Windows Vulnerable To 'Token Kidnapping' Attacks

cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."

About Software

[Halborr]

All software has bugs, that's just a matter of fact. When computers are networked, some of those bugs can be used to exploit another computer.

Moreover, Windows has security problems. Film at 11. (Couldn't post without an anti MS joke! I think there's a filter or something...)

Re:About Software

[iammani]

Really? Can you find a bug in this...

#include <stdio.h>
int main()
{
        printf("hello, world");
        return 0;
}

Re:About Software

Yep. It buggers up the prompt.

  printf("hello, world\n"); /*is better*/

*This message was compiled with -pedantic.

Re:About Software

You are so funny.

Re:About Software

[Post-O-Matron]

You forgot the exclamation mark.

Re:About Software

[ckdake]

I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...

Re:About Software

[Lord+Juan]

Really? Can you find a bug in this...

  #include <stdio.h>
  int main()
  {
        printf("hello, world");
        return 0;
  }

But Microsoft did not write that routine, had they done it, it would read something like:

#include <stdio.h>
  int main()
  {
        printf("hello, world");
        get_administrative_privileges();
        collapse_system();
        return 0;
  }

Re:About Software

[DAldredge]

You aren't checking the the return status of printf.

Re:About Software

[alexo]

printf("hello, world\n"); /*is better*/

puts("Hello, world!"); /*is best*/

Re:About Software

[buanzo]

You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.

Re:About Software

Your forgot the '\n' character! :P

Re:About Software

[KibibyteBrain]

It does not checks to make sure it has access to enough memory to load the string "hello world" into standard output. It also do no checks to see that the stack size allows it to return 0.

Re:About Software

[greg_barton]

Considering I once performed a security audit and found that the lead developer for the client had rewritten printf so it had damaging side effects...yes...

Re:About Software

[WeatherGod]

but, he didn't want to disturb everybody, just the world.

Re:About Software

[forkazoo]

#include
int main()
{
                printf("hello, world");
                return 0;
}

It lacks i18n.

Re:About Software

[gringer]

you're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.

Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?

Re:About Software

[rudy_wayne]

Really? Can you find a bug in this...

#include
int main()
{
                printf("hello, world");
                return 0;
}

Yes. You left out goatse.cx

Re:About Software

Can someone please just car bomb the black hat conference? All the bastards will be in one place so it's shouldn't take a big one.

Re:About Software

[PiAndWhippedCream]

Yes, "hello, world" should start with a capital letter and end with a punctuation mark. The comma is also unnecessary.

Re:About Software

but, he didn't want to disturb everybody, just the world.

Then he forgot the period.

Re:About Software

[yargnad]

This code displays fine on my Windows system. I guess that means Windows doesn't have any bugs. I've written plenty of code in the past that didn't have any bugs until it was compiled.

Re:About Software

[somersault]

The comma is also unnecessary.

It is proper when addressing someone/something.

Re:About Software

[FrangoAssado]

The file inclusion is done at compile time. Presumably, whoever is compiling the code has a good system (otherwise, the possibilities much worse that what you describe: the compiler might be hacked, for example).

Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g, /usr/include). This means that, if whoever compiles the code is being attacked this way, their system is already compromised.

Re:About Software

[Bert64]

There's an important distinction to be made, between bugs (eg a buffer overflow etc) which can be corrected with a relatively simple patch, and design flaws which may require serious changes breaking compatibility...

Re:About Software

[BitZtream]

You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.

You also forgot to terminate the printf statement with a newline\carriage return or whatever fits the OS its for, which on some OSes will result in the line not appearing even though it does get printed.

It may not crash, but yes, its broken and buggy by my standards. You should probably not act like such a cocky fuck if you plan on doing any job interviews.

Re:About Software

[BitZtream]

On my desktop, no I don't check stdio.h

On our company buildfarm, yes, stdio.h is checked by the IDS before production builds run and after to confirm they are the originals.

Re:About Software

Actually it is possible to modify the call stack, so you might be able to take anything out of the ordinary from that printf.

