Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Protected Processes Bypassed

Posted by CowboyNeal on from the falling-confidence-levels dept.

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

12 of 221 comments (clear)

  1. In related news by tinkertim · · Score: 5, Funny
    A spokesperson for Microsoft was quoted as saying :

    This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.

    1. Re:In related news by _KiTA_ · · Score: 5, Insightful


      A spokesperson for Microsoft was quoted as saying :

              This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.

      People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

    2. Re:In related news by erroneus · · Score: 5, Interesting

      I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

      Vista goes way ot of its way to reduce functionality for the user in order to make content providers happy. Think of what that really means. Company A sells something to Consumer A but that something is disabled in order to make Company B happy. Company B is happy because they can continue their old business model and maintain their dominance if and when they finally move into new business models when they feel ready. Meanwhile, companies C, D and E through M move to create, innovate and design new things only to be prevented by both Company A and Company B. Depending on how this is done and how much evidence can be produced, this is illegal behavior.

    3. Re:In related news by StinkyGeek · · Score: 5, Funny

      I have to ask. If both you *and* your wife enjoy porn, how do you find time to post on /.?

      --
      Stay hopeful that the Crystalline Amoeba poops your car out soon
  2. Re:Can't beat em, join em? by Fallen+Kell · · Score: 5, Insightful

    The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  3. biting the hand that feeds you by kv9 · · Score: 5, Funny

    He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.

    not for long, I bet.

    --
    Stop Computers/Cars Analogies on S
  4. Re:Ever since DOS by Anonymous Coward · · Score: 5, Funny

    I miss the days when I gave my computer commands not suggestions.

    You are becoming nostalgic, Deny or Allow?

  5. Good idea, bad implementation. by Animats · · Score: 5, Insightful

    "Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

    Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

    In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.

    If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

  6. It's really Melinda's fault by ColdWetDog · · Score: 5, Funny
    Want your missing is the higher social value of interacting with your computer on a more equal basis. Just like women, Computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

    So get off your old, tired, 20th Century horse and get with the new paradigm.

    Just a suggestion of course.

    --
    Faster! Faster! Faster would be better!
  7. This is how it's done by Anonymous Coward · · Score: 5, Informative

    The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses a 848 bytes driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the neccessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...

  8. Re:Why do they even bother? by Rodness · · Score: 5, Insightful

    I agree.

    The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

    Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

    They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

    My inclinations against myself or my family running vista just got a +1 Justification.

  9. Re:Didn't we see this before... by FutureDomain · · Score: 5, Funny

    I clearly remember being called to help a friend with a spyware/malware problem, discoverng he had ME, and going out to buy a copy of XP to replace it. Well, it looks like you might be doing it again. Helping a friend with a malware problem, finding out that he has Vista, and buying a copy of XP to replace it.
    --
    Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!