly interests into other sectors.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    1. Re:Good, now MS cant dictate software advantage by TheNetAvenger · · Score: 1

      for this idea that Microsoft is allowed to deny a company the ability to use process protection.


      Um, no... Other companies are NOT denied the ability to use process protection. You can get software signed to be trusted and run as protected processes.

      The trick here is that the software example is able to access a 'protected process'.

      Also this has been brought before the EU already by Symantec and McAfee. Symantec and McAfee want the right to be able to read 'any process' on the system, whether it is protected or not, so they can screw with every part of the OS that they have NO BUSINESS touching.

      So this proof of example code is something that MS knew was possible, but did not openly disclose to Symantec, but I do believe they were forced to already.

      Also of note, because this uses a driver trick, the ability to read protected processes on Vista as demonstrated in this proof of concept fails on Vista x64 because of the strict kernel driver signing requirements.

      This whole thing is also not a break or a flaw in Vista whatsoever, as this is not a hardline security wall. So the *nix people thinking that Vista's security has been compromised are either really stupid or misleading people.

      People here seem to think example code is some 'exploit' of Vista, or some 'security breach' of Vista, but it is nothing like that whatsoever.

      Vista introduces the concept of protected processes that 'try' to enhance security a bit more by creating a level of security that is 'process exclusive', so that no other security account can ever access it.

      This type of 'security' DOES NOT EVEN exist in OSes like BSD or Linux, as 'root' or the highest security level always has 'power' to read and control all other processes on the OS.

      So if *nix people think this is a security exploit in Vista, then the whole design model of security in *nix OSes would be a security exploit as well, since root has the ability to read/modify/end any process on the OS.

      This security wall in Vista is also not a DRM issue. Why on earth people keep confusing this is borderline retarded. DRM could use a protected process flag, as the HDCP does use this, but it inherently has NOTHING to do with DRM whatsoever.

      This is nothing but a new 'security wall' introduced in Vista to help further enhance basic system security so that the upper level system processes can not be touched by other processes, even if the other processes somehow obtain the equivalent to 'root' level security access.

      So this is 'additional' security on top of the basic NT token based security mechanism, and is nothing more. This is a 'wall' or 'level' of security that DOES NOT EVEN EXIST in the *nix model, as a process cannot protect itself from 'root' level security.

      Does everyone Understand?

    2. Re:Good, now MS cant dictate software advantage by angulion · · Score: 1

      First, I have no personal experience with Vista.

      This has everything to do with DRM. "Protected process" I see as nothing else than preventing you, the computer owner, from doing whatever pleases you with your computer. The MPAA most likely requires that their precious movie on an HD DVD or Blu-ray disc only be played/viewed with a media player that is a "protected process", otherwise you, the owner of the system, might do something evil like attaching a debugger to the media player process or poking around in its memory to get the decryption key.

      Is it a security flaw? Maybe: 1) you, the owner of the system, regain more control, 2) malware might use this to *stay* running and there is not a thing you can do to stop it (unless you know about this "trick").

      Unix/Linux does not have this problem because it doesn't try to stop the owner doing as (s)he wishes, including the case when root wants to kill a process belonging to a rootkit.

    3. Re:Good, now MS cant dictate software advantage by TheNetAvenger · · Score: 1

      This has everything to do with DRM. "Protected process" I see as nothing else than preventing you, the computer owner, from doing whatever pleases you with your computer.

      Um, no...

      By definition you can call it that, but it doesn't have the 'intent' of protecting software from the user or the owner, like DRM does. The 'owner' of the computer can ALWAYS circumvent anything in Windows.

      What protected processes are for is to specifically prevent 'important' processes from being touched by any other process, no matter what the permissions are.

      Malware has this pesky little thing it does. If it can socially engineer the user to approve it, or if it can slide through a new exploit, then it could modify the core of the OS; by having 'root' type authentication it could mess with anything.

      Protected Processes are just 'another' wall to prevent this from happening, as there is no need for an application to ever modify the core OS system processes while they are running. (Remember this is just about when the user is booted into Windows' Win32/Win64.)

      Applications that do this are a form of 'malware' to the OS, as the 'owner' of the computer is not modifying or controlling these processes, but ANOTHER process is trying to modify them.

      There are fixed and standard APIs to work with other processes through standard interfaces; actually modifying a process through OTHER means because you have security over it is not a great idea.

      Unix/Linux does not have this problem because it doesn't try to stop the owner doing as (s)he wishes, including the case when root wants to kill a process belonging to a rootkit.

      Well, technically, all processes can be killed in Vista from an administrator account, although it may not be through the common interface of taskmgr or other tools.

      And if the owner wants to modify Explorer.exe even, they can boot into the new Vista command prompt or 'recovery console prompt in previous versions', and then modify files, the registry, anything the owner wants to.

      Hence, the owner does OWN the computer.

      Protected processes are about adding security to applications/processes running, not what the user can modify.

      For as much 'security' bashing MS has taken with Windows over the years, adding in a new layer of security to prevent exploits from harming the computer should be seen as a good thing to security experts.

      Imagine this: Two viruses are released that target exploits in a *nix distribution and Windows Vista. Both can obtain root remotely or via social engineering. The *nix Virus can FUBAR anything it wants. In Vista, the OS is going to be left unharmed because of the protected process security wall.

      (This is a bit extreme example, as Vista would not be totally unharmed, but it would hold up to anonymous changes to system core files and changes to the main operation of the OS.)

      I'm not going to argue that this is the all time best or end game solution, but for what MS has been facing with security, it is a road on which they have to think outside the box.

      Giving root level security uncontrolled access to every process is really stupid when there would be no reason for any process to EVER need to modify a system service or even monkey with ntdll.dll.

      This would be different if MS didn't give the users the ability to circumvent or change anything about Windows they want to by booting into a limited environment to make the changes.

  27. Good idea, bad implementation. by Animats · · Score: 5, Insightful

    "Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

    Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

    In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.

    If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

    1. Re:Good idea, bad implementation. by plasmacutter · · Score: 1

      "Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

      you're kidding, right? securing the computer's processes against its own owner without any option for override is reasonable?
      how about I do that to your house, and make you pay me rent on top of your mortgage for the "right" to use those extra bedrooms, kitchen cabinets, and garage space?

      Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

      no.. debugging is not a "security" problem, and debugging is present in unix and linux. protected processes are designed specifically to lock out debuggers, and also to prevent non-incumbent vendors' software from interacting or competing with who microsoft arbitrarily designates as the incumbents.
      --
      VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    2. Re:Good idea, bad implementation. by Anonymous Coward · · Score: 0

      So the video decoder^W^W user can be protected, but doesn't have enough privileges to act as^W^W run an aimbot for some game

      Fixed that for you.

      I think the comment a few threads up ("Gee, I remember when I gave my computer commands, not suggestions,") says it all. What makes you think the authority to run an aimbot belongs in the hands of anyone except the owner of the computer? What makes you think that a trusted authority will behave any more responsibly than I would?

    3. Re:Good idea, bad implementation. by zippthorne · · Score: 1

      "What makes you think the authority to run an aimbot belongs in the hands of anyone except the owner of the computer? What makes you think that a trusted authority will behave any more responsibly than I would?"

      Counterstrike.

      --
      Can you be Even More Awesome?!
    4. Re:Good idea, bad implementation. by Spy+Hunter · · Score: 3, Informative

      Protected processes are a terrible idea, and they have no analog in Unix. You have misunderstood the purpose of protected processes. It has nothing to do with protecting processes from each other for better security. It is *only* about protection from the *user* for media. Protected processes cannot be written by anyone but Microsoft and "trusted" partners (theoretically) and are supposed to be immune from tampering by every user, even one with the highest possible administrative rights. No Unix has this concept, because it is retarded. It removes your own control over what your computer is doing and hands it to Microsoft and a few "trusted" companies which are allowed to write protected processes.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    5. Re:Good idea, bad implementation. by kevinadi · · Score: 1

      UNIX was made by researchers for their own security.
      Windows was made by MS for their own "security".

      There's a big difference there.

      All the myriad of hooks you mentioned might just be intentional, for purposes that benefit some, and not so beneficial to many.

  28. It's really Melinda's fault by ColdWetDog · · Score: 5, Funny
    What you're missing is the higher social value of interacting with your computer on a more equal basis. Just like women, Computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

    So get off your old, tired, 20th Century horse and get with the new paradigm.

    Just a suggestion of course.

    --
    Faster! Faster! Faster would be better!
    1. Re:It's really Melinda's fault by Randseed · · Score: 1

      What you're missing is the higher social value of interacting with your computer on a more equal basis. Just like women, Computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

      So get off your old, tired, 20th Century horse and get with the new paradigm.

      Just a suggestion of course.

      And if Microsoft has its way, just like women, the OS will have the option of deciding to stop working with you, then walk off, taking half your assets and any younger computers with it.

    2. Re:It's really Melinda's fault by Master+of+Transhuman · · Score: 1


      Or you can do what the PUAs (Pick-Up Artists) recommend: always remember that women just want to be bent over.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  29. How do you think trainers work? by SmallFurryCreature · · Score: 1

    What is not supposed to happen in "normal" circumstances is that one process "accidentally" accesses a part of memory not assigned to it. However, plenty of programs work by doing this on purpose and as long as they behave, there is nothing wrong with it. It just so happens that trainers are a common example.

    However typically with trainers, the user level is the same. There is no real problem with a trainer I run, modifying the memory of a program I am also running. It becomes more of a problem if user levels are not accepted (should I be able to read the memory of a program belonging to another user?).

    In the Vista/DRM case the problem is even more severe because there even processes belonging to you should still not be accessible to you. Why not? Well, because you are a nasty mean piraty who steals the living from hard working people, you commie!

    But no, traditionally OS'es do NOT protect process memory against deliberate snooping.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  30. You're joking, right? by MarkByers · · Score: 2, Informative

    > Why can XP and Windows 2000 play encrypted files?

    The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...

    --
    I'll probably be modded down for this...
    1. Re:You're joking, right? by jomas1 · · Score: 2, Insightful

      > Why can XP and Windows 2000 play encrypted files?

      The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...

      Ok so your original quote that suggested Vista's DRM, which is clearly different when compared to XP's and 2000's DRM mechanisms, is somehow a good thing was wrong? Or were you trying to say that some type of DRM is necessary? If the latter, then I don't know yet if I disagree. I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy. Ionescu did not make Vista any less secure than it was a week ago. He's simply let some of us know that Vista is really not ready for the mainstream market. Who knows, maybe he's even inspired Redmond to get Vista SP1 out the door earlier.

      I still use Windows 2000 from time to time and don't yet see what advantages Vista has but I'll give the OS some time to mature.

    2. Re:You're joking, right? by Razed+By+TV · · Score: 1

      I'm going to go out on a limb here, but I think GP's point was that we can already play drm files on WIN XP/2000. What functionality does vista add to that? We already had the ability to play DRM'd files. It's not like this is some new vista-only technology, so why pass it off like Vista is the only way to play files with DRM? Yes, vista can play DRM files. Also, the sun rises in the morning.

      Was there a different point you were trying to make, perhaps relating to content providers and some sort of Vista only DRM?

  31. WHat the heck? Windows processes are WEIRD by Anonymous Coward · · Score: 2, Insightful

    http://www.microsoft.com/whdc/system/vista/process_Vista.mspx

    Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?

    Processes can "inject threads" into other processes? Buhuh?

    Here's apparently more of what processes can't do to Protected Processes in Windows:

    Inject a thread into a protected process
    Access the virtual memory of a protected process
    Debug an active protected process
    Duplicate a handle from a protected process
    Change the quota or working set of a protected process

    So yer telling me, normal processes can do this to other normal processes in windows?

    Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process separation would apparently require the setting of a lot of ACLs in Windows, if it can be done at all.

    The footnote at the end is the best though!

    "Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. "

    Please play nice with our restriction scheme!

    I bet this is what our enterprising hacker has done.

    Before MS sics their lawyers on me, the above quotes were used for the purposes of review.

    1. Re:WHat the heck? Windows processes are WEIRD by Tony-A · · Score: 1


      what processes can't do to Protected Processes ...
      Debug an active protected process


      So, logically, we have undebuggable "Protected" Processes.
      Figures.

  32. This is how it's done by Anonymous Coward · · Score: 5, Informative

    The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses an 848-byte driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the necessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...

    1. Re:This is how it's done by AndrewNeo · · Score: 1

      And here everyone is complaining about UAC, while it's the only thing between you and installing that driver.

    2. Re:This is how it's done by Jesus_666 · · Score: 1

      You are forgetting about the boy who cried "wolf". Deny or Allow?

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    3. Re:This is how it's done by SiliconEntity · · Score: 1
      Very interesting. Thanks for that description. I note this rather amusing comment in the Microsoft document on protected processes:

      Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment.

      Yet that is basically exactly what this hack does.

      Note that this will not work in 64-bit Vista because there, only signed drivers can be loaded. Only in 64-bit Vista are "protected processes" truly protected.

      It does mean though that Ionescu is right that virus scanners and the like cannot assume that protected processes are benign, not in 32-bit Vista anyway. Malware could install a bad driver and get it to create a protected process to do its dirty deeds. It would seem that a tool like his is needed to get good AV protection in 32-bit Vista.
    4. Re:This is how it's done by cookd · · Score: 1

      It's also important to note that both 32-bit and 64-bit Vista maintain a concept of kernel "taint". If you load an unsigned driver, the kernel is marked as tainted. Apps have the option of refusing to run if the kernel is tainted. It is expected that in the future, WinDVD and similar products will do this. (You CAN load an unsigned driver in 64-bit Vista, but you have to turn off the on-by-default restriction each time you boot.)

      Of course, if you load a driver that is unsigned, it can try to mark the kernel as untainted again. Then Microsoft will issue a patch to prevent this, then the driver will be updated to work with the patch, then Vista will be updated again, then the driver will be updated again...

      --
      Time flies like an arrow. Fruit flies like a banana.
    5. Re:This is how it's done by lowe0 · · Score: 1

      Being vigilant is a pain in the ass. I'm sorry if people don't want to think about what their computer is about to do, but connecting a device containing your sensitive personal data to a worldwide network seems like a pretty bad time to go on mental autopilot.

  33. The Philosophy of Protection by The+Living+Fractal · · Score: 3, Insightful

    I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grok this. Neither do DRM proponents. Information will find a way to get through, around, over and above, and beneath all obstacles.

    So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.

    The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.

    In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.

    --
    I do not respond to cowards. Especially anonymous ones.
  34. Looks like 32-bit by figleaf · · Score: 3, Interesting

    I would like to see him do this in 64-bit.
    32-bit allows unsigned code in kernel mode for legacy reasons, so it's much easier to inject into 32-bit processes.

    1. Re:Looks like 32-bit by Marton · · Score: 1

      Wuhudutoomhum? You're mixing up what little knowledge you have.

      The same thing will work in x64 if you go the extra step and bother to sign the driver that allows for this trick.

      It is worth noting however that - while the trick is extremely simple - it doesn't really get you much. Turning off the protection flag on a process? Big deal. The interesting DRM stuff is in the kernel anyway. Turning ON the protection flag on something with malicious intent? Well now that the cat's out of the bag anyone can turn off that flag again just as easily... and like the docs say, the system can (and does) rely on the fact that the protected flag is only turned on for specially signed code. Turn on the flag for a non-MS signed process and watch calls to CreateThread, LoadLibrary, and God knows what else fail with weird error codes. Pretty useless, wouldn't you say?

      This is just a silly hack with little-to-no practical use.

  35. That man is a cyber ninja. by Unknownk+Kadath · · Score: 1

    Someone give him an internet!

  36. User competence by Anonymous Coward · · Score: 1, Insightful

    I have been using ME for years without ANY problems with spyware or malware. Zip.
    I still use ME for one and only one purpose, to play World Of Warcraft (incidentally WoW officially does not support ME, but it runs great). For all other things I use my linux box (and I use THAT competently as well).

    Why am I not infected? Simple: I am a very competent user. I know how to configure my router and my system properly, and I know how to avoid doing the sorts of things that get a system compromised. ME was one of Microsoft's weakest releases...but when used intelligently it is quite solid and safe.

    The problem is that Microsoft is trying to make the OS protect its users from their own incompetence. It is a noble idea, but it is doomed to failure. No matter how secure they make it, their users will fall victim to the socially-engineered exploits of malicious developers every time. Furthermore, the attempts made to protect the user from this will actually make it harder to fix the system after it has been compromised, and will make it harder for competent administrators to do their job.

    Microsoft winds up with the worst of both worlds.

    Computers are not like cars. The complexity that they represent cannot be neatly tucked away under the hood. I know that people would prefer to avoid dealing with this complexity (it is tedious and uninteresting to most people, and I sympathize), however, the reality of the situation is that computers are and will remain complicated. Those who don't learn the details are and will always remain a danger to themselves and to everyone on the net, despite Microsoft's best efforts.

    1. Re:User competence by bhtooefr · · Score: 1

      Why not run 98 instead? It's faster and more stable... and largely the same damn thing as ME. :)

    2. Re:User competence by Anonymous Coward · · Score: 0

      I like the comparison to cars.

      Everyone wants to have a car. But to use it you need to get a driver's license. You learn how to handle your car, to not damage it, you learn what those blinking lights tell you and you learn how to change oil and keep your car in a good state. You learn the rules to drive on the highway and you learn about the risks. Your car is made for driving, not for flying, cooking, washing, etc and that's what you learn.

      Computers are different. Still everyone wants to have one, and everyone wants to browse the www. But you don't need a license. You just buy one, and then use it. The user-friendliness of modern OSes implies that everything is soo easy and no one ever looks under the hood. The problem is that OSes are made to do a lot of different tasks and the normal user has no clue about what his machine can do and what not. They use it for browsing the internet and playing some games. And when suddenly something goes wrong, people tend to blame their ISP, because all they notice is that internet doesn't work anymore.

      With computers, it's like giving a 3 year old child a tricycle with a 100 PS engine and a rocket launcher and pointing him out to the highway.

  37. Easy Attack Vector by Anonymous Coward · · Score: 0

    Offer a free copy of Windows Vista to anyone who goes to your infected site. Wait that only works for Mac users.

  38. Debugging.. by Henk+Poley · · Score: 1

    It's not like debuggers couldn't have special privileges, instead of all processes having access rights to other programs memory space.

  39. Access this... by Anonymous Coward · · Score: 0

    Security101::securityByObscurity(); //This class has been demoted and replaced by modern understandings of programming

  40. No, debuggers can't have special privileges by DeadCatX2 · · Score: 2, Interesting

    When you start a process, you start it with a certain set of privileges. If you're logged on as administrator, your calls to CreateProcess can start processes with a different set of privileges.

    When you make a Windows API call to something like CreateRemoteThread, you need a handle to the process you're interested in. If the right security bits aren't set (and they get set by the call to CreateProcess), CreateRemoteThread returns unsuccessfully.

    Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?

    --
    :(){ :|:& };:
    1. Re:No, debuggers can't have special privileges by AvitarX · · Score: 1

      Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?

      This is obvious, you give them the permission but run them as protected. This prevents other apps from modifying them.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:No, debuggers can't have special privileges by DeadCatX2 · · Score: 1

      Yeah, but whatever you do to make a debugger special, someone else can do with a non-debugger.

      --
      :(){ :|:& };:
    3. Re:No, debuggers can't have special privileges by Henk+Poley · · Score: 2, Insightful

      Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?

      Only make programs 'unprotected' if they are started by a debugger. For example, run them in VM in the debugger address space. This way you can't hijack already running programs.

      But yeah, I am aware that there always is an 'outside' to a thread, program, kernel or computer. From the outside you could read values directly. Ex: a computer that is not running could have its kernel changed so it gives memory dumps of certain programs.

  41. What criticism? by MarkByers · · Score: 1

    > I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy.

    In which part of my post did I criticize Ionescu? I think his work is admirable, though I hardly find it surprising that a flaw was found in such a complex and new piece of software as Windows Vista. All complex software contains flaws.

    I think that claiming that DRM is 'broken' is an overstatement. It's not broken, it still works fine. The security I accept needs more work, but the DRM works. It is a misleading summary.

    I think you misunderstood me.

    --
    I'll probably be modded down for this...
    1. Re:What criticism? by jomas1 · · Score: 1

      > I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy.

      In which part of my post did I criticize Ionescu? I think his work is admirable, though I hardly find it surprising that a flaw was found in such a complex and new piece of software as Windows Vista. All complex software contains flaws.

      I think that claiming that DRM is 'broken' is an overstatement. It's not broken, it still works fine. The security I accept needs more work, but the DRM works. It is a misleading summary.

      I think you misunderstood me.

      I guess I did misunderstand you. I don't abhor DRM with every fiber of my being like some here do but I believe DRM needs to be non-intrusive and stable. It is rarely either right now.
  42. which version by bl8n8r · · Score: 1

    Tell me Bill, which version of Vista are you referring to?

    "We made it way harder for guys to do exploits," said Mr. Gates. "The number
    [of exploits] will be way less because we've done some dramatic things
    [to improve security] in the code base."

    http://www.toptechnews.com/story.xhtml?story_id=49854

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  43. Non-news by Toreo+asesino · · Score: 0, Troll

    The tool needs Admin privileges to work, and guess what you can do with that? Yes! Anything you like! The same goes for Linux too - oddly, with root access you too can do/inject/patch anything at all too.

    Tags like: 'haha, defectivebydesign' Show how immature and unwilling to be unbiased some of you lot are. Shame on you. /endRant

    --
    throw new NoSignatureException();
    1. Re:Non-news by lskovlund · · Score: 1

      Only it is defective by design, because "protected processes" are supposed to be immune to debugging, for example. Even if the current user has elevated privileges.

    2. Re:Non-news by Slashcrap · · Score: 1

      The tool needs Admin privileges to work, and guess what you can do with that? Yes! Anything you like!

      The whole fucking point is that you're not supposed to be able to do anything to protected processes no matter how many privileges you have.
      Your total failure to grasp this simple fact is what makes your smug little comment so deliciously humiliating.

      Shame on you.

      If you had any sense of shame you would never post anything on the Internet again.

  44. Apparently you haven't heard of ptrace() by Myria · · Score: 1

    Apparently you haven't heard of ptrace() on Linux or vm_write() on OS X, which are more or less the equivalent of the operations in Windows.

    Windows processes have access control lists like files do; you can't inject a DLL into winlogon.exe without LocalSystem ("root") access. Linux and OS X go by the associated UID; if the requesting UID is unequal and is not zero (root), the attempt is denied.

    As for SELinux, many systems can get around the ptrace() lockout. Pipe a connection to gdb and have it do the dirty work on your behalf. Locking down what operations are allowed on a per-program basis rather than user privilege level is not a good way to secure a system. (Flagging a program as setuid root is somewhat different, and acceptable given a security model designed for it.)

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
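
    The Linux-side analog that Animats (comment 27) and Myria (comment 44) are talking about can be seen on a stock kernel without SELinux: a process can opt itself out of same-uid ptrace attachment with prctl(PR_SET_DUMPABLE, 0), which is what credential-holding daemons do so that other processes of the same user cannot read their memory, and the Yama LSM layers a system-wide ptrace_scope policy on top of that. The program below is an added example, not code from any commenter on this page and not Ionescu's tool; it assumes Linux with glibc, and the function names (make_nondumpable, probe_attach_from_child, yama_ptrace_scope) are mine. It forks a same-uid child that tries PTRACE_ATTACH against its parent before and after the parent opts out, and reports the errno the kernel returns.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Opt the calling process out of same-uid ptrace attachment (and core
 * dumps). Only root / CAP_SYS_PTRACE can attach afterwards. Returns 0 on
 * success, -1 with errno set on failure. */
int make_nondumpable(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Current dumpable flag: 1 = normal, 0 = opted out. */
int is_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* System-wide policy layer: the Yama ptrace_scope sysctl (0..3).
 * Returns -1 when Yama is not compiled into / enabled on this kernel. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Fork a child (same uid as the caller) and have it try PTRACE_ATTACH on
 * the caller. Returns the errno the child saw (EPERM when the kernel refuses),
 * 0 if the attach was allowed (the child then detaches cleanly so the caller
 * resumes), or -1 if fork/wait failed. */
int probe_attach_from_child(void)
{
    pid_t target = getpid();
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        int err = 0;
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1) {
            err = errno;
        } else {
            int st;
            /* the tracee stops on attach: collect that stop, then release it */
            waitpid(target, &st, __WALL);
            ptrace(PTRACE_DETACH, target, NULL, NULL);
        }
        _exit(err & 0xff);
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("yama ptrace_scope: %d\n", yama_ptrace_scope());
    printf("dumpable before:   %d\n", is_dumpable());
    int before = probe_attach_from_child();
    printf("attach before opt-out: %s\n",
           before == 0 ? "allowed" : strerror(before));

    if (make_nondumpable() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable after:    %d\n", is_dumpable());
    int after = probe_attach_from_child();
    printf("attach after opt-out:  %s\n",
           after == 0 ? "allowed" : strerror(after));
    return 0;
}
```

    Run as an ordinary user with ptrace_scope 0, the first probe is allowed and the second fails with EPERM, which is the per-process "you cannot attach to me" that the Windows protected-process flag tries to provide; unlike that flag, root (CAP_SYS_PTRACE) still wins, which is exactly the owner-control point the thread keeps coming back to. With ptrace_scope 1 even the first probe fails, because the child is not an ancestor of its target.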
  45. Annoying? by SLi · · Score: 1

    Malware is not annoying. It's downright hostile. Once untrusted code has run as administrator/root/system/whatever on your computer, it's the end of the game. You need to reinstall and never trust the compromised data again, as any competent security expert will tell you. Only the anti-malware corporations, unsurprisingly, tell you otherwise.

  46. ignore malware, now i can use ext2 drivers by Phil+Urich · · Score: 1

    Personally this sounds like exactly what I've been looking for to get drivers that'll read my Ext3 partitions installed and loaded without all the Vista SDK nonsense required to get past the signing crap. If I'm scared of malware and virii, I'd use something by a company I trust and respect (Kaspersky is my personal favourite, especially since it's easy to exclude files/folders on the basis of "if you detect X here, ignore" so I can keep false positives or test samples or anonymail or etc), not Microsoft! From Microsoft I just want the bare OS, at most. The good things about Windows have always been programs that run on top of it (EAC, Powertab, Nero, games), anything that restricts what can get installed is another reason for me to use something else.

    --
    I remember sigs. Oh, a simpler time!
  47. Job protection for this guy. by zymano · · Score: 1

    Just trying to hold on to his job by helping out the trojan and virus writers.

  48. not trust activity.. its just "industry standard" by plasmacutter · · Score: 1

    Depending on how this is done and how much evidence can be produced, this is illegal behavior.

    Collusion happens all the time, and thanks to Republican sellou.. I mean our fine pro-market saviors, their activities are dismissed as "industry standards" and/or "the free market in action", and anyone who comes out calling a spade a spade is immediately plastered as a pinko communist.

    Examples include ridiculously unreasonable EULAs, the incorporation of broadcast-flag-like rules in the QAM cable standards (leveraging the DMCA to expand their monopoly powers from music to all electronics), and Microsoft's fine new program requiring Hollywood-approved DRM on any I/O device or program before it's given a logo and a signature.

    Basically.. until the apathetic and sheepish public stops buying the newspeak of "free market" and "industry standard", the minority of us who have more than 3 brain cells will be screwed ridiculously.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  49. Re:cmdrdildo by Khyber · · Score: 1

    Bill Clinton or Bill Gates, speaking of dicking around? Ballmer, you been under Bill's desk, again?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  50. Just fuckin' great: by Sfing_ter · · Score: 1

    Great, just fuckin' great... so M attempts to make a MORE SECURE operating system and instead makes a MORE SECURE OPERATING ENVIRONMENT for malware... M, keeping me in business forever...
    They are kind of like a perpetual motion machine for Computer Techs...

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  51. Not just Vista by thethibs · · Score: 1

    This code is specific to Vista, but it doesn't exploit a Vista vulnerability.

    The technique is applicable to any platform and exploits the well understood fact that if you can get a system to run your code at boot time, you can do anything you want with it, assuming you are willing to do the work it takes to do it without triggering wards (e.g. full disk encryption). Alex spent months on this.

    I have all the reasons I need to give Vista a pass and wait for the OS Microsoft builds when they come to their senses and go back to a market-driven business model. This isn't one of those reasons.

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  52. Re:not trust activity.. its just "industry standar by erroneus · · Score: 1

    People are accustomed to ordering from the menu. It's a rare person who doesn't. The problem here is that the menu is being controlled in market-manipulated ways.

  53. with linux you can inject code and replace kernel by thisispurefud · · Score: 1

    This is pure FUD because this tool requires administrative privileges, and this is also possible in Linux using the root account. With Linux, malware can replace the whole Linux kernel with a single command line!!! Linux is less safe than Vista.

  54. I can't imagine this is surprising... by failrate · · Score: 1

    ... as every implementation thus far of this kind of walled garden has ended in a single engineer or small group of engineers finding that one critical flaw that busts the entire thing open. Surely, all of these solutions are naive implementations of security through obscurity, which becomes obsolete the moment a sophisticated cracker obtains enough clock cycles to guess enough things about the implementation... i.e., trivial.

    --
    Voodoo Girl is the bomb!
  55. Protected processes. Sheesh. by FoamingToad · · Score: 2, Insightful

    Agree with you. If I am the computer _administrator_, I want complete and utter control over what is running on the machine. It's all or nothing.

    The vista model of watered-down administrator may make life easier for migrants from Win 9x, but ultimately restricts the functionality for high-end users.

    I'd rather they still allowed full, uber-privileged rights to one account - be it administrator or whatever, irrespective of what additional restrictions MS choose to place on other "administrator" accounts (which are apparently degraded to "power user" accounts these days anyway).

    Anyway, as I may have stated previously, Windows 2003 Server for the win.

    F_T

  56. MS advertising world of warcraft? by cheekyboy · · Score: 1

    Doesn't WoW stand for World of Warcraft...

    --
    Liberty freedom are no1, not dicks in suits.
  57. Yeah, but... by DeadCatX2 · · Score: 1

    But what's to stop my program from pretending to be a debugger?

    Also, what if a process outside of a debugger crashes, and you want to attach the debugger to find out why? Your suggestion completely eliminates this possibility.

    --
    :(){ :|:& };:
  58. Never heard of AppArmor, eh? by spun · · Score: 1

    AppArmor does much the same thing as protected processes. It just does it right.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Never heard of AppArmor, eh? by diegocgteleline.es · · Score: 1

      AppArmor is a completely different thing.

    2. Re:Never heard of AppArmor, eh? by spun · · Score: 1

      I do actually work with AppArmor. It's a mandatory access control system. Of course it is not exactly the same thing, but it is usually used to keep a program from accessing any but a select list of files and services. You could use it to set up a system that works exactly the same as Vista's "protected process" thingy if you wanted to.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
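    The kind of AppArmor confinement the reply above describes, as an added example that is not part of any comment in this thread: a profile that restricts a program to a select list of files and denies it everything else. The program path `/usr/local/bin/media-player` and the directories under it are assumptions chosen for illustration, not anything from the article or the comments.

    ```apparmor
    # Added example profile (not from the thread). Assumed binary path: /usr/local/bin/media-player.
    # Goes in /etc/apparmor.d/usr.local.bin.media-player; load with: apparmor_parser -r <file>
    #include <tunables/global>

    /usr/local/bin/media-player {
      # Common libc/ld.so, /proc/self, locale and similar read-only needs.
      #include <abstractions/base>

      # The program may only map/execute itself and read its own config.
      /usr/local/bin/media-player   mr,
      /etc/media-player/**          r,

      # Writable state is confined to one directory; nothing else is writable.
      owner /var/lib/media-player/** rw,

      # Read-only access to the media it is supposed to play, and nothing else in $HOME.
      owner @{HOME}/Videos/**       r,
      deny  @{HOME}/**              w,

      # Everything not listed above (other users' files, /etc passwords, raw devices,
      # other processes' memory via /proc) is implicitly denied and logged.
      deny /proc/*/mem              rw,
      deny /etc/shadow              r,
    }
    ```

    Note the asymmetry with Vista's protected processes: this profile limits what the confined program may touch, whereas a protected process is about what other code (even the administrator's) may do to it. To approximate the latter with a MAC system you would confine every other program and leave `ptrace`/`/proc/<pid>/mem` access to the player out of all of their profiles; a process running unconfined as root is not stopped by anything here.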
  59. Mod parent -1 asshole by Anonymous Coward · · Score: 0

    ...you insensitive clod!

  60. Linus doesn't tell the MAFIAA Linux can stop it. by argent · · Score: 1

    The Linux community hasn't been telling the MPAA and RIAA that they can prevent copyright violations by implementing technical measures like protected mode.

    Microsoft wants people to believe that this mechanism can be used to create a secure environment for DRM applications to present protected content without their output being hijacked by the computer's owner (who of course has Administrator access). They have justified many appalling design decisions in Vista by saying they are required to provide this protection... and if it can be bypassed this easily then DRM has become Microsoft's WMDs.

  61. its all very simple by Kyle+Bates · · Score: 1

    Guys, its all very simple. When you realize that fanatic MS users are the same idiots who keep paying taxes, and *helped* Bush into power, you will then understand why all this is happening. You need to face the facts: behind any conjob there is a MJIC (master joo in charge, in this case Gates), and he's just part of the "suck your money and time" scheme to make you into powerless obeying tax-paying sheep that can easily be confused and controlled. Be a man!, install linux, say bye bye to the submentals rowing their dhingy on their way to insanity !.

    1. Re:its all very simple by Anonymous Coward · · Score: 0

      Guys, its all very simple. When you realize that fanatic MS users are the same idiots who keep paying taxes, and *helped* Bush into power, you will then understand why all this is happening. You need to face the facts: behind any conjob there is a MJIC (master joo in charge, in this case Gates), and he's just part of the "suck your money and time" scheme to make you into powerless obeying tax-paying sheep that can easily be confused and controlled. Be a man!, install linux, say bye bye to the submentals rowing their dhingy on their way to insanity !.

      Ha-ha! "Dhingy."

  62. Yeah. Sort of... by boltik · · Score: 0

    Vista is the Next Edition of XP SP2, in the same way that Windows ME was for Windows 98 SE.