Re:About Software

You aren't checking if you can write to standard output. Have fun doing ./hello.hex > res.txt in a directory where you can't write.

Re:About Software

[TheLink]

Seriously though, what are you going to do if printf fails? Log to a file? What if that fails? Log an error message to syslog? Then what if that fails too?

At a certain point of time it's a waste of time and resource to add extra checks.

In this case the target user would likely notice if printf fails to produce output and deal with it accordingly.

If printf produces output and still fails for some strange reason, the user is unlikely to care.

A professional way is to document it. "NOTE: in some cases printf may fail and the program not produce the desired output", buy the customer dinner and get them to sign off on everything.

Re:About Software

And let's not forget that not all bugs are programming errors per se. I've seen bug trackers riddled with (mostly appropriate) complaints about margins, style, colours, subtly counterintuitive behaviour, and so on. In a similar vein, the H should be capitalised (and according to some manuals of style possibly the W too since you're using it as a name), and there should be some interpunction at the end. I suggest a dot or an exclamation mark, but you could use a question mark to add a nice existential twist to it. After all, maybe this program will be ran without a console.

Re:About Software

[DrVomact]

Really? Can you find a bug in this... #include <stdio.h> int main() { printf("hello, world"); return 0; }

A bit cryptic, your question is.

Are you saying that including stuff at compilation is safer than relying on DLLs that (by definition) get linked in at runtime? Just a guess of course. Why don't you just say what's on your mind? —or is C the only language you know?

Re:About Software

[shutdown+-p+now]

You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.

There is no requirement in Standard C to accept arguments - int main() is a perfectly valid conformant signature for the entry point. On the other hand, main is required to return an int (though, unlike any other C function, you can skip return, and the compiler should treat it as if 0 was returned).

So, no, neither of those is a bug. It could be a bug in a sense of not conforming to the specification, but in order to determine that, you have to see that spec first.

Re:About Software

[fractoid]

Really? Can you find a bug in this... #include <stdio.h> int main() {

int main(int argc, void **argv) {

Re:About Software

[JesseMcDonald]

Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g, /usr/include).

The include search path can be overridden on the compiler command-line (-I) or via environment variables (C_INCLUDE_PATH), both of which take precedence over the standard ("system") search path, so there is no guarantee that the file will not be unexpectedly located in some compromised directory under the nominal control of the current user.

Re:About Software

[FrangoAssado]

Well, if someone can inject source code during compilation, they can obviously add malicious code to the final executable.

But in this particular instance, there would be no added include directories to the compilation process, since the source code is just one file. So, to do anything bad, the attacker would have to be able to screw the compilation (by changing the command line, environment or whatever other means he has to trick or change the compiler). If they can do that, they can also do any number of things that go way beyond simply overriding the search path of include files.

Re:About Software

[BitZtream]

And which standard would you like to use as a official C reference point? I can think of four that are considered 'official' right now.

But, either way, reading comprehension is hard:

It may not crash, but yes, its broken and buggy by my standards.

So ...being that I just told you the standard to use (mine) and that it was wrong ... well, not sure what my point was, but go read my previous post and try again.

Re:About Software

[shutdown+-p+now]

And which standard would you like to use as a official C reference point? I can think of four that are considered 'official' right now.

I'm only aware of 3 over the course of language evolution - K&R C, ANSI C89 (aka ISO C90), and ISO C99. My points apply regardless of which of those you pick, except that in C99 there is no "implicit int".

If you're talking about your subjective standard only, then it is entirely unclear to me why you feel that "accepting incoming arguments" is a requirement for main() in a "Hello, world" app. It's not going to do anything useful to them, so why should it do so?

Also, why would running on "bare metal" or not make any difference? Or, for that matter, why returning 0 means that he's "obviously not running on bare metal"?

So it sounded to me more like a factually incorrect argument over the requirements of free-standing vs full implementations of the Standard. If it's not that, then it sounds even more strange.

"Windows Vulnerable"

[batrick]

Fixed the title for you.

