Slashdot Mirror


Microsoft Obliquely Acknowledges Windows 0-day Bug Published on Twitter (arstechnica.com)

A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. From a report: The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system. Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.


  1. Headline misleading by Geoffrey.landis · · Score: 2

    Unless there's more than is in the summary, the headline should read "Microsoft does not Acknowledge Windows 0-day Bug Published on Twitter".

    --
    http://www.geoffreylandis.com
    1. Re: Headline misleading by tysonedwards · · Score: 1

      It's the use of the phrase "(and it's certainly real!)" that has some thinking: the privilege escalation bug is real, but not acknowledged, so wait for Patch Tuesday and let's see what happens.

      --
      Thirty four characters live here.
    2. Re:Headline misleading by Desler · · Score: 1

      No, this is New Here.

  2. Re:Microsoft OS is insecure by ArchieBunker · · Score: 3, Interesting

    As soon as Adobe makes a Linux build of their suite I'll switch over. Might as well call up SolidWorks and Pro/E while you're at it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  3. Microsoft Obliquely accepts Linux by Anonymous Coward · · Score: 1

    I mean, if we're going to spin words here...

  4. Re:Microsoft OS is insecure by Desler · · Score: 2

    Exactly. Nerds need to learn that users care about applications not the OS. It's why so many are fine with ChromeOS despite it being "not real Linux" which is only of concern to dorks.

  5. This person got sick of MSFT bug submission by guruevi · · Score: 2

    If you see the comments and write up in the documents and demo he released. It's fairly easy to exploit, in lay terms: the Task Scheduler read/writes to a location as SYSTEM and you can ask it to write any permissions to that file. Since the location of that file is publicly accessible for everyone, you could replace a job file with a DLL and then the system will write permissions for it to be executable as SYSTEM.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  6. Re:Microsoft OS is insecure by Killall+-9+Bash · · Score: 2, Interesting

    I work in IT.

    Everyone loves ChromeOS. And then they ask "so how do i install outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"

    The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  7. Re: Microsoft OS is insecure by Desler · · Score: 1

    All people that use OSS says the code is better looked, all bugs are corrected on the fly....etc....etc.

    That was definitely what is claimed but one only has to look at the OpenSSL and X.Org codebases to know those claims were false. Both are dumpster fires of poorly written, insecure code.

  8. Another HUGE Windows 10 problem. by Futurepower(R) · · Score: 2

    Windows 10 will soon force monthly charges.

    Basically, if there is a monthly charge for Windows 10, Microsoft will make more money if there are more bugs in updates. They will apparently fix the bugs only for those who are paying monthly.

    1. Re:Another HUGE Windows 10 problem. by Desler · · Score: 3, Interesting

      The Microsoft Managed Desktop which is what those articles discuss will not be forced on to anyone and is specifically being targeted to business users. Nowhere in the Mary Jo Foley article does it say that anyone will be forced into the service. What you're spreading is actual fake news.

    2. Re:Another HUGE Windows 10 problem. by jezwel · · Score: 1

      Basically, if there is a monthly charge for Windows 10, Microsoft will make more money if there are more bugs in updates. They will apparently fix the bugs only for those who are paying monthly.

      I find this interesting as essentially this is what most companies already do with software, though on a different scale - annual maintenance charges that provide bug-fixes and updates. Many are moving to monthly fees so that the user has "more flexibility" around how much of a service they want to consume.
      Oops, your monthly charge is usually a fair bit more than an annual charge divided by 12 months. You've got all that extra flexibility remember?
      Anyone need full time access? Coincidentally your monthly fee paid annually is more than maintaining a perpetual licence...
      Been using a product for a few years, and have embedded it into your processes and workflow? Must be time for (yet another) price increase!

      Back OT. Monthly charges should be low enough that users are fine with the cost - a couple dollars here or there will easily slide under the radar, plus shareholders have a smoothed out (and greater) profit delivery that is less dependent on new releases.
      Now, your supposition that there is money to be made by having more bugs? Potentially true - get your subscriber count high as they need your bugfixes. Sounds like a predatory business model.
      Regulation that forces vendors to return $$$ or credit subscribers (more likely) where there is disruption to their paid service will need to be created. The chances of that seem pretty small though.

  9. Re:Microsoft OS is insecure by Desler · · Score: 1

    The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).

    Where in my post did I say anything about business users? And nowhere did I say all users would be fine with ChromeOS. Lastly, all those things you mention are application-layer programs which feeds into my point that the user couldn't care less about the OS when it's the programs they want to use that matter. The applications drive what OS they use not the other way around. Which is why users are willing to continue to put up with Windows despite many people disliking it.

  10. Re: Microsoft OS is insecure by Anonymous Coward · · Score: 1

    Remember Windows does a lot more. Linux kernel + all drivers + X Windows + GNU Userland + Open SSL + KDE/GNOME project + package management systems + other misc xwindows tools (xdm, xterm etc) + backwards compatibility layers is the rough equivalent of a typical Windows desktop installation.

    Of COURSE the Linux kernel has a lot less bugs than all that code. Same as the Windows Kernel has a lot less bugs in it than Windows as a whole.

