New Windows Kernel Vulnerability Bypasses UAC
xsee writes "A new vulnerability in the Windows kernel was disclosed Wednesday that could allow malware to attain administrative privileges by bypassing User Account Control (UAC). Combined with the unpatched Internet Explorer vulnerability in the wild this could be a very bad omen for Windows users."
this could be a very bad omen for Windows users.
Only if Microsoft doesn't fix it. Of course, somebody sharp could submit a patch ... oh wait.
The higher the technology, the sharper that two-edged sword.
I run everything with Administrator privs... oh snap!
Well, as long as you know everything you run is malware free, there is absolutely nothing wrong with that.
They bypassed the UAC? We're DOOMED!
No, it's better. It's like browsing that goes all the way to 11. Much of the suck just magically disappears.
Lost at C:>. Found at C.
Developing an entirely new os is about the worst thing microsoft could possibly do from a business perspective...
Currently their single biggest selling point is compatibility; sure, as you point out, compatibility with something that has a fundamentally flawed design, but still compatibility... If they were to ditch compatibility, then users would have to ditch all their existing apps (especially legacy apps which may be abandonware) and learn a completely new system that's not been tried and tested...
In other words, they would now saddle themselves with the biggest disadvantages associated with other platforms while offering none of the advantages of those platforms...
Microsoft ditching compatibility with all their legacy cruft would probably be the best news Apple and Linux distros could ever receive.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I believe you miss his point.
It's an easy buffer overflow problem that shouldn't have been hard to prevent if you have even a fraction of the talent and resources at Microsoft's disposal.
If this bug is as you say, and it exploits "left over junk from older OSes" that only means one thing: there has been more than adequate time for an internal security audit to have found and fixed this bug. Consider the personnel and capital available to the OpenBSD group, then compare that to the personnel and capital available to Microsoft. You're telling me Microsoft couldn't do better than the OpenBSD group?
Why do so many people want to give Microsoft a pass in these matters? It's hard to think of any other entity in the world that would be more capable of doing better than this. It's obvious they don't give a damn about security as long as the sales keep coming. That's what you want to excuse, portray as understandable, smooth over, and encourage by example in other companies? I won't.
It is a miracle that curiosity survives formal education. - Einstein
Seriously, let's hear this brilliant idea that a number of geeks on Slashdot seem to have as to how to design an OS that is perfectly secure against malware and so on, yet still gives the user full administrative control over their system. So show us a framework or example of some kind where users have the full control they must have over personally owned systems, yet the system is 100% secure against bad code. Also then show the design methods that can be used to ensure that there are zero bugs, anywhere, ever, in the design or the implementation and that allow a product to be produced in the timescales demanded by the consumer world (as in it can't take 10 years of validation).
If you put any real thought in this, you'll realize it can't be done. There is no power without responsibility, there is no perfect system that is 100% bug free.
That being the case, stop whining.
For this particular thing, this is a local privilege exploit. It is a bug, a mistake, one that will be fixed. If you Google around you'll find that Linux has had plenty of these throughout its history. Something is done wrong such that a program can elevate when it isn't supposed to. They are bugs to be patched, but not super critical since you still have to get malicious code onto the local system and get it to execute. They are more of a concern on multi-user systems but even then it is rarely a panic situation.
So seriously, enough with this "OMG MS just needs to make a 100% perfectly secure OS!" shit. It shows massive ignorance of how complex an OS is, and what all you have to balance. No problem with that, you needn't learn about it if you don't want, but then don't argue from a position of ignorance and assume that they could make a perfect OS if only they wanted to badly enough.
No security is perfect. People who do security in the real world, physical security, have always known this. For some reason many people who do virtual security delude themselves into thinking it is different. No it isn't, there is no perfect security. So have defense in depth. Be mindful of where you visit on the web, don't download random shit, run a quality virus scanner that checks data as it comes in from the web, use a deprivileged browser (something in protected mode, if your browser supports it), have a firewall, have UAC turned on, think before you execute a program. None of that is perfect, none of that is something that can't ever fail, but with layers of protection if one fails, you've others to fall back on.
This is a perfectly ordinary elevation-of-privilege vulnerability. Just like every other elevation of privilege vulnerability it also happens to be capable of bypassing UAC's split-token protection, but the vulnerability itself isn't related to UAC in any way.
In particular, if the workaround suggested in the article is correct, this vulnerability can't be used to escape from Internet Explorer Protected Mode (the other major function of UAC).
That's a bet I wouldn't take. Given the well-known existence of both more or less free-floating criminal elements and multiple nations with reasonably substantial CS capabilities more or less tightly integrated into their military and/or clandestine capabilities (and sometimes shading into the first category...) any one entity asking for a backdoor is making the (painfully stupid) bet that nobody else is going to find it. Obviously, virtually everyone would love to have a backdoor of their very own; but even unregenerate PNAC acolytes probably aren't stupid enough to assume that only they would ever find it...
An entity in the position to push Microsoft into giving them a backdoor would, one presumes, already possess formidable power, either legally or secretly (depending on whether the backdoor is inserted by NSA spooks or suspiciously cheap Chinese contractors). Such an entity would be foolish to use such power to push for a backdoor which, if discovered (and there is constant searching going on, even if you only count the guys who just want to send h3rb5l v15gra! spam...), would suddenly give every flea-bitten nonentity who can afford an internet connection considerable intelligence capabilities.
Any entity with substantial legal clout would, unless absurdly moronic, simply use instruments like CALEA, collaboration with telecom entities, search and seizure procedures, and the like. If those weren't good enough, they would advance the theory that only even greater legal clout can possibly save America and The Children from the pedo-terrorist menace. If history is any guide, they should then receive an upgrade.
Any entity with substantial clandestine/illegal clout would, again unless absurdly moronic, be much better served by making use of vulnerabilities that happen anyway, along with HR/outsourcing based infiltration of relevant institutions. Pushing for a backdoor that puts them on par with dubiously pubescent script kiddies, when they currently have a commanding lead, would be illogical in the extreme.
From the article: "The flaw is related to the way in which a certain registry key is interpreted..." Another argument for abolishing the Windows registry and storing setup information in plain text files. Not like that's going to happen...
Freedom is drinking a beer in the park when you're supposed to be at work.
And, if that happens, there is literally nothing to suggest that they would land on a Microsoft platform.
It would be bordering on suicide for Microsoft to lose backwards compatibility -- because people could be swayed to end up someplace else.
Exactly ... I mean, you can see the ad campaigns already ... "Well, if you're already switching operating systems ....".
Lost at C:>. Found at C.
OpenBSD doesn't have the same goals and doesn't have to provide the same level of compatibility.
Windows Server 2008 R2 actually has a pretty impressive security record so far. If they stripped it down and provided only core services like OpenBSD it would be even better. The problems really exist in user space where you have a lot of naive people running random executables provided by some very bad people who spend all day looking for holes.
The OS9/OSX change was, ironically, actually a demonstration of A)how hard it can be to change your OS from the ground up and B)how Apple wasn't up to the challenge.
Back in the System 7 days, Apple started "Copland" as a next-gen OS to remedy the numerous and hilarious deficiencies in their existing OS. The project was a miserable failure and, after about as much schedule slipping as Apple could afford at that time, they took it out back, shot it, and bought NeXT, and then proceeded to adopt more or less everything but the name as the foundation for their new OS. Even with the "grabbing an entire, largely complete, OS from a third party" tactic, OSX only made it to release in 2001, with the Copland project having been started in 1993.
It wasn't really a "rewrite" at all, more of a grafting of some APIs from the old OS, and some UI conventions (though not all, OS9 die-hards are still bitching about how much OSX's finder sucks...) onto an entirely new OS. The rewrite attempt foundered horribly.
Microsoft's OS leaping attempts were actually pretty similar (except that I'm not sure they ever even pretended to have the in-house expertise to transform the DOS-based Windows versions into something resembling a real OS). Their DOS-based Windows versions sucked, architecturally, so they hired a bunch of serious DEC guys to build them a whole new, architecture-independent OS. That was NT. They then grafted on the win32 API and, by around Windows 2000, had finished bringing over all the UI conventions that 95-98-ME users would expect (NT 3.X is actually a pretty alien experience, if you are expecting Windows...)
There is probably some example of a "Hey guys, let's rewrite our OS" story actually going well, without the invocation of a deus-ex-machina outside team; but neither Apple nor Microsoft really qualify.
Besides nebulous empty rhetoric like Windows having a broken design, what's wrong with it that a rewrite would fix?
Staggering amounts of backwards compatibility crud full of security holes?
One obvious example is Windows' default behaviour of loading .DLL files from the current directory, which allows you to infect arbitrary executables by starting a program from a directory which contains a malware DLL. 'But we can't change that because it will break WhizzbangSoft 2003!'
The only way for Windows to become secure is to throw out backwards compatibility, and then no-one would use it.
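The current-directory DLL loading behaviour mentioned above has two documented system-wide mitigations (the SafeDllSearchMode and CWDIllegalInDllSearch registry values under the Session Manager key), and a defender can also look for modules loaded from outside the usual system locations. The following audit script is an added example written for this thread, not code from any poster; the "trusted" directory list is an assumption, and modules that an application legitimately loads from elsewhere (its own install directory outside Program Files, for instance) will show up as findings to be reviewed rather than as proof of compromise.

```powershell
# Added example: audit DLL search-order mitigations and flag loaded modules
# that live outside the directories assumed trusted below (assumption, not a rule).
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$props = Get-ItemProperty -Path $key

# SafeDllSearchMode: 1 or absent = app dir, system dirs, then CWD; 0 = CWD searched right after app dir.
$safe = if ($null -eq $props.SafeDllSearchMode) { 1 } else { [int]$props.SafeDllSearchMode }
if ($safe -eq 1) { Write-Host 'SafeDllSearchMode: enabled (CWD searched after system directories)' }
else             { Write-Warning 'SafeDllSearchMode: DISABLED (CWD searched before system directories)' }

# CWDIllegalInDllSearch (KB2264107): 0xFFFFFFFF = never search CWD; 2 = not when CWD is remote;
# 1 = not when CWD is a WebDAV share; 0 or absent = CWD is always part of the search.
$cwd = $props.CWDIllegalInDllSearch
switch ($cwd) {
    { $null -eq $_ -or $_ -eq 0 } { Write-Warning 'CWDIllegalInDllSearch: not set; CWD is always searched' }
    { $_ -eq -1 -or $_ -eq 0xFFFFFFFF } { Write-Host 'CWDIllegalInDllSearch: CWD removed from DLL search' }
    2 { Write-Host 'CWDIllegalInDllSearch: CWD skipped when it is a remote (UNC/WebDAV) location' }
    1 { Write-Host 'CWDIllegalInDllSearch: CWD skipped only when it is a WebDAV location' }
    default { Write-Warning "CWDIllegalInDllSearch: unexpected value $cwd" }
}

# Assumed trusted roots; anything else is reported for manual review.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trusted) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # protected or other-user processes: access denied
    foreach ($m in $mods) {
        if (-not (Test-TrustedPath $m.FileName)) {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName }
        }
    }
} | Sort-Object Module -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so that modules of processes owned by other users are visible; the registry part works without elevation.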
They might well be able to get away with designing (another, NT being their first) new OS; but a new userspace API or huge security model change would get ugly...
Even Vista's "Hey, let's actually slightly enforce all those best-practices things about not assuming that everyone is running with Admin privileges at all times, as though it were still Windows 95" was met with a firestorm of nearly pure hate. So much so that, even with Vista to take the flak and several years for 3rd parties to get their act together, 7 backed off the UAC a little bit. A really serious change of the "Nope, no win32 for you. Also, all drivers must be utterly rewritten" caliber would probably be met with shocked silence, followed by most of Redmond being set on fire...
UAC isn't really anything special, just an easy way of running as a deprivileged user. However many Slashdot types love to hate on it not only because it is from Microsoft, but because it messes with one of their talking points. For the longest time Linux (and OS X) types hated on Windows because people ran as administrators. They talked about how amazingly insecure that was, how big a problem, how MS didn't care about security and so on. Many people tried to explain to them that it really doesn't matter, since people will just hand out the credentials to elevate without thinking; you can't protect people from themselves.
Well then along comes UAC, with a number of other security enhancements. Seems MS WAS taking that seriously now. They made it easy for users to run deprivileged. Well shit, that isn't a good thing if you are an MS hater. So they find ways to hate on UAC and claim it is no good, insecure, worthless, a pain, whatever. Many of the criticisms apply just as well to other elevation modes in other OSes but this isn't a matter of true technical analysis, it is just fanboyism.
Same shit here. Windows has a bug in its privilege isolation, leading to a local escalation exploit. Something to be fixed for sure, but hardly super critical. Linux has had the same kind of thing many times and it is never a major crisis since it still requires code to get on the local system and be executed first. However since it is with Windows they'll spin it as an anti-UAC thing.
"I'm hard pressed to decide if Microsoft is unwilling, or just unable, to ever fix it."
Microsoft top managers achieve vulnerabilities by not allowing Microsoft programmers to finish their work, apparently. Since Microsoft has a virtual monopoly on operating systems installed on computers you can buy, the vulnerabilities make Microsoft more money because the average person cannot fix an infected computer and buys a new computer with another copy of Windows. See the New York Times article: Corrupted PC's Find New Home in the Dumpster.
The solution is to make computers with Linux already installed available. Unfortunately configuration of Linux is quirky and poorly documented, slowing adoption.
Another solution is to use anti-trust law to make Windows more fair for buyers. Should users of Windows Vista pay for an entirely new version of Windows, when Vista was troublesome and a court case showed that Vista was knowingly released before it was ready? There are only small differences between Windows Vista and Windows 7. Why should users pay for an entirely new copy of Windows?
It is my opinion that the present practices of selling something almost everyone with a computer must have are unfair and against the common welfare. Microsoft lost an anti-trust case, but there was never any penalty.
No, but the 'windows startup sound' is.
---- Booth was a patriot ----
Most (not all, but most) of the recent remote exploits for Windows are through third-party code present on OS X and Linux as well (Adobe Reader, Flashplayer, and Java are the big three recently). Those programs are vulnerable on other platforms too, but weaponizing and deploying an exploit is expensive, and they're not worth the return on investment.
In situations where return on investment is equal for each platform, or where OS X or Linux are dominant, there have certainly been exploits. See the Pwn2Own contests for an example of how easily OS X can be compromised, even before Windows was. See the smartphone market, in particular iPhone jailbreaks (which are no more or less than remote root exploits), for what happens when people actually bother to find and exploit vulnerabilities in Apple's code.
As for the inevitability, that's dead easy. Malware is business, and has been for years. For each platform, there are two relevant numbers: cost to produce a useful exploit, and value (income) from releasing that exploit. Currently, the former number is relatively high for Windows - it's been picked over pretty hard, and a lot of security hardening has gone into it. Again, see things like Pwn2Own.
However, the latter number - the money you can make with a good Windows exploit - is far, FAR higher. Many millions of dollars higher. The difference between that value on Windows and that value on other desktop operating systems is such that it's not worth developing malware for them if you could do it for free (i.e. be compensated for your time). If you're going to spend the time writing malware for desktop operating systems, there just isn't any target that makes sense other than Windows.
To answer your question more directly, try a few hundred million. That's how many you need to come close to the number of Windows installations. Depending on the value-difficulty equation, it might not take a number equal to that of Windows - for example, the untapped market may be easier to monetize, increasing the income - but it will require that market shares become roughly equivalent.
There's no place I could be, since I've found Serenity...
As long as everything you run is *vulnerability* free, you mean. Actively running malware (Trojans) is certainly a major problem, but in general running Firefox as admin is more dangerous than running IE as a standard user (the fact that there's a local EoP vulnerability just announced notwithstanding).
There's no place I could be, since I've found Serenity...
why do I have to install a third-party firewall and run third-party anti-malware software, that is, if I want to use it on the Internet?
Probably because you're too retarded to know how to use a hardware firewall, the Windows built in software firewall, and MSE?
*Posted via Windows 7 Professional behind a hardware firewall with the software firewall turned off*
Why the fuck do I need a firewall at all? Seriously.
The solution is to make computers with Linux already installed available. Unfortunately configuration of Linux is quirky and poorly documented, slowing adoption.
Dell tried that and sales were so bad that they stopped doing it for the consumer level computers. You can still get a no-OS option on servers.