Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Show How To Take Control of Windows 7

Posted by CmdrTaco on from the hey-wait-a-minute dept.

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)

8 of 325 comments (clear)

  1. A hack! by Anonymous Coward · · Score: 5, Insightful

    This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my drive way. Watch me steal it with ease! HA!

  2. Boot from Live CD? by neilobremski · · Score: 5, Insightful

    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.

    --
    -- NeilO
  3. sheeeet, negro. that's all you had to say! by gandhi_2 · · Score: 5, Funny

    This is contrasted with Mac OSX which uses a combination of Gracie-style Brazilian Jiu Jitsu, Hapkido, and oratorical prowess to keep would-be haxors at bay while the police are enroute. Or the Linux lack of social skills which avoids "physical access" altogether.

    --
    THL phish sticks
  4. Re:I cannot believe it... by gnick · · Score: 5, Insightful

    OK, I'm not a Mac guy so I can say nothing about it. I've also not used Windows 7.

    But, really. If you give me physical access to damned near any Windows or Linux machine, it's owned. And there are a lot of people out there a helluva lot better then me.

    Sure, I won't be able to crack your encrypted archives. Nor your well-protected stored passwords. But hacking root/admin with physical access to the box isn't rocket science. Actually, it's much tougher with Vista than any Linux distro I've run into.

    --
    He's getting rather old, but he's a good mouse.
  5. Attack requires editing RAM contents during boot by Sockatume · · Score: 5, Informative

    The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while agressively patching software in memory. This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    --
    No kidding!!! What do you say at this point?
  6. Re:Yes, why post this? by Lord+Ender · · Score: 5, Insightful

    Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

    It was obvious to crypto pros that it is theoretically worthless, but this is a practical attack against it.

    Real disk encryption DOES protect them machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can "prove" it's flawed to management without a working exploit.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  7. Re:I cannot believe it... by DavidChristopher · · Score: 5, Insightful

    In the absence of physical security, taking over a vista, linux, mac os x or (insert vendor here) UNIX system is not difficult, providing you know the platform. No, the 'average gramma' can't do it, but most of us most likely can - with not much more than a google search and a quick download.

    I'm not a microsoft (or apple, or linux) fanboi by any means, but a system is only as secure as you actually make it. Disk encryption helps - it's a great idea - so I've honestly never met anyone who's used it.

    While this is certainly an interesting exploit, I doubt highly that many systems will be compromised in the wild with it.

    --
    http://www.bistolas.net
  8. Re:I cannot believe it... by SanityInAnarchy · · Score: 5, Informative

    I'll correct you a bit further -- there are different kinds of physical access. For instance, a public computer lab might have machines which have their case locked, both to prevent it from being opened and to prevent it from being locked down, BIOS locked and configured to boot only from hard disk, bootloader locked, etc.

    On such a machine, there's really not a lot you can do to compromise it without some sort of actual software vulnerability or misconfiguration. You might be able to add a physical keylogger -- maybe -- depends how kiosk-ified it is.

    However, this does not appear to be such an attack. Rather, it seems this is an attack which requires you to boot the machine off of some other media. Most machines are wide open to this in many ways -- the more frightening one was PXE; just plug a laptop into the same network and own every machine as it boots.

    But Vista is not unique in this respect, and I cannot imagine how an OS could protect itself against such an attack. And even network boots can be secured, if you can add just a kernel and initrd to local storage.

    --
    Don't thank God, thank a doctor!