Solution sounds easy, right?

[DWMorse]

Just don't connect to a Token Ring LAN! =V

Re:Solution sounds easy, right?

[PolygamousRanchKid+]

I think the problem would be finding a Token Ring LAN to connect to. I can't remember seeing one of those beasts in the last 10 years. Racks of 8228s with connectors that looked like mouths of aliens in a sci-fi flick . . . can't say that I miss them . . .

Re:Solution sounds easy, right?

[buanzo]

You can find token ring all over IBM's building in Buenos Aires. I know. Don't say it.

Re:Solution sounds easy, right?

[DWMorse]

Ugh. Mayo Clinic still has some, at least it's ethernet and not BNC.

Re:Solution sounds easy, right?

[TaoPhoenix]

I read TFS a certauin way, and then searched for exactly your post... here it is!

"I think the problem would be finding a Tolkien Ring..."

PRECIOUSSSS!!!

Re:Solution sounds easy, right?

[Splab]

Look in government institutions - I worked as "the IT guy" in 2005-2007 at a university in Denmark, parts of the LAN was still token ring, reason behind that was at some point during upgrade to ethernet, someone decided that the whole building needed to be overhauled, effectively freezing funds for infrastructure.

Right now they are demolishing it and building a new nice department - only took them something like 12 years from deciding something had to be done to actually do it.

Re:Solution sounds easy, right?

[selven]

One Ring LAN to rule them all and in the darkness bind them?

Re:Solution sounds easy, right?

[BitZtream]

BNC is not a networking protocol, its a connector type. Generally attached to coaxial cable.

Ethernet works over many different cable types and connectors, but it is a set of signalling protocols not a connector or cable type.

Ethernet can use BNC connectors (connected to coaxial cable), as well as RJ45 connectors (connected to CAT3, 5, or 6 cable) and several other interfaces via AUI and the like. You can even signal ethernet over fibre.

What you probably meant to say was 'at least its CAT3, not coaxial' as otherwise your statement makes absolutely no sense. It may not be CAT3 cabling actually, but if their still using token ring, then its either CAT3 or a fat bundle, not likely to be CAT5 and still using TokenRing.

Re:Solution sounds easy, right?

[DWMorse]

Nitpicker. Yes, I find myself using terminology interchangeably incorrectly occasionally.

Granted I've never had to deal hands-on with coaxial data networks, yay. I'm quite happy enough being too young for all that.

Re:Solution sounds easy, right?

[Muad'Dave]

I worked with ethernet back in the days of 10Base5 that used vampire taps that were installed by drilling a freakin' hole into gigantic RG8-like uber-shielded coax that was run straight down the long axis on the building. Users would run these huge AUI cables to the vampire tap to gain access. You could only tap the cable every 2.5 meters, so in a crowded office you'd have loops of coax with piles of taps thrown on top of each other in the drop ceiling. Note that each segment only allowed 100 taps.

Those were the days.

Re:Solution sounds easy, right?

[Muad'Dave]

The only benefit token ring ever really had over ethernet (aside from the 16mb/s vs 10 mb/s signaling speed) was deterministic behavior. When you're doing a full motion cockpit simulator in the late 80's, token ring was the choice. In real-time, deterministic behavior is your friend.

Yes

[XanC]

It doesn't do anything useful.

Re:Yes

[Windwraith]

No, but it's polite, it's greeting the world. You are so insensitive!

Re:Yes

[pspahn]

Demonstrating "hello world" is useful to someone new to programming.

Re:Yes

Neither does Windows.

Re:Yes

[MichaelSmith]

It doesn't do anything useful.

Like MOTD?

Re:Yes

This is completely correct. A bug isn't simply a coding error but a design error. Programming takes an abstract concept and makes it concrete in a formal language. This involves filling in all the details -- which is quite a lot more than non-programmers think. How should the program behave if it runs out of resources, user inputs incorrect information, external system provides incorrect information, operating system error, what should the performance characteristics be, details of statecharts and sequences, security and many more details that I have missed. All of these require trade offs that also require engineering time. Omitting important factors is just as bad, sometimes worse, and a lot more prevalent, than coding errors.

