Vista Protected Processes Bypassed
Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.
Under the influence of Post-Cyberpunk Gonzo Journalism
http://nyamenation.org/
I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
We are all just people.
No, other operative systems don't have this stupid notion of "protected processes", not even XP has it, only vista.
no one is a low life for holding on to their code. this guy just cracked the one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.
Under the influence of Post-Cyberpunk Gonzo Journalism
A spokesperson for Microsoft was quoted as saying :
This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.
People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.
"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.
Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.
In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.
If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.
I agree.
The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.
Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!
They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.
My inclinations against myself or my family running vista just got a +1 Justification.