Slashdot Mirror
PowerShell Security Threats Greater Than Ever, Researchers Warn (computerweekly.com)
Microsoft's Windows PowerShell configuration management framework continues to be abused by cyber attackers, according to researchers at Symantec, who have seen a surge in associated threats. From a report on ComputerWeekly: More than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell. Malicious PowerShell scripts are on the rise, as attackers are using the framework's flexibility to download their payloads, traverse through a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.
Good thing MS had the foresight to make sure that non-signed PS scripts aren't executable by default.
Of course... sysadmins generally disable that restriction just like they turn of UAC... MS makes a security measure and people disable it and then complain that MS is so insecure.
But then Linux is insecure in a lot of the same ways... it's only as secure as the weakest link... which is generally the apps running on it.
My eyes reflect the stars and a smile lights up my face.
Actually, CMD would be in theoretically worse shape if evaluated apples to apples. However, powershell *puroports* to have security features like execution policies and signing, so it draws more scrutiny. Those are pretty much useless in practice because a cmd script is not subjected to that scrutiny and can just modify the executionpolicy of powershell at will if it really wanted to do some nefarious stuff that required powershell (though they could easily use pretty much any language they want).
XML is like violence. If it doesn't solve the problem, use more.
Or, to rephrase, powerful tools are powerful tools. The main reason PowerShell can do more damage is because it can do more stuff.
Maybe this will be the year of Linux on the desktop
Both terrible "security" policies. What would a signature possibly mean to me as a user if I don't know you? With or without a signature, my choice is still: either I run this script I need to my job, or I don't and I can't do my job (or it gets much, much harder). So basically PowerShell's security is no better than any other shell that's come before it; it projects a false sense of security, and like UAC before it, it just gets in your way.
So given the fact that getting a job done is king, and running scripts or programs written by potentially malicious people is the only reasonable way to do your job, then running arbitrary scripts must be made safe. The means to achieve this is the Principle of Least Authority (POLA), and POLA environments can and have been done before, even within commodity POSIX and Windows systems.
The earliest secure POSIX shell that I recall was Plash. Now we also have Shill (requires a kernel module) and the Capsicum shell (also requires kernel modules). Windows can be made POLA secure out of the box as was demonstrated with Polaris.
It's just amazing that we fail to learn the mistakes of the past even when solutions are available.
Higher Logics: where programming meets science.
With great PowerShell comes great ResponsibilityShell.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yeah... RTFA really doesn't help in this case.
That meaningless statistic, is just as meaningless both before and after reading the article.
And nice bit of work from the article author managing to get this particular link in to that paragraph:
href="file:///C:/Users/washford/Documents/4%20Thursday/Microsoft%E2%80%99s%20Windows%20PowerShell%20configuration%20management%20framework"
Shocking conclusion though, apparently executables and scripts downloaded from the internet can be malicious, who would have thought that!?
What would a signature possibly mean to me as a user if I don't know you?
Funny thing about them signatures. When a powershell script runs another powershell with -Verb RunAs to ask the user to elevate privileges, powershell.exe is "Signed By Microsoft" and tells the user so.
Someone had to do it.
WHen you run powershell as an admin it can do bad things. Who would have thought? I wonder if Linux is vulnerable if someone is logged in as root?
Powershell is not enabled with an execution policy by default. It has to be enabled and most people do not even know what it is so this is no threat? At work we have a GPO that blocks powershell for any non AD admin.
http://saveie6.com/
Powershell has been used to carry out tasks, but we're not talking about PowerShell being exploited here. A pre-existing problem (be it an exploit used to deliver the script, or an ID 10 T problem) would have had to manifest, and you still need to escalate privileges to do something other than a temporary infection or encryption/ransom of the current user account.
Twinstiq, game news
PowerShell isn't a scripting language in the traditional sense -- it's a whole ecosystem that can expose the entire machine if you have the rights, and perform extremely complex stuff on the user's behalf. If you can convince someone to remove the execution protection and run a script you provide, it makes for a very easy malware-distribution utility because it can basically do anything the native OS can, call .NET code directly, grab data from URLs, have JSON conversations, remotely manage other machines on the network and so on. The out of box settings are to only run digitally signed scripts and not allow scripts to be run from remote locations, but it's very possible to just run "Set-ExecutionPolicy Unrestricted" and drop all the protections...then the code you run has all the rights your user account does.
