Vista Protected Processes Bypassed
Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.
Under the influence of Post-Cyberpunk Gonzo Journalism
http://nyamenation.org/
I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
We are all just people.
Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. You're little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
No, other operative systems don't have this stupid notion of "protected processes", not even XP has it, only vista.
no one is a low life for holding on to their code. this guy just cracked the one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.
Under the influence of Post-Cyberpunk Gonzo Journalism
A spokesperson for Microsoft was quoted as saying :
This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.
People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.
all DRM issues aside, i'm surprised nobody has brought up new antitrust charges, especially in europe, for this idea that microsoft is allowed to deny a company the ability to use process protection.
by doing that they give incumbents an advantage over others and are using their OS to exapand monopoly interests into other sectors.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.
Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.
In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.
If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.
I agree.
The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.
Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!
They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.
My inclinations against myself or my family running vista just got a +1 Justification.
I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grog this. Neither do DRM propenents. Information will find a way to get through, around, over and above, and beneath all obstacles.
So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.
The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.
In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.
I do not respond to cowards. Especially anonymous ones.
You're wrong. The "collective observations of thousands of admins" is in fact little more than assumptions and anecdotes perpetuated by people such as yourself.
Do a significant proportion of porn sites have malware? Probably.
Is there a greater risk of getting infected by malware when surfing for porn than doing "wholesome" surfing? Perhaps.
Is a malware infection reason enough to presume that they got it from browsing porn and/or piracy-related sites? Not in the slightest in my experience. If you've got differing experiences that prove me wrong, by all means collate your data and present your findings because I and I'm sure many other people working in admin or IT roles would love some hard numbers on the nature of malware sources online. Until then I'll have to assume the "observations of thousands of admins" you speak of are in fact nothing more than your own pre-conceptions.
Spelling mistakes, grammatical errors, and stupid comments are intentional.