In general, users don't care if a feature doesn't work because of a programming mistake or because it isn't implemented. If a feature doesn't work, they are both the same.

Re:Yes

[davester666]

Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.

Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.

Re:Yes

[DaveV1.0]

As a demonstration of printing, maybe. But as a general demonstration, not so much.

Re:Yes

[Thinboy00]

Isn't MOTD daemonized (which provides some possibility of e.g. a DOS attack of some kind)?

Windows Vulnerable To 'Token Kidnapping' Attacks

[omar.sahal]

if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

So don't use Microsoft products and you're safer!!! To be fair to Microsoft their products have been steadily improved over the years. There products are now acceptable in regards to competitors.

• win 95, usability of GUI
• win xp, stability of software, less crashes
• xp service pack 2, and vista, security (security was not optional in vista, you had to develop you're code in a more secure way, ignoring these guidelines was not over looked for compatibility with older versions of software this caused many problems with programs breaking due to incompatibility)
• windows 7, all the above and smaller foot print when installed

Apple replies

[irrg]

After hearing about this exploit, an Apple VP referred to this as "Microsoft's Iphone 4".

Re:Apple replies

[bsDaemon]

You mean that every other operating system has this same bug? Including MacOS X, then. So, no... I doubt it's their iPhone 4. MS also has more experience dealing with stuff like this. Apple is currently experiencing what its like for a pretty girl the first time she gets blown off by some random dude she's attempting to con into doing her a favor.

Re:Apple replies

[$RANDOMLUSER]

Actually, that's a pretty good analogy, as it makes Windows the fat, ugly chick with 17 enumerable STDs.

Re:Apple replies

[Blink+Tag]

Modded flaimbait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

Re:Apple replies

[bsDaemon]

See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.

Re:Apple replies

[Bengie]

I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

And some quotes from the above link

"regularWindows users can’t exploit them"

"if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

It's bad, but not *as* horribly bad as the title suggests.

A properly locked down Windows machine should have been mostly immune to this anyway.

I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it use to be, but still not quite there.

Re:Apple replies

[timmarhy]

you don't live in the real world do you? in the real world there is a direct relation between easyness and getting laid that fat ugly girls know how to play.

Re:Apple replies

[$RANDOMLUSER]

Windows has shown it will let ANYBODY fuck it. Low self-esteem and all.

Re:Apple replies

[WrongSizeGlass]

Modded flaimbait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

Indeed. Although, I would have preferred if they had posted "After hearing about this exploit, an Apple VP referred to this as "Microsoft's Vista ". ;-)

Re:Apple replies

I just shot milk through my nose. Or, at least, I would have if I'd been drinking milk. Well played, sir.

Re:Apple replies

[bonch]

I love that Microsoft is essentially saying, "They suck as much as us!" How the mighty have fallen. Too bad the Vista analogy doesn't work though since people are actually buying the iPhone 4.

Re:Apple replies

[Phroon]

My bad, my humor sensor is broken today. Commented to remove said moderation.

Re:Apple replies

If you need citations for those things, then it's you who desperately needs the clue.

Re:Apple replies

[Kaboom13]

Windows does allow services to run as different users. it has since at least windows 2000, probably since NT. Services that interact with the network by default login as network service, which has limited permissions compared to the local system account. In a locked down environment (ie an internet facing or dmz server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference is there's a larger pool of people with jobs as windows administrators without the skills and knowledge to back it up. As linux becomes ever more popular, expect to see the same thing to happen to it.

Re:Apple replies

[drsmithy]

I still love how *nix naturally allows individual services to run under different users [...]

There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.

Re:Apple replies

[Whuffo]

Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits. They can claim that they're working on security all they want but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as useful as trying to bail out the ocean with a teacup.