I've mentioned this before, but PowerShell is one of those things that Windows admins are slowly adopting, simply because the alternatives have worked well in the past and are easy to get the basics down in. Those alternatives are disappearing on Windows, so there will be a phase where these kinds of attacks could be very prevalent. It's a little bit like TLS certificates for internal applications -- many admins I know will do the absolute minimum required to stop the browser from showing a certificate error, then run away screaming. And that kind of makes sense -- unless your job is web programming or you're a PKI expert, the details of certificates are very complex and not well documented in an easily digestible form. Like certificates, PowerShell has a really steep learning curve before you can do really useful stuff in it. The basics are easy, but learning to think of every command as returning objects rather than text output you have to play with is a big jump for some people. Makes perfect sense for developers, but less sense for IT people or cross-platform people used to dealing with files and text I/O streams.
Some of the nastier scripts out there nowadays aren't really about gaining elevated privileges. Some of them, like the encrypting ransomware requires no special privileges at all, but simply access to user files, and to network files that the user has read/write access to. So while the critical aspects of a computer or a network are protected by execution and system resource access limitations, you need to prevent execution of unauthorized scripts completely.
I have to admit I've found signing Powershell scripts to be a mighty pain in the arse, but it does provide some protection against external scripts running when you maintain the blocking of execution of unsigned scripts. It isn't a complete protection, unfortunately, and Powershell is only one route by which this kind of ransomware could end up on a system. Vulnerabilities in Java, MS-Office files, and even the execution of Windows Scripting Host files (vbscript and jscript) seem more common from my experience.
The one bit of ransomware I saw got loose through a vbscript file attached to an email. For whatever reason, Outlook allowed it to be executed, and the user clicked the dialog that might have prevented it, and then the script went to town encrypting files on the user's own folders and the share. Fortunately there's a good backup regime in place, so there was very little actual loss, but it demonstrated that along with some vulnerabilities in Windows' execution protection schemes, the real weak link as always is users themselves.
The world's burning. Moped Jesus spotted on I50. Details at 11.
What would a signature possibly mean to me as a user if I don't know you?
All code signing certificates issued by CAs trusted by popular operating systems are at least organizationally validated. This means two things: 1. the executable wasn't modified since it left the publisher's build farm, and 2. you know whom to sue if there are problems (especially in jurisdictions that don't allow a blanket disclaimer of all liability).
With or without a signature, my choice is still: either I run this script I need to my job, or I don't and I can't do my job (or it gets much, much harder).
I think the idea is that when faced with an unsigned script and a competitor's signed script, users will choose the signed script because of the guarantees of an OV certificate.
Those are special privileges. I don't think you truly appreciate the meaning of POLA. When you run a program with a POLA shell, it literally has access to nothing except the memory in its own address space and any parameters it's passed via the command line. Here's a simple example of copying a file in a traditional Unix shell:
$ cp foo.txt foo.bak
To implement the desired copy functionality, the cp command must have access to the entire local environment, including the entire file system since it can lookup an arbitrary path. This is an absurd amount of authority for a program that merely copies bytes from a source to a sink. Now here's a POLA version of the same command:
$ cp < foo.txt > foo.bak
Notice that the only permissions cp needs are explicitly specified in the command. They are then opened by the trusted shell and passed in as file descriptors, a read-only one and a write-only one, to the untrusted program. The explicit permission grants are obvious, and POLA shells generalize this type of pattern to compartmentalize all programs.
A perfect failure of POLA. In a proper least authority environment, it would have been perfectly safe to run that program because it would have had to raise a request to the environment for a set of read/write file descriptors and your user would have been rightly suspicious of any program requesting access to so many files.
Higher Logics: where programming meets science.
How about you don't run random code that you don't understand.
Screwing up your system by running someone else's scripts is not unique to Powershell (or MS in general).
Microsoft might take the brunt of the malicious code however, because their software is designed to be easy. Any screwball can stumble their way through adding users or DNS zones in AD's GUI and call themselves a sysadmin. The mental barrier to entry is low, so you'll end up with a higher percentage of idiots running Windows systems. If those same idiots knew how to CLI, they'd be admins for *nix systems, and writing their own code for Powershell on the windows side. But they don't. So they google "How to ... in Powershell," download the first .ps1 file they find and right-click Run as Admin.
This signature is false.
Just run this PowerShell script via pastebin that will solve your problem: http://pastebin.com/QCnQGWLn
Sleep your way to a whiter smile...date a dentist!