Slashdot Mirror

← Back to Stories (view on slashdot.org)

UAC Whitelist Hole In Windows 7

Posted by Soulskill on from the time-for-some-creative-rebranding dept.

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"

2 of 496 comments (clear)

  1. Re:No Script Bragging -- please stop by mysticgoat · · Score: 5, Informative

    You don't know anything of what you speak.

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer. I set up the whitelist, and I decide whether to make an exception.

    My ruff & reddy rules of usage:

    1. On first visit to any trustworthy site, add all its javascript sources that I also think are trustworthy to my white list. A one-time overhead of maybe 3 seconds.
    2. When following a /. lead to a site that I don't know anything about, assess whether any useful content is being hidden by a NoScript block
      • If so, unblock the bolded item in NoScript's list of javascript sources being used on the page. If the page smells worthy of it, I'll add this source to the whitelist, otherwise I'll do the unblock as a one-time thing. Reassess whether useful content is still being hidden, and if so repeat until good.
      • Else, leave all script sources blocked since I can get what I came for without them, and I'm unlikely to come back.
    3. When mucking about in the web's darker corners, do as above, except never permanently add a javascript source to the whitelist. Do it all as one-time only.

    Web pages that are using scripts from three different sources are not uncommon any more. Web pages that are using scripts from 5 or 6 sources are not rare. There are web pages that are using sources that in turn draw on other sources. When running NoScript, I decide not only whether I trust the developer of this web page, but whether I trust his judgment about the scripts that he is importing from elsewhere. I decide how wide I will let the circle of trust get.

    It's really a no-brainer. If you recognize the possibility that you might do something of value with the computer you are using, then use NoScript or something like that as a low cost method of protecting that potential. Otherwise, I would appreciate it if you would disconnect your virus infected, zombied machine from the internet, because your negligence is diminishing the common good.

  2. Re:No Script Bragging -- please stop by Anonymous Coward · · Score: 5, Informative

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer.

    Yeah, an "arbitrary program" that is already sandboxed by the browser anyway. The worst it could do is use up some system resources [...]. Those people need to learn to chill and trust their browser sandbox.

    [ ] You know that most security holes needing little to no user interaction require JavaScript to function properly.
    [ ] You know that NoScript can also block other techniques (Flash, Java) that are posing security risks.

    No?