Their "authenticode" signatures are just an example of "security through obscurity" and have already been compromised. All of the other security fixes are nice, but they don't deal with the gaping wide holes that MS has built into their products. It doesn't matter how many buffer overflows you fix (they claimed they were all fixed - not so) or how you partition memory - when you give execute privileges to code downloaded from the web you're bypassing all of those "security" restrictions. Am I being clear enough here? Microsoft has built into their operating systems services and programs which download and execute code from the internet. Everything else is useless when you leave this door wide open.

Sure, all operating systems are subject to having their bugs be exploited. But it appears that Windows is the only one which has these "come screw me" doors wide open - can they be closed? By the average user? Sheesh.

Re:Apple replies

[beerbear]

I pull my hat in respect. Too many people here don't have the maturity to admit they were wrong.

Re:Apple replies

[TheRaven64]

You also don't have to go back too far to find a time when the phrase 'UNIX security' had the same sorts of connotations as 'military intelligence'. People who used systems like VMS laughed at it, as a concept. Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS. Security, in most cases, is a usability problem. It's easy to make a secure system. It's hard to make a usable system. It's much harder to make a secure, usable, system.

Re:Apple replies

[Rubinstien]

Thank you for your, as usual, rational observation.

Unix-derived OS's are only recently gaining proper fine-grained security controls, and most are still hacks, IMHO. Newer Linux has "capabilities" that allows one to mark a binary as allowed to use certain privileges, such as CAP_NET_BIND_SERVICE, but this can't be used with *scripts* due to the fact that it is the *interpreter* that would need the privilege (*bad* idea to always give it to the interpreter). Solaris 10 has user privileges such as net_privaddr, which is closer to the VMS way, but in my experience it is easier to get a customer to install a script that starts the web server as root than it is to get them to create a user for that specific purpose and type 'usermod -K defaultpriv=basic,net_privaddr webservd'. Often the customer admin'ing the box is just the most-technically-competent user, with the job dumped into his lap, rather than a "real" admin who understands that job. He's OK with things he's been asked to do before, and suspicious of anything he's never seen or does not understand. It's even difficult to get other developers to understand half of this stuff (tried unsuccessfully with ACL's a while back, for example, and they interact poorly enough with "standard" Unix file security to frustrate people with 30+ years Unix experience).

The other issue is a complete lack of consistency between Unix variants on how any of this stuff is enabled, configured, managed, or audited. Unless you have a lot of programming and testing resources at your disposal, developers need to limit themselves to those things they can rely on having as "standard" across the platforms supported. The company I work for supports 3 Unix variants, and tests on more than that. Even something as simple as querying directory services is a cross-platform mess, and security-related issues are a whole new weed patch. Of course, VMS did not have this issue to deal with, but that OS is at least consistent from top to bottom. Anytime I have to do anything security-related on Unix I cringe and wish I was working with VMS again (when will Unix get installed images? http://hoffmanlabs.org/vmsfaq/vmsfaq_007.html [AIX almost has this -- equivalent to /SHAREABLE] ).

Even VMS is not invulnerable. The last exploit I know of was verified in 2008.

Re:Apple replies

[Bert64]

Although windows can run services under limited accounts, it is far less common to do so... And i believe more difficult because you have to store a password for the user rather than just being able to setuid() on unix... So some unix services will start as root, and then drop privileges later.

Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.

Re:Apple replies

[TheRaven64]

It's worth noting that Symbian actually has quite a nice (i.e. simple enough to actually be used) capability model. Both libraries and executables have a set of capability flags and they interact very nicely with the Symbian driver model. It doesn't quite have a true microkernel, because the drivers are in the kernel, but the drivers are very simple. Most, for example, do not implement multiplexing - they just provide exclusive access to the device to a single userspace program (which has the direct access to this device capability flag set). This program then uses the same capability mechanism and the Symbian kernel's message passing mechanism to allow other applications to access it.

But, of course, people on Slashdot will tell you that Symbian is a toy OS and that Linux is the only sensible thing to run...

Re:Apple replies

[Jaime2]

Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.

So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on unix. That sound more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.

