Slashdot Mirror


'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack, told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.

126 comments

  1. Multi-process... by Anonymous Coward · · Score: 2, Funny

    If it's done with multiple processes, is it a Process Doppelgangbang?

    1. Re: Multi-process... by Anonymous Coward · · Score: 0

      Lol at the gang bang comment being marked redundant. Good job by autistic moderators, even if they don't understand why it's funny.

    2. Re: Multi-process... by VernonNemitz · · Score: 2, Funny

      NOT all Windows versions. I have a machine with Win 3.1 on it, that does not have NTFS.

    3. Re: Multi-process... by omnichad · · Score: 1

      You don't even have to go that far back. It doesn't work on Windows 98 or ME either.

    4. Re: Multi-process... by Brockmire · · Score: 1

      Your clarification privileges have been revoked.

  2. Windows Versus Linux by Anonymous Coward · · Score: 0

    Debate in 3..2...1

    1. Re:Windows Versus Linux by Anonymous Coward · · Score: 1

      Windows is better because Linux breaks backward compatibility whenever a penguin takes a shit.

      captcha bugged

    2. Re:Windows Versus Linux by hcs_$reboot · · Score: 1

      Nobody mentions the Mac anymore :-(

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Windows Versus Linux by TheReaperD · · Score: 0

      Well the Mac is re-polished Linux (yes, I know, MachBSD, not Linux, but whatever) that even Apple doesn't care about any more. It bugged me when I worked there how they'd end up making really good software and then not give a damn about it. The mentality was always that the software was to sell the hardware. The software itself had no value.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    4. Re:Windows Versus Linux by Anonymous Coward · · Score: 1

      That's because Macs are designed so anyone can get root with a couple of clicks...

    5. Re:Windows Versus Linux by murdocj · · Score: 5, Insightful

      Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

    6. Re:Windows Versus Linux by eddeye · · Score: 2

      Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

      Fortunately intelligent people don't post on slashdot.

      --
      Democracy is two wolves and a sheep voting on lunch.
    7. Re:Windows Versus Linux by Anonymous Coward · · Score: 0, Insightful

      Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

      Stupid people also use the operating system that lets them get the tasks they want to get done done. Can we go back to bitching about how much Windows security is a joke, especially when it comes to trying to keep it updated?

    8. Re:Windows Versus Linux by Megol · · Score: 1

      :-(

    9. Re: Windows Versus Linux by Zero__Kelvin · · Score: 1

      I disagree, and you might want to think about your claim a bit more too.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:Windows Versus Linux by omnichad · · Score: 1

      Intelligent people that need to use commercial software.

    11. Re:Windows Versus Linux by Anonymous Coward · · Score: 0

      "intelligent people"

      who dafuq dis guy?

      lol.

    12. Re: Windows Versus Linux by Anonymous Coward · · Score: 0

      That was the point. Woooosh!

  3. So... by 110010001000 · · Score: 1, Insightful

    ...so you run a program on the target machine that uses some API to run some malware undetected. Clever. Computers that run arbitrary software need to be banned. Only approved computers running a small set of governmental approved programs should be permitted.

    1. Re:So... by Anonymous Coward · · Score: 0

      /irony, in case anyone misses it.

    2. Re:So... by Lije+Baley · · Score: 0

      What is it with people modding ordinary posts as Troll lately? Either snowflakes or actual trolls must be getting mod points now.

      --
      Strange things are afoot at the Circle-K.
    3. Re:So... by TheReaperD · · Score: 0

      The mod point allocation has seemed to be off the last few months. Not sure why.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    4. Re:So... by Anonymous Coward · · Score: 0

      What is it with people modding ordinary posts as Troll lately? Either snowflakes or actual trolls must be getting mod points now.

      It's because of the weather, my fingers are so cold it's hard to select "Sarcasm" without accidentally going down to Troll when modding.

    5. Re: So... by Anonymous Coward · · Score: 0

      I've been around since the beginning, fucko

    6. Re:So... by BronsCon · · Score: 0

      I dunno but I've had 2 +2 Troll posts in the past week so I'm okay with it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re: So... by Nocturna81 · · Score: 2

      But have yet to understand that Slashdot doesn't use unicode

    8. Re:So... by Anonymous Coward · · Score: 0

      110010001000's post is a textbook example of a troll post: deliberately stupid, not contributing anything useful, deliberately distorting facts, and deliberately instigating.

    9. Re:So... by Lije+Baley · · Score: 1

      OK, if that's the bar we're going to set, then I get to mod you "-1 Snowflake".

      --
      Strange things are afoot at the Circle-K.
  4. Re: Curry eater English by Anonymous Coward · · Score: 0

    Mmm curry :) I'm hungry.

  5. So, Basically by Shogun37 · · Score: 0

    It means that anyone with the "undocumented knowledge" (i.e., Microsoft, NSA) can run whatever they want on a Windows machine, and there's nothing to be done about it. Cue Microsoft sales dive in 3..2..1.. Don't feel left out Linux, OS. I'm sure that an "update" would allow you the same "functionality." Big Brother does so love his toys...

    1. Re:So, Basically by Anonymous Coward · · Score: 0

      It means that anyone with the "undocumented knowledge" (i.e., Microsoft, NSA, these two particular security researchers, anyone they have shared the details with, other "researchers" who follow up on the clues already given, ... soon, the internet world at large) can run whatever they want on a Windows machine, and there's nothing to be done about it. Cue Microsoft sales dive in 3..2..1.. Don't feel left out Linux, OS. I'm sure that an "update" would allow you the same "functionality." Big Brother does so love his toys...

      FTFY.

    2. Re:So, Basically by Anonymous Coward · · Score: 1

      Why would there be a "sales dive"?

      99.9% of buyers don't know, and don't care.

    3. Re:So, Basically by Anonymous Coward · · Score: 0

      They'll care once their banking information gets compromised in mass quantities. And it doesn't matter how "hard" it is to implement, as soon as the first hacker figures it out, all of them will have the know how soon after.

    4. Re:So, Basically by murdocj · · Score: 1

      No. This is just another virus. As someone else pointed out, there's no inherent reason you can't detect it the way other viruses are detected. And it doesn't let you gain more privilege. All it does is bypass current virus detection, which presumably will get fixed.

    5. Re: So, Basically by Anonymous Coward · · Score: 0

      This can't really be fixed without entirely ditching NTFS on Windows platforms. -PCP

    6. Re: So, Basically by guruevi · · Score: 2

      Read the summary, the attack can't be detected because the OS doesn't let itself or any other process into a running transaction.

      This made sense in the 80s/90s in that you don't want a program unnecessarily holding up or interrupting a disk operation because that would cause corruption, hence why we invented file systems that have a journal.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:So, Basically by Megol · · Score: 2

      One still has to have the rights to open and modify the file, one still has to have the rights to execute the file. It's "just" that one can replace a section of a file one already could modify and execute in a way that malware scanners can't detect.

      To me this isn't a huge problem - if security requires malware scanning one has no security. And it is using functionality not commonly used together so a hack that detects the combination and handles it should be relatively easy. But why care?

    8. Re: So, Basically by Megol · · Score: 2

      How about:
      Crook: Let's see, here we have a file I want to run and for some reason I have the right to run -> let's go transactional!

      NTFS: Ah, a transactional lock! Don't see those too often!

      Crook: Modify the file that I for some reason have the right to modify _wïthïn_thá_transáctïon_ HOHOHO!!

      NTFS: Okay... Got that.

      Scanner: Ah ho a hum, don't see shit... Boring.

      Crook: Now let's do the cool thing and run this modified shït!

      System: Let's see... Loading a file within a transactional lock? Now I don't like this, I don't like this AT ALL! *plonk*

      Crook: OMGWTF?!? I can't run the file :(((

      Crook: (releases lock either voluntarily or when killed by system)

      NTFS: Ah, a transactional release! Don't see those too often!

      Scanner: Still don't see shit... Really boring, should take up macrame or something.

    9. Re:So, Basically by ilguido · · Score: 1

      RTFA. The whole point of this exploit is that it is undetectable by anti-virus software or any other application.

    10. Re:So, Basically by Anonymous Coward · · Score: 0

      It means that anyone with the "undocumented knowledge" (i.e., Microsoft, NSA) can run whatever they want on a Windows machine, and there's nothing to be done about it.

      Trump will solve this issue with undocumented knowledge by deporting it to countries where US companies can utilize it with the lowest cost.

    11. Re:So, Basically by murdocj · · Score: 1

      Maybe you should RTFA and THINK.

      At the moment, yes, it isn't detected. The user runs a program, the program loads and modifies and runs a different program. The actions of the program in loading and modifying another program CAN BE DETECTED.

      Got it?

    12. Re: So, Basically by omnichad · · Score: 1

      Unless the A/V runs its own rootkit. Then it could probably still track what's going on.

    13. Re: So, Basically by Anonymous Coward · · Score: 0

      All A/V is a rootkit for all practical purposes.

  6. This is why we need alternative File systems by Anonymous Coward · · Score: 2, Interesting

    This is why we need alternative file systems on Windows. If this were Linux we'd either fix it or change to another file system. Not 'live with insecurity for the remaining days of your life'.

    1. Re:This is why we need alternative File systems by Anonymous Coward · · Score: 0

      You wouldn't do shit. You'd wait for someone capable to fix it.

    2. Re: This is why we need alternative File systems by Brockmire · · Score: 1

      Workstation Pro with ReFS for extra $$$.

  7. We're boned by Lije+Baley · · Score: 2

    Now does this mean we can finally move on to the "post security" era? Please, can we? So much security fatigue...

    Anybody can bust into my house with a solid kick, but I don't lose any sleep over it.

    --
    Strange things are afoot at the Circle-K.
    1. Re:We're boned by yorgasor · · Score: 1

      Yes, but it takes a lot of resources to bash in your door, and there's a lot of risk involved. You might be home at the time, you might have a gun. They either have to be near you or travel hours to get to your house to do it. On the internet, someone can write a script to bash in millions of "doors" in the space of a few hours with minimal resources and very little risk of getting shot and do it from the comfort of their home halfway around the world.

      --
      Looking for a computer support specialist for your small business? Check out
    2. Re:We're boned by aaarrrgggh · · Score: 1

      Foot, momentum. Not deal-killing resources. Probability of shock attack encountering properly trained people able to respond quite low. Add cell jammer and some gimmicks and you have a high probability of getting stuff to buy more ...whatever.

      GP’s point remains. We have constant risk, but losing sleep over it is stupid. Why?

    3. Re: We're boned by Anonymous Coward · · Score: 0

      Google Door Armor. You're welcome.

    4. Re:We're boned by yorgasor · · Score: 1

      If you want to break into a million houses all over the world, that's some major deal killing resources. If you want to break into one person's house that lives within an hour of you, that's not too big of a deal. Because of that, the odds of someone picking your house to break into are very slim, and not much to worry about. The odds of some script kiddie from Russia doing a scan and looking for vulnerabilities is quite high. If you're vulnerable to a remote attack, you will most assuredly get hit within a pretty short period of time. If you're not a high value target, basic security steps that block remote automated attacks and internet hygiene where you don't travel the seedier places on the internet and staying up to date on security patches will make it less likely that you'll be hit.

      --
      Looking for a computer support specialist for your small business? Check out
    5. Re:We're boned by Lije+Baley · · Score: 1

      Basic security steps like you mention are totally analogous to locking your door and not driving through bad neighborhoods. That's the easy stuff. Extra locks, alarms systems, reading every day to keep up on criminal techniques and following police blotters is stuff that goes beyond and most people won't do it. But strangely enough we have to hear about every worm, bug, bot, and breach in the news headlines. And every one of those stories has some "security expert" telling us what new thing we need to do today or we'll be PwNed!! They need to dial back the hype before nobody listens to them any more than they listen to the guy selling alarm systems. It's already too late. Security fatigue has set in, in earnest.

      --
      Strange things are afoot at the Circle-K.
    6. Re:We're boned by Aighearach · · Score: 1

      Even my hosts with no published domains get attackers kicking at the server's door multiple times a minute!

      Nobody has ever kicked at my front door of my house. One person tried the doorhandle one time, and ran away when I opened the door.

    7. Re:We're boned by BronsCon · · Score: 0

      The worst of it is that the self-proclaimed security guys have no clue what the fuck they're talking about in the first place, most of the time. For instance, the moron here on Slashdot who kept calling me Junior while insinuating that I'm an old-timer (insisting that I was relying on techniques 3 decades out of date), right after insisting that my Mac must have a virus, then going on about how Macs don't get viruses.

      I'm pretty sure the only thing that particular moron knows how to secure is another vial of crack.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  8. Re:Curry eater English by Anonymous Coward · · Score: 0

    Maybe I could change my surname to Malware, and be known as A Malware forevermore!

  9. Works On All Windows Versions? by bagofbeans · · Score: 1

    Not really. But at long last we have a single data point where Window 95 is better than Windows NT.

    1. Re:Works On All Windows Versions? by Anonymous Coward · · Score: 0

      What is really of note is the alleged compatibility. I've never seen anything compatible with all Windows versions. ANYTHING.. In fact, I doubt anyone really checked it because I'm pretty sure it will hang or crash on some versions.

    2. Re:Works On All Windows Versions? by Trax3001BBS · · Score: 1

      What is really of note is the alleged compatibility. I've never seen anything compatible with all Windows versions. ANYTHING.. In fact, I doubt anyone really checked it because I'm pretty sure it will hang or crash on some versions.

      One right off hand. Forte Agent 1.92, just move a short-cut to the newest install and have an E-mailer/Newsreader all set-up and ready to go.

      Older versions work as well, but needed yEnc the newer 1.92 offered. Used this version from W2K/Win98 to Win10 and in between.

  10. Re:Curry eater English by Anonymous Coward · · Score: 0

    Ugh, I bet you're the sort of person who gets sniffy if someone says 'the data is' instead of 'the data are'. Or vice versa.

  11. Re: And THIS is why Kevin uses Linux now by Brockmire · · Score: 1

    I don't know if this is funnier written by a human or by a bot. It's as if Beck trolls /. (Nonsensical words slapped together).

  12. NTFS Transactions have been deprecated for years by Anonymous Coward · · Score: 0

    "Unpatchable"? If Microsoft simply disabled the feature very few would even notice...

  13. Not patchable, really? by Bruce+Perens · · Score: 3, Insightful

    Creating a process from a file that is part of an in-progress transaction is probably not a documented feature of Windows at all. Making such files non-executable until the transaction is completed sounds like it would be a sufficient fix.

    Much as I like to brag that Linux folks can fix this sort of thing overnight, it is not really the case that everyone at Microsoft is a knuckle-walking Neanderthal who could not fix this in a week or a month.

    Watch some Neanderthal get offended...

    1. Re:Not patchable, really? by Anonymous Coward · · Score: 0

      The way I read the summary was that the part of the exploit they haven't told us about involves features that are core to the OS.

    2. Re:Not patchable, really? by Anonymous Coward · · Score: 0

      Agreed, Microsoft is technically competent. If they believe they need to fix it, they will. Worst case they need to work with software vendors to implement any necessary changes, though from what the parent said, that doesn't appear to be required.

      Of course, it might not hurt to build applications that run on both Windows and Linux. That way, no matter what happens you're covered. Another bonus point of that is that if we could ever reach a critical mass we might eventually get that mythical year of the Linux desktop, though I suspect inertia will prevent that for a long time.

    3. Re:Not patchable, really? by Aighearach · · Score: 1

      Why are you bigoted against Neandertals?

    4. Re:Not patchable, really? by Bruce+Perens · · Score: 3, Funny

      Why are you bigoted against Neandertals?

      I believe I can say in complete truthfulness that I have never met a Neanderthal that I didn't like.

    5. Re:Not patchable, really? by Bruce+Perens · · Score: 1

      The way I read the summary was that the part of the exploit they haven't told us about involves features that are core to the OS.

      Yeah, like filesystem transactions and executing files. The whole exploit is explained in the summary. Create a file in a transaction. Virus checker can't get at it because it's not visible outside of the transaction. Execute the file. Abort the transaction. No file left for the virus checker. Process still running.

    6. Re:Not patchable, really? by Anonymous Coward · · Score: 0

      But now this bug is so old that, even if they come up with a way to patch it (likely, since it sounds like it depends on specific undefined and unintended behavior), it will never be patched for people still running old EOL versions of Windows. (You know they're out there.) And also for people who got tired of Microsoft's bullshit and turned off updates completely. At least with Linux, if you were using a really, really old kernel, once the patch is released, you could download the appropriate version of kernel source, apply the patch yourself (adjusting for code drift), then compile and install it.

      This is also an argument against creating a new operating system with an original design. There will always be bugs, but at least if you start from an existing operating system design, the really stupid design bugs will likely already be shaken out. Lucky for Apple that they tried and failed twice before NeXT became the basis for their new OS. I'd hate to imagine what a security minefield Copland could have been. (Note that their most recent notable bug is from the most recent major point release ignoring decades of what "*" means in the password file.)

    7. Re:Not patchable, really? by Anonymous Coward · · Score: 1

      I just read another post here that says the thing being exploited first appeared in Vista. So it's not quite as bad as I was thinking. XP is the 800-pound post-EOL gorilla, and nobody in their right mind should want to run Vista at all, especially EOL.

      And apparently it requires a particular service to be running, which should be easy for the 99.999% of people who don't use NTFS Transactions to simply turn it off. On my Windows 7 gaming computer it was set to Manual. Yeah, let's just completely disable this useless piece of bullet point fodder. There, that's better.

    8. Re:Not patchable, really? by MrMr · · Score: 1

      About 2% of the people you meet outside Africa are Neanderthal. See: https://genographic.nationalge...

  14. You still need the admin password, right? by AlanObject · · Score: 4, Interesting

    Trying to understand this. Basically NTFS Transactions are a deprecated feature, but this amounts to little more than monkeying with the in-RAM read cache of an executable file.

    Well great. In order to do that I have to have access to the system at some level in the first place. So this exploit technique is only really viable if you have either an inside job or a leaked password. And it isn't clear to me that you don't need an admin-level access to use that API as well.

    Unless I missed something this doesn't seem like that hot an issue.

    1. Re:You still need the admin password, right? by Anonymous Coward · · Score: 0

      Unless I missed something this doesn't seem like that hot an issue.

      Yeah, because privilege elevation exploits on windows are soooo farfetched... never happened before. Except it did.

    2. Re:You still need the admin password, right? by Cephacles · · Score: 2

      It also appears this attack needs the Distributed Transaction Coordinator service to be running, which is rarely used. The linked Microsoft article on NTFS transactions says it uses DTC. I always turn that service off to Manual or Disabled, otherwise it just wastes resources and slows boot time. Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

    3. Re:You still need the admin password, right? by StormReaver · · Score: 1

      In order to do that I have to have access to the system at some level in the first place.

      This is Microsoft Windows, the Swiss Cheese of operating system security. Attackers most likely already have this for any given machine.

      So this exploit technique is only really viable if you have either an inside job or a leaked password.

      See answer to quote #1 above.

      And it isn't clear to me that you don't need an admin-level access to use that API as well.

      See answer to quote #1 above.

    4. Re:You still need the admin password, right? by AlanObject · · Score: 1

      Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

      I think that was the whole point of why this new exploit sounds so scary. Nothing gets written to disk so it isn't "traceable."

      The thing is if you are able to inject your own code to run in a system in the first place, you can do it again and again as long as the owner of the system isn't aware of it and doesn't change anything. I can see the appeal of that; it would allow an attacker to set up a temporary base that would be devilishly hard to trace back to the system that injected it. At least if all you had to go on was the infected system itself.

      Of course if you have decent IDS that covers both inside and outside jobs that is really not much added safety for the bad hombre. But not that many sites have that.

  15. Windows IFS model allows other filesystems by Anonymous Coward · · Score: 0

    Ext2IFS_1_12.exe is an example of it (even CDFS is) & the Windows Installable File System model https://en.wikipedia.org/wiki/Installable_File_System/ proves it for you!

    * That executable for Ext2 can be downloaded from many spots online https://duckduckgo.com/?q=Ext2IFS_1_12.exe&t=hf&ia=web/ IF You want Linux filesystems online inside Windows for example!

    APK

    P.S.=> ... & "there ya go" PLUS Windows, over time, has support for MANY different filesystems (some removed/deprecated like HPFS from OS/2 iirc)... apk

    1. Re:Windows IFS model allows other filesystems by Zontar+The+Mindless · · Score: 2

      First, pretend that you have a job.

      Now, pretend that you have to persuade IT at your job to let you install a filesystem different to the one everyone else in the company is using.

      Let us know how it goes.

      --
      Il n'y a pas de Planet B.
    2. Re:Windows IFS model allows other filesystems by Anonymous Coward · · Score: 0

      Whoop-de-do. Windows has support for a nearly obsolete filesystem with no journalling, and various size and other restrictions, which is no longer being developed, having been effectively replaced with ext4 or at least ext3.

  16. All Windows Versions by PoopJuggler · · Score: 1

    So it works on Windows 3.0?

  17. All Windows Versions by hcs_$reboot · · Score: 1

    At last, something fully backwards compatible in Windows.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  18. spot the shill by jmccue · · Score: 1

    Well it is Friday evening here, another Windows vulnerability found, it is time for a Drinking Game.

    "Spot the shill", you should be able to guess the rules now

    1. Re:spot the shill by Anonymous Coward · · Score: 0

      Ok I will go for it.

      unpatchable my eye. Right up until MS lets the scanner have access to that function too.

    2. Re:spot the shill by Anonymous Coward · · Score: 0

      so....... you're the shill? don't address.... distract. clever.

  19. The NSA is overdoing it man! by Anonymous Coward · · Score: 0

    Way too many vulnerabilities all across the board lately. Maybe now that Obama is out, all the backdoors from the last 8 years are finally getting exposed and closed.

  20. Mac is company-approved Unix by raymorris · · Score: 0

    > Windows is used by people who either don't have a choice, BECAUSE THEY WORK FOR A BIG COMPANY, or are lazy. *nix is used by computer skilled people. Mac is the Unix used by skilled people who work for big companies.

  21. This will eventually get exploited, guaranteed by Anonymous Coward · · Score: 0

    And when it does, the landscape may forever be changed. Hopefully this will be the straw that breaks microsofts back. My pitch fork has been sharpened!

    1. Re:This will eventually get exploited, guaranteed by Anonymous Coward · · Score: 0

      Only FreeBSD mascot uses a pitchfork, are you a mascot?

    2. Re:This will eventually get exploited, guaranteed by Anonymous Coward · · Score: 0

      I am pretty sure that the FreeBSD mascot holds up a trident. Those are three-pronged, as opposed to a fork.

    3. Re:This will eventually get exploited, guaranteed by Anonymous Coward · · Score: 0

      Indeed. Four prongs is a fork, three prongs is a threek.

  22. All versions of windows by dougg76 · · Score: 1

    This is amazing. It's the first thing I ever heard of that can work on all versions of windows. They should patent that and make bank.

    --
    I laugh at inappropriate times.
    1. Re:All versions of windows by Anonymous Coward · · Score: 0

      Hmm, there are some. Visicalc runs on all versions of Windows:
      https://en.wikipedia.org/wiki/VisiCalc

  23. Re:So... MAC by Anonymous Coward · · Score: 1

    The main problem is that Windows doesn't have a proper implementation of Mandatory Access Control that really works. Linux has multiple ones e.g. SELinux and AppArmor.

    MAC can prevent this attack since it could prevent the modification of a file by a different process that isn't allowed to do that.

  24. Can't be patched? (Rubbish) by Anonymous Coward · · Score: 1

    I'm sure that not instantiating a process from an uncommitted NTFS transaction wouldn't break many legitimate programs.

    Only creating processes from files that are not also being written to would work equally well within the kernel.

    Both paths sound like they would ensure that virus software can pick up the dodgy behavior.

    A creative attack though.
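The visibility problem the summary quotes (a scanner that reopens the image by path sees the committed file, while the loader maps the transacted one) and the loader-side fixes proposed in this comment, modelled as an added Python toy. This is an added example, not code from the article, from enSilo or from Windows; the file store is a stand-in for TxF isolation, not the real API, and every path, file content and "known bad" hash is constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FileStore:
    """Minimal model of a volume with transaction isolation (stand-in for TxF, not the real thing)."""
    committed: dict                               # path -> bytes that every plain open sees
    pending: dict = field(default_factory=dict)   # tx id -> {path: bytes} seen only through that tx
    next_tx: int = 1

    def begin(self) -> int:
        tx, self.next_tx = self.next_tx, self.next_tx + 1
        self.pending[tx] = {}
        return tx

    def write(self, tx: int, path: str, data: bytes) -> None:
        self.pending[tx][path] = data             # invisible outside the transaction until commit

    def read(self, path: str, tx: Optional[int] = None) -> bytes:
        if tx is not None and path in self.pending.get(tx, {}):
            return self.pending[tx][path]         # transacted view (what the loader maps)
        return self.committed[path]               # committed view (what a path-based open sees)

    def in_uncommitted_tx(self, path: str) -> bool:
        return any(path in writes for writes in self.pending.values())

    def rollback(self, tx: int) -> None:
        del self.pending[tx]                      # the modified bytes never reach the disk

    def commit(self, tx: int) -> None:
        self.committed.update(self.pending.pop(tx))


LEGIT = b"LEGIT-PROGRAM"                          # constructed stand-in for a legitimate image
PAYLOAD = b"KNOWN-BAD-PAYLOAD"                    # constructed stand-in for a known-malicious image
SIGNATURES = {hashlib.sha256(PAYLOAD).hexdigest()}  # constructed "known bad" hash set


def scan_by_path(store: FileStore, path: str, tx: int) -> bool:
    """Naive scanner: reopens the image by its path, outside any transaction."""
    return hashlib.sha256(store.read(path)).hexdigest() not in SIGNATURES


def scan_by_handle(store: FileStore, path: str, tx: int) -> bool:
    """Hardened scanner: reads the same transacted view the loader is about to map."""
    return hashlib.sha256(store.read(path, tx)).hexdigest() not in SIGNATURES


def create_process(store: FileStore, path: str, tx: int, scanner,
                   refuse_uncommitted: bool = False) -> Optional[bytes]:
    """Loader model: returns the mapped image bytes, or None when creation is blocked."""
    if refuse_uncommitted and store.in_uncommitted_tx(path):
        return None                               # policy fix: never execute an uncommitted file
    if not scanner(store, path, tx):
        return None                               # scanner verdict
    return store.read(path, tx)                   # the section is built from the transacted view


def image_differs_from_disk(store: FileStore, path: str, mapped_image: bytes) -> bool:
    """Post-hoc forensic check: the in-memory image no longer matches the file at its path."""
    return hashlib.sha256(mapped_image).digest() != hashlib.sha256(store.read(path)).digest()


def run_scenario(scanner=scan_by_path, refuse_uncommitted: bool = False) -> dict:
    """Overwrite inside a transaction, create a process, roll back; report what each side saw."""
    path = r"C:\Windows\System32\legit.exe"       # constructed path
    store = FileStore(committed={path: LEGIT})
    tx = store.begin()
    store.write(tx, path, PAYLOAD)
    image = create_process(store, path, tx, scanner, refuse_uncommitted)
    store.rollback(tx)                            # no trace left on disk either way
    return {
        "process_image": image,                   # bytes the process runs, or None if blocked
        "disk_after": store.read(path),           # what a later on-disk scan finds
        "memory_mismatch": image is not None and image_differs_from_disk(store, path, image),
    }


if __name__ == "__main__":
    for name, kwargs in [("path-based scanner", {}),
                         ("handle-based scanner", {"scanner": scan_by_handle}),
                         ("refuse uncommitted files", {"refuse_uncommitted": True})]:
        print(name, run_scenario(**kwargs))
```

With the path-based scanner the payload runs while the disk still shows the legitimate file, which is why only a memory-versus-disk comparison catches it afterwards; either loader-side fix stops the process from being created at all.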

  25. Don't you dare belittle my beloved BSD! by Anonymous Coward · · Score: 0

    Oh, and Plan9 FTW!

  26. Macs are not meant to be used. by Anonymous Coward · · Score: 0

    Apple is a jewelry manufacturer.
    It is just by sheer accident that there is still a computer well-hidden inside.

    Don't worry. It will soon be gone. About the same time, when the screen of the iPhone is replaced by a huge boom-box-sized razor-thin mirror, because that is all that matters. "iPhonez in da hood!"

  27. btrfs full works under windows now! by Anonymous Coward · · Score: 0

    Even as a boot medium!

    Of course the problem is that it's ... btrfs.
    The fs, where you can't even find out how much of a subvolume quota is used up, without doing essentially a recursive `du` on it.

    But hey, you can also ditch Windows, use the glorious ZFS, and waste 1GB of RAM on every TB of storage you have! :P

  28. They wish they were Neanderthals. by Anonymous Coward · · Score: 0

    Neanderthals were intelligent social humanoids.
    MS are more like lizard-lamprey-blobfish parasites.

  29. Only Vista OS up to Win10 are vulnerable by Anonymous Coward · · Score: 0

    According to msdn.microsoft.com, all APIs used in this attack are only available from Vista and up.
    Which means XP and older, which don't support transactional NTFS, aren't affected.

  30. Re:Only Vista OS up to Win10 are vulnerable by Anonymous Coward · · Score: 0

    True, here's the source: https://msdn.microsoft.com/en-us/library/windows/desktop/bb968806%28v=vs.85%29.aspx

    Run-time requirements
    TxF is available starting with Windows Vista.

    TxF functions are not included in XP Kernel32.dll

  31. Amazing by Anonymous Coward · · Score: 0

    I'm constantly amazed about the absolute inability of every OS maker on earth to get even the most basic security features right. I know, I know, there is no such thing as bug-free code. But NASA and the aircraft industry still have fewer problems with bugs in critical systems. There is nothing wrong with bugs in non-critical systems, but what contemporary OSes illustrate is just ridiculous. They are programmed in unsafe languages (no memory safety, no safe concurrency, unreadable and hard to maintain) and whenever some complete exploit has been fixed the next one is just at the doorstep.

    And the reason is very simple: There is 0 accountability of these companies for their criminal negligence. If anybody can pawn your OS with a one-liner or by using "root" with no password, you'd expect someone at the company who produces the OS to get into trouble, maybe even go to prison. Yet nothing happens. Imagine an engineer who suffers no consequences when the bridge he's calculated breaks down! "Software engineers" my ass.

    1. Re:Amazing by Anonymous Coward · · Score: 0

      Civil Engineers should print out a huge disclaimer before entering the bridge. That's how they do it in the software world.

      captcha: screwed (that's how you hang up a disclaimer in a bridge)

    2. Re:Amazing by Anonymous Coward · · Score: 0

      Please read this End User License Agreement carefully and in its entirety before entering the bridge: <120 pages of legalese gibberish>

    3. Re:Amazing by omnichad · · Score: 1

      But NASA and in the aircraft industry still have less problems with bugs

      How many external attacks are there on the systems? All NASA has to do is not include legacy MacOS binary compatibility to keep spacecraft relatively virus-proof.

    4. Re: Amazing by Anonymous Coward · · Score: 0

      I suggest you read up on the Burroughs and the ICL mainframes.

      Just because Unix and Windows are done in this portable assembler means little.

      Also there are efforts at proving the entire OS, compilers etc. correct. See seL4 and the INRIA C compiler.

      As soon as we are willing to ditch the bell labs crap, we have serious options.

      Also see integrity 178.

    5. Re:Amazing by Anonymous Coward · · Score: 0

      NASA just uses linux...

    6. Re: Amazing by Brockmire · · Score: 1

      You're comparing a specific, critical embedded system intended for operation in space from millions of miles away to be the same as a general purpose desktop operating system sold for free to cheap? Are you fucked in the head? Do you expect heart surgery by your nurse?

    7. Re: Amazing by vux984 · · Score: 1

      It's even stupider than that. The critical embedded system in deep space has about zero malicious hackers analyzing it and attacking it.

      And this particular Windows flaw would not be much of a risk on a computer floating in deep space.

  32. Ungood! by JustAnotherOldGuy · · Score: 1

    The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

    Yes, I'd say that qualifies as "bad news". This is ungood, and yet another reason to switch to another OS.

    Seriously, after all this time the fucknutz at Microsoft have managed to create a vulnerability that's baked in to every version of Windows, their flagship product?

    --
    Just cruising through this digital world at 33 1/3 rpm...

  33. I point out fact you can't overcome... apk by Anonymous Coward · · Score: 0

    See subject: I never said anything about work/job. I only point out fact that Windows IFS allows diff. filesystems.

    You're clearly unable to show otherwise.

    * Additionally: Obviously (unlike YOU 'wageslave') you don't realize I haven't had to work for ANYONE in a decade++ & my monies work for ME (not the other way around - I'm past that, you're not)).

    HOWEVER - As far as that is concerned? I almost GUARANTEE you've never done as much as I have in this field NOR will you ever!

    APK

    P.S.=> Trolling me is a waste of your time ZontarTheMindless - you name yourself rather aptly - after all, I always make YOU (& "your kind", fake names for fake lives) EAT YOUR WORDS -> https://slashdot.org/comments.pl?sid=5033597&cid=46760611/ & yes you blow all your "downmodpoints" on downmodbombing me (which I RUN YOU DRY OF easily by reposting (NO LIMITS on my posting unlike most ac's)) https://slashdot.org/comments.pl?sid=10878741&cid=54858603/ + https://slashdot.org/comments.pl?sid=10878741&cid=54835069/ ... apk

    1. Re:I point out fact you can't overcome... apk by Zontar+The+Mindless · · Score: 1

      No, I *could* have mod-bombed you, but you were providing us some fine entertainment by trolling yourself, so why bother.

      --
      Il n'y a pas de Planet B.

  34. Windows is a wide-open door, can never be closed by Anonymous Coward · · Score: 0

    according to the discoveries in this research. If you use Windows, anyone who wants to can get inside your computer.

  35. Ok - Design one yourself then! apk by Anonymous Coward · · Score: 0

    See subject: However, what stops "YOUR KIND" (the UNIDENTIFIABLE trolling worm)? A lack of SKILL + WILL to do so.

    * I merely pointed out fact that Windows DOES support multiple filesystems & CAN SUPPORT MORE via IFS!

    APK

    P.S.=> Truer words were NEVER spoken on /. (& you KNOW it, lol) - me, by way of comparison? I do stuff our /. peers even LIKE & USE https://slashdot.org/comments.pl?sid=11420419&cid=55704671/ - "your kind" can't & doesn't! apk

    1. Re: Ok - Design one yourself then! apk by Brockmire · · Score: 1

      And it was merely pointing out your posts are useless and unnecessary. No one gives a shit what you post, most times it's nonsense. Now get off the rag and stop being a whiny little bitch.

  36. Re: Curry eater English by Brockmire · · Score: 1

    Snippy, motherfucker, snippy.

  37. Re: parade of idiots by Brockmire · · Score: 1

    Please use capital letters next time you feel like insulting someone. I give zero fucks to people who can't do very, very basic English.

  38. Brockmire STFU & have some manners! apk by Anonymous Coward · · Score: 0

    See subject: Talking w/ your mouth full isn't polite as you EAT YOUR WORDS https://slashdot.org/comments.pl?sid=10557875&cid=54347839/ I made you eat!

    (... & anyone can read what you said before it laughing @ you afterwards - I surely did!).

    * You make it SO easy to laugh @ you it's not even funny anymore!

    STUPID - learn to read - the guy I replied to said Windows ought to allow other filesystems & guess what? IT DOES, you dumbass!

    APK

    P.S.=> You'll die of malnutrition vs. me Brockmire as EATING YOUR WORDS != Good nutrition, lol... apk

  39. Re:NTFS Transactions have been deprecated for year by jdschulteis · · Score: 1

    Per MSDN:

    Microsoft strongly recommends developers utilize alternative means to achieve your application’s needs. Many scenarios that TxF was developed for can be achieved through simpler and more readily available techniques. Furthermore, TxF may not be available in future versions of Microsoft Windows.

    Looks like the future needs to be now.