Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability
An anonymous reader writes "Google's security research database has, after a 90-day timeout, automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries, as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
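As an added illustration (not the story's, Microsoft's or the researcher's code, and not the real logic of ahcache.sys): a toy model of the query/add split described above, with a privilege check that looks at the caller's impersonation token. The token fields, the rule that an impersonation token below SecurityImpersonation must not count, and all function names are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional

# Windows impersonation levels, ordered: only IMPERSONATION or higher lets a
# server act with the client's authority; IDENTIFICATION only lets it look.
class ImpersonationLevel(IntEnum):
    ANONYMOUS = 0
    IDENTIFICATION = 1
    IMPERSONATION = 2
    DELEGATION = 3

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known BUILTIN\Administrators

@dataclass(frozen=True)
class Token:
    """Modelled access token: who it is for, group SIDs, impersonation level."""
    user: str
    groups: frozenset
    level: ImpersonationLevel = ImpersonationLevel.IMPERSONATION

@dataclass
class Caller:
    """A calling thread: its process's primary token plus any token it impersonates."""
    primary: Token
    impersonation: Optional[Token] = None

def effective_token(caller: Caller) -> Token:
    # A thread that is impersonating is evaluated under that token, not its primary.
    return caller.impersonation or caller.primary

def is_admin_weak(caller: Caller) -> bool:
    # Assumed flawed check: trusts the group list of whatever token is
    # effective, without asking whether that token may be acted upon.
    return ADMINISTRATORS_SID in effective_token(caller).groups

def is_admin_strict(caller: Caller) -> bool:
    # Corrected check: an impersonation token below SecurityImpersonation
    # proves nothing about the caller's authority, so it must not count.
    tok = effective_token(caller)
    if caller.impersonation is not None and tok.level < ImpersonationLevel.IMPERSONATION:
        return False
    return ADMINISTRATORS_SID in tok.groups

def cache_control(caller: Caller, op: str, admin_check: Callable[[Caller], bool]) -> str:
    """Model of the cache service: anyone may query, only admins may add."""
    if op == "query":
        return "ok"
    if op == "add":
        return "ok" if admin_check(caller) else "access denied"
    raise ValueError(op)

# Constructed sample tokens and callers.
ADMIN = Token("corp\\admin", frozenset({ADMINISTRATORS_SID, "S-1-5-32-545"}))
USER = Token("corp\\alice", frozenset({"S-1-5-32-545"}))  # BUILTIN\Users only
# A standard user whose thread holds only an identification-level admin token.
IDENT_USER = Caller(primary=USER, impersonation=Token(
    ADMIN.user, ADMIN.groups, ImpersonationLevel.IDENTIFICATION))

if __name__ == "__main__":
    for name, c in [("admin", Caller(ADMIN)), ("user", Caller(USER)), ("ident", IDENT_USER)]:
        print(name, cache_control(c, "add", is_admin_weak), cache_control(c, "add", is_admin_strict))
```

The weak check lets the identification-level caller add entries; the strict check denies it while still allowing a genuine administrator to add and everyone to query.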
"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.
Undisclosed?
What is a reasonable amount of time to let a company sit on a known vulnerability? I feel like 90 days is pretty reasonable. There's still that Apple rootpipe thing that's floating around that they haven't fixed and hasn't been fully disclosed.
Researchers!
First Sony, now this.
The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.
Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you're using Windows 8.1, this particular vulnerability is the least of your problems.
This seems to come out of the peculiar Microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in a non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.
MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.
To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to its application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32- or 64-bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern Linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.
XML is like violence. If it doesn't solve the problem, use more.
While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.
The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.
"undisclose" something? Did they send one of those worthless "recall email" things?
So?
The GP's point is still entirely valid.
Let's see how that plays out in the Open Source world: ...
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
Step 5: wait for it
Step 6: enjoy your now-patched system.
I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.
John
While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.
It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
I don't see how it is valid anymore.
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
You've really got to try to fix a few things before you can appreciate how uneven the situation can be. I've fixed some little things, they were easy. I've tried to fix some other apparently little things and failed, and found some other solution instead. Or not.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You sound like someone who is pro-gamergate.
"tirade of racist and misogynistic"
Sounds like you're a real nasty sexist who discriminates against white men on their gender and skin color, by assigning them these attributes out of nowhere.
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to. Maybe you're the exception but I suspect that most of us work in businesses where multiple sources of supply is a good thing - that's something open source at least helps with and closed source actively works against. Suggesting that open source only makes sense if I can fix it myself is like suggesting I use proprietary wiring in my house that only one supplier can work with because, hey, I'm not an electrician myself. Madness.
I think the "at least the end-user isn't restricted from fixing bugs when they occur" part is what the rejoinder was referring to.
I am very small, utmostly microscopic.
Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to.
Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.
Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.
No, the original claim was:
"at least the end-user isn't restricted from fixing bugs when they occur."
Paying/getting a different party to fix the bug is a valid application of "not being restricted from fixing the bug". In the case of proprietary software, if the original vendor doesn't fix it, you're stuck with the choice of being vulnerable or making significant changes (switching to a different proprietary software).
I have already fixed kernel bugs. And probably many others have. At least there is the choice and the possibility of doing it. Could we do the same in Windows? Think about it.
While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.
The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.
The Linux kernel source code is riddled with unused variables and other unfixed and seemingly minor issues which collectively represent security vulnerabilities. The worst part about trying to capture these unused variables is the sheer verbosity of the output during compilation. While building Linux From Scratch (LFS) I encountered a multitude of unused variables, among other deficiencies, which I would have liked to address; however, the compilation messages scrolled merrily off screen never to be seen again...until the next compile cycle. If someone would pay me a decent income I would enjoy hunting down these deficiencies, but alas companies don't view that work as sexy, so it is left to fester and bit rot sets into the code base as the years pass.
That's true.
Unused variables are warnings and not errors because their use is detected only heuristically and not conclusively. I'm not saying that's the case in the Linux kernel; only that it's a possibility.
But the real point, I think, is that even if everyone/most users can't fix a bug in open source code (similar to the prior poster, I've also fixed small and medium ones, but waited for fixes on complex stuff), there are people who can, and will, and do. Even though, for the really obscure things, that group may be small, there is no absolute dependence on some group that has access to closed source code. This seems like rather an advantage for open source.
Why are you bringing up the average user when he was talking about the end user who has a strong reason to keep something patched? That's comparing a Mint home user to someone running the distribution upgrade servers.
If you are in charge of managing an important system or network, then you can either fix the problem yourself, have your programming team fix it and commit the fix back to the upstream vendor or you can potentially hire the work out. Even if you are an average end user, you could actually fix it if you were willing to put in the work, however unlikely that scenario might be.
B) Eliminate all the stupid users. This is frowned upon by society.
I'm surprised more people haven't responded that they already have contributed, given the way anything about a particular language turns into an argument.
I'm not a professional developer, but I have on occasion been the fresh pair of eyes that has spotted something that turned out to be an easy fix. On many more occasions I have found bugs that were out of my league.
[sigh]
If Slashdot has a patrolbot that auto-deletes comments with the letters (ess jay double-yew) in it in gender politics threads, can't it also be made to cover a post with the N-word if it occurs a dozen times?
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Trolls that keep posting crap like this should eat their own dogfood - try it yourself before extolling the horrors, and try it with both the closed source product and the competing open source one. I've done this. IME, you're full of shit.
It's also worth noting that the bug was reported over 90 days ago. "proper fix takes ages"... results will vary wildly depending on the product, the bug report, and the bug, but the majority would be addressable well within that time frame. In most cases, you won't have to do anything as the maintainers will handle it, just like (a good) closed source maintainer would.
10,000 times more people are able to fix an issue in Linux than in Windows. So a single individual may be limited but the community is much stronger.
Why is it so hard to only have politicians for a few years, then have them go away?
Sorry you got lost. Tumblr is three doors down, on the right.
kthx, bye.
It does not appear to be a serious hole by itself. Microsoft claims you need a valid log-on to exploit this. In reality all you need to do is to get your code run on a machine with the privilege of an ordinary user. There are ways and other vulnerabilities to do it. There are numerous holes where the browser executes supplied malware from the net, without admin privileges. These two holes, when combined, form a serious threat.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Maybe you just spend too much time pulling statements out of your ass?
Why is it so hard to only have politicians for a few years, then have them go away?
Gratz. You sir are a thinking and evolving being.
Why is it so hard to only have politicians for a few years, then have them go away?
>> the Linux kernel source code is riddled with unused variables...
One would think that the linker would eliminate most of this. Not sure about the unspecified "unfixed and seemingly minor issues which collectively represent security vulnerabilities."
As far as the warnings go - most of those that I see are in the modules, not the kernel itself.
I am very small, utmostly microscopic.
"Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability"
"undisclosed
adjective
1. not made known or revealed: an undisclosed sum"
From that description I assume Google has a database of recent security vulnerabilities (from the last 90 days).
Vulnerabilities are immediately public information, then after 90 days they are removed from the list as they aren't recent, and assumed to be patched?
OR
It's the opposite and the person writing the description for the story should have said disclosed instead of undisclosed.
(sarcastic comment about reundisclosing the vulnerability so they can redisclose it in another 90 days)
. . . might be a worse idea.
In addition, unused variables may be the beginnings of an update that hasn't been finished.
Besides, the kernel isn't "riddled". Yes, there are a few places that DO have them. And in some cases, they are actually errors from patches removing old code that missed removing the variables used.
Linus just doesn't put up with crap.
That is probably not enough time.
If you change your UAC to the highest level (mine has been for years), UAC warns you before you run the executable.
People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.
Hm. Back when I decided to build my own Linux-based computer from source code, I did a lot of tweaking to the sources for a lot of the software that I decided to run. It was not terribly hard and it made the entire user experience amazingly awesome.
Now I am just pissed off. What with the removal of the ability to Ctrl-Alt-Backspace out of X (yes, I can add it back in) and "systemD integration" (yes, I can currently avoid it entirely) and other such nonsense like Gnome going off the deep end (nothing I can do about that but fork it), why even bother with Linux anymore? There is way too much to tweak and fix now. Stuff that should NOT NEED to be tweaked and fixed when it was already working.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Because FOSS still doesn't place some arbitrary BS restriction on fixing stuff.
Yes, it's true that a lot of users won't have the knowledge to do it, or won't be competent enough. Heck, even the people who can fix bugs won't have the time to fix every bug they encounter. But at least FOSS doesn't just outright ban you from doing it.
WE MUST NEVER CENSOR TROLLS! Because, umm, wait. Why must we never censor trolls?
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
Perhaps we could move it to a "Possible trolls" thread?
Sounds like the opposite to me.
A few days late, but here we go: because to do it properly we must first find a definition of 'troll' with absolutely no room for misinterpretation or false positives. Failing that, we would end up with the same kind of censorship our benevolent leaders claim is meant to protect us from obscenities, terrorist propaganda and child pornography.
Umm... I get your point about censorship. But coming up with a definition isn't particularly hard in this case. And that's where you leave it. Not every trolling comment needs to be deleted. Only the ones that rise past a clear definition.
As SCOTUS has said, I don't know how to define obscenity, but I know it when I see it.
Not every trolling comment needs to be deleted. Only the ones that rise past a clear definition.
10 GOTO HELL!
20 GOTO 10
Censorship must never be allowed, ever! We need to make the internet absolutely indelible AND universally accessible. This is the utmost of importance. All people who want ANY kind of censorship should have their hands cut off! Fuck them all sideways!
So why does /. censor posts in gender politics threads? They do selectively run a script in some threads. In the case I'm talking about, it will ghost posts that use ess jay doubleyew (social justice warrior). They DO censor. This isn't hypothetical.
Prostetnic Vogon Jeltz:
There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaints and it's far too late to start making a fuss about it now.
Let's say I am a consumer having routers running Linux, and even if I knew about developing in some manner, I wouldn't necessarily have time or interest to start fixing bugs in gear running platforms that might require a complete recompilation and setting up a remote-build system and what else.
Contrast this C/C++/open source model to a model where the operating system and everything was written in e.g. variations of C# called M# that was used to develop a real operating system.
In this managed language model, if my router or phone etc. has a bug, I can download the affected binary from the router and get back source code that's readable enough that I could actually make larger changes to it and send it back to the router. Yes. You could do this with IDA Pro, but having actually tried it, I can tell you it's nowhere near as easy as with C#.
By "readable enough" I meant that with C# (and probably Java etc.) you can decompile a binary and get back good enough source that you can in a few minutes be recompiling it again. The only problem would be if the OS used signed executables and would not allow replacing the executables with ones that you self-signed. So while waiting for the official patch, you'd have to set the OS into a mode that accepts self-signed executables. This certificate for self-signing could be put into the hardware cert store through a firmware interface pre-boot. This way the entire system would stay secure despite using self-signed modded OS DLLs.