Re:Apple replies

[Bert64]

SQL server runs as SYSTEM by default (and even lets dba users execute shell commands), IIS has improved in recent versions largely due to having been so heavily attacked previously.

Re:Apple replies

[drsmithy]

Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS.

How so ?

Re:Apple replies

[shutdown+-p+now]

Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits.

ActiveX - ever heard of .xpi? Yeah, that pops up a prompt when you install it; so does ActiveX. And .xpi can contain native code (which many people don't even realize).

Windows Media does not "download code from the web". It's just a browser plugin, like MPlayer or VLC pugins.

Unless what you mean is that it can download codecs from the Net from a central repository (after popping up a confirmation dialog) - which e.g. Rhythmbox and Totem also do in Ubuntu, though those go through the centralized package system.

Windows Update - it's identical to a package management system in any Linux distro, except that it's bare-bones and for MS products only. In terms of "downloading code from the web", its attack surface is exactly the same - code comes from a centralized server.

Re:Apple replies

[Whuffo]

Regarding ActiveX - those object can be marked as "user choice" or "safe" - guess what the bad guys mark them as; newer Windows versions prompt on all of them so this reduces the danger a little bit - but the vast majority of users just hit the OK button when a prompt pops up. And Windows Media - you hit the nail on the head when you pinpointed it's ability to download and run install packages for codecs. But they aren't required to come from a central repository - they can come from the same domain as the media file. Every day, people click on a media file and WMP lets them know that it needs a codec to play it and they almost always say OK. A lot of malware gets installed in just this way. And Windows Update - it's not limited to a centralized server either. It'd break WSUS if they required it to only pull executables from just one Microsoft server. This one's a real beauty because most people have their system set to automatically download and install critical updates. Getting their systems to pull "updates" from your server is a trivial task for those in the know.

It just takes exploiting a couple of these built-in services to totally own a Windows box. While your codec download is installing some malware it can also tweak the Windows Update registry settings and point that service towards your own server. Now they can run whatever anti-spy/malware program and even if it manages to find and delete it (they're not as good at this as you think) your system will helpfully download and install another copy from the "windows update" server. So easy to setup; download a free copy of WSUS from Microsoft.

What makes this so easy is that Microsoft built in the ability for these things to happen. They set the default operation of these services to allow these exploits to happen. You can't disable these exploits without breaking some functionality - and the average user doesn't know how to tell if he's been exploited or how to turn these services off. This kind of design stupidity is all through the Microsoft operating systems - it's not the bugs that keep turning up that are the real problem, it's the exploit vectors that are coded in and intended to be operational at all times that are the real problem.

I see that you've listed some third-party programs that contain similar flaws - that's true, but you don't have to use those programs and by default your system doesn't include Even the Microsoft apologists can learn from this - and I'll bet you stop and think the next time WMP wants you to install a codec to view / play some media file. It might be a legitimate request - but if it's not, your machine will belong to someone else if you click that OK button.

Re:Apple replies

[Jaime2]

SQL only runs as SYSTEM if you change the service account settings during install (in other words, not by default). Shell commands are not available unless the server is specifically configured for them using the "Surface Area Configuration Tool". Running as SYSTEM by default was fixed fourteen years ago and xp_cmdshell was disabled by default five years ago.

IIS improved seven years ago, not recently. Regardless of the reason for improvement, it did improve. IIS 6 and 7 both have excellent security records and both have a sound architecture.

Microsoft's far from perfect, but you've been holding a grudge for fourteen years. Did they eat your children?

Re:Apple replies

[fractoid]

See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases.

It only takes once if the guy (or other girl OH HO SEE WHAT I DID THERE) is blueberry-waffle enough.

Re:Apple replies

[fractoid]

[...] and I'll bet you stop and think the next time WMP wants you to install a codec to view / play some media file. It might be a legitimate request - but if it's not, your machine will belong to someone else if you click that OK button.

And this is where the whole "click OK to continue" approach falls down flat. I don't know who signed Adobe's SSL certificate. I might not even spot the difference between "Unity3D" and "Unity30" if I'm skim reading through the page. The basic fact is that if you ever install *anything* you're taking a leap of faith that what you're actually installing is what you think you're installing. So many times while running Windows, I had to give authorization to install codecs, drivers etc. and found myself thinking "well fuck, I don't KNOW if I trust this source or not, but it's a divx codec and I want to watch this video." I have no realistic way of knowing whether it's a got a Greek (it's not a fucking Trojan, it's a Greek, gah!) stuffed inside it.

Yes.... you forgot the comments ...

[AnonymousClown]

/* Really? Can you find a bug in this... */

#include <stdio.h>

int main()

{

printf("hello, world");

return 0;

}

Re:Yes.... you forgot the comments ...

[bejiitas_wrath]

This is better.

int main(void) {
puts("Hello World.\n\n");
return 0;
}

"... by any user with impersonation rights."

[n0-0p]

That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).

So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.

Re:"... by any user with impersonation rights."

[toadlife]

Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if an vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.

Re:"... by any user with impersonation rights."

[Lehk228]

if you run IIS you may as well just post your admin password and social security number on your homepage

Re:"... by any user with impersonation rights."

Your a little confused, IIS is probably one of the most secure web servers at the moment, at least when compared to the lesser ones such as Apache.

Re:"... by any user with impersonation rights."

if you run IIS you may as well just post your admin password and social security number on your homepage

Really? Try a little comparison exercise:
IIS6: http://secunia.com/advisories/product/1438/
IIS7: http://secunia.com/advisories/product/17543/
Apache 2.2.x: http://secunia.com/advisories/product/9633/

In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19

Re:"... by any user with impersonation rights."

[TheLink]

Yeah.

That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.

Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.

Re:"... by any user with impersonation rights."

[ffreeloader]

Just what is it of his that is a little confused?

This just in...

[ascari]

Next release Windows is codenamed "Phoenix" see link for details:

http://www.nationalterroralert.com/updates/2009/02/13/kidnapping-capital-of-the-usa-phoenix-arizona/

Re:This just in...

[bonch]

This is why the majority of the public supports the Arizona legislation.

Oh, wait, this is a Windows story. Why'd you post that?

Get a Life Already Hackers!!

I bet these without-a-life hackers are so lame they go on slashdot on a Saturday night! Poor saps don't have a life. Wouldn't want to be them, that's for sure!

Nope, problem is in architecture.

[Cyberax]

Problem is in Windows architecture. Its security subsystem is so complex that it's nearly unusable. You can, in theory, create very flexible security policy using ACLs which can be attached to almost all objects in Windows but in practice nobody uses it. So glaring security bugs can live for years.

It's almost like SELinux.

Re:Nope, problem is in architecture.

I agree that there are aspects of the security system that are complex, however for the people who's job is security (e.g. IT), this isn't a big deal. Computers are complex, they almost always are for good reasons, get over it.

Yes, people use ACLs; they do it all the time. I have seen many companies have their own groups setup and custom ACLs on file system directories. Also anyone who does Windows programming has to deal with security on OS objects like mutexes and named pipes. Sometimes they do so badly but they always have to deal with it.

Re:Nope, problem is in architecture.

[linzeal]

If you are being paid to run a SELinux box, you pry know more than 10 windows admins put together or 4-5 Linux Admins even.

optimistic

[Twillerror]

Lately the security bugs I've seen are making me feel good.

Sounds weird I know, but it just seems like they are getting more and more bizarre.

Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...

Where will be in 5 years...probably in a relatively safe world.

I mean heck this things says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs not general problems.

When was the last major worm anyways?

Re:optimistic

[dna_(c)(tm)(r)]

When was the last major worm anyways?

Disable all spam filtering your ISP provides, wonder where all the spam is sent from... Blissful ignorance is not improved security

Re:optimistic

[John+Hasler]

> When was the last major worm anyways?

Microsoft Windows 7 was released in 2009, IIRC. It has reportedly infected over 150 million computers.

Re:Windows Vulnerable To 'Token Kidnapping' Attack

[yuhong]

This is way too incomplete. For one thing, you forgot NT and 2000.

Old News

[dzr0001]

I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf was published in the summer of 08.

Re:Old News

[dzr0001]

I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf was published in the summer of 08.

Ok, so I read the zdnet article and the article does appropriately state that the exploit was discovered in 08. However, the zdnet article linked by OP is also a year old.

Re:Windows Vulnerable To 'Token Kidnapping' Attack

...windows 7, all the above and smaller foot print when installed...

Smaller footprint than what? The default install clocks in at around 13GB of disk space!

Its a "Feature" not a bug.

[Bob_Who]

Ironic how bugs are so well suited to infestation through windows. A RAID array might help....

hello bugs.

[leuk_he]

It does not check the return value of printf.

Under windows it does only run in console mode.

Documentation is lacking.

The start of the source code is not marked. Since has a stop of line with a single "." there are 2 dots in start of the program that give a compile error.

Re:This is what you get, America

Ron Paul !? LOL. Dude, nobody wants a racist lunatic in the white-house.

Ron Paul cheerleaders are starting to become more annoying than Apple fanboys.

Re:This is what you get, America

[TheRaven64]

Dude, nobody wants a racist lunatic in the white-house

Wow, you're seriously out of touch with a large fraction of the American electorate...

First they kidnapped Token

then they killed Kenny!

You bastards!

Re:This is what you get, America

Some might argue that is exactly what you have now.

Patch Release

[helix2301]

So they know there is an issue with this but yet there is not another patch being released to fix this?

You don't need a return type

You do not need to use "int main()", and you can instead substite a slightly more efficient void return type (none in other words) and no need to return 0 either.

void main()
{
    printf("hello world");
}

That will do the job just as well and more efficiently.

Re:You don't need a return type

[shutdown+-p+now]

You do not need to use "int main()", and you can instead substite a slightly more efficient void return type (none in other words) and no need to return 0 either.

void main()

The above is not valid, and will not compile on a decent implementation. Go ahead, try it with gcc or any other standard-conforming compiler.

As a side note, omitting the return type - i.e. main() { ... } - is not the same as void return type. It's actually implied int. That one is valid, yes. And you can omit the return whether you omit int or not, because ISO C allows you to do so only and specifically for main, in which case it is equivalent to ending it with return 0; - this does not affect efficiency, though.

Re:Windows Vulnerable To 'Token Kidnapping' Attack

All software has bugs, that's just a matter of fact.

[Insert random quote about Windows being the biggest target inferring that ALL other OSes are ONLY secure because they are obscure.]

To be fair to Microsoft their products have been steadily improved over the years.

But I thought you couldn't improve security on a Microsoft platform because they are the "victim" of being the most popular target. You fan boys change it up too much. Every time there's a story about Windows security you're all going "Oh noes there's nothing MS can do! All softwares has bugs! Windows is a popular target thatz all (every other OS is ONLY secure because it's obscure)!" Yet somehow they are improving by huge amounts.

On one hand you have MS apologists saying there's nothing MS can do about being vulnerable and on the other you have them saying their getting better. Profit!!!

You kids are just too much.

All versions?

[Tacvek]

Really all versions? Going all the way back to 1.0, and also including the CE versions? I strongly doubt that! Perhaps it dates all the way back to NT4, but that is still very, very different than affecting all Windows versions.

Re:Windows Vulnerable To 'Token Kidnapping' Attack

[fractoid]

I ran the Windows 7 RC on my home computer and Windows Vista Professional on my work computer for around 9 months. Both machines were roughly the same spec and purchased at the same time. Vista was an absolute hog, while Windows 7 felt fairly snappy and responsive. The free RC trial wasn't enough to convince me to pay $130 for an OEM license, but it was enough to convince me that Windows 7 is at least as good as Ubuntu for a general home computing / gaming platform.

Re:Windows Vulnerable To 'Token Kidnapping' Attack

Insightful?! You have got to be trolling me!