  11. Re:Microsoft OS is insecure by 93+Escort+Wagon · · Score: 1

    And then they ask "How do I allow this ActiveX control?"

    Who still uses ActiveX? Do you live in Korea?

    --
    #DeleteChrome
  12. Re:Microsoft OS is insecure by dissy · · Score: 5, Interesting

    I work in IT.

    Everyone loves ChromeOS. And then they ask "so how do i install outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"

    The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).

    I work in IT too, and I found an excellent use for ChromeBooks. Remote access.

    Both remote desktop and our VPN client are available on the chrome store.
    Full laptop form factor chromebooks run $300, compared to a full fledged windows laptop from HP closer to $1000

    Once VPNed in, you can remote to your desktop or VM instance and do everything you would in the office, except perhaps full multi-monitor support.

    No one asks how to install Outlook because they already have it.
    No one really asks for ActiveX controls either, as the local apps using them have those controls pushed out to IE already, and anything else likely will gain a "no" reply.
    Same for the printers, office printers are installed with clicking a link on our intranet site, and home printers connected to the chromebook are forwarded over remote desktop to print to.

    Plus there are no worries about a windows laptop offsite being joined to the domain.
    No stupid syncing group policy except while logged in, no windows update errors due to not finding the WSUS server, no downloading updates over the VPN when it can find the WSUS server, no locally stored data to secure or backup or worry about being lost, no worries that Windows will expire the local SAM cache and tell the user they can't login to the laptop until after they login to the laptop and VPN in...

    They also have much lower end and simpler chromebook hardware in the $100-200 range.
    Not quite laptop form factor fully, but at a price point to be almost disposable.

    Maybe your infrastructure doesn't allow for this type of setup, and I can only vouch for the Cisco AnyConnect VPN client, but that doesn't mean there are no business use cases for the things.

  13. Questions: 1) Charging later? 2) No control? by Futurepower(R) · · Score: 2

    Questions:

    1) Do you think Microsoft won't begin charging everyone later? That's what Adobe Systems did after releasing Creative Suite version 6. It is now Adobe Creative Cloud.

    2) Will "business users" want Microsoft to have more control over their computers?

  14. Re:Microsoft OS is insecure by iggymanz · · Score: 2

    and AutoDesk and MasterCAM, let's move the whole industry over

  15. Re:Microsoft OS is insecure by Eravnrekaree · · Score: 1

    I never understood why these companies do not simply write their software using Qt so that it will work across the operating systems, it makes financial sense to maintain just one code base that will run on all OSs.

  16. Re:Microsoft OS is insecure by Bert64 · · Score: 2

    So switch to Mac, there is a build of their suite available there.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  17. Re:Microsoft OS is insecure by Bert64 · · Score: 1

    A lot of corporate users use outlook web access, which works fine in chromeos...
    A lot of users use gmail, which works fine in chromeos.

    Very few activex controls are still out there, i've not encountered any of that crap for years...

    If you're going to buy a chromebook, you buy a compatible printer to go along with it, assuming you actually need to print something. Most consumer printers are cheap and disposable and regularly replaced because they fail or become incompatible with the latest os updates.

    There are lots of users for whom chromeos works great, in fact there are many users whose only interaction with the internet is from a mobile device and have never used a traditional computer at all.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. Re:Microsoft OS is insecure by Bert64 · · Score: 2

    And also a lot more secure, if a remote user connects them to a random free wifi network the chance of them being compromised and becoming a foothold on your corporate network is massively reduced.

    A corporate windows (or macos to a lesser degree) laptop connecting to a third party wireless network often leaks a LOT of information at the network level (eg it tries to perform dns lookups for your internal domain), and often contains a lot of data that can be extracted. A chromebook will do none of these things, and is far less likely to be compromised in any case.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  19. Re: Microsoft OS is insecure by Bert64 · · Score: 1

    There would still be problems, but security would still be better because you'd be starting from a better base...

    Windows has a lot of bad legacy design, and then lots of cruft bolted on top trying to implement security alongside a system that was never designed with it in mind (I'm referring to windows specifically and all the crap that's been inherited from dos and win3x/9x, not NT which although a more sensible design has had the aforementioned cruft bolted on top of it).

    You have massive complexity, design flaws that cannot be fixed without breaking compatibility, and a lot of legacy hanging over from a system which didn't even have a concept of users or privileges.

    Windows still stores passwords using an unsalted algorithm, and still allows authentication by hash (so effectively it stores plain text passwords)...
    Windows still runs several highly complex network-listening services by default at a high privilege level and which are hard to turn off (they recommend hiding the problem with a firewall rather than actually fixing it by removing the services).
    The sheer complexity makes it extremely difficult to manage and monitor, new techniques are constantly being discovered and no one knows the whole system well enough to truly understand what's going on. Linux is extremely simple by comparison.
    Windows users are expected to download and run arbitrary binaries, although there is now a repository system in the form of the windows store it is still not widely used. Downloading random binaries requires a high level of technical literacy in order to verify the legitimacy of the site and the binaries downloaded.

    So the whole world using linux wouldn't be perfect, but it would be better... A good example of this is Android, while there are malware problems on android in reality they are very few and far between compared to windows, despite the huge number of active android devices.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. Re: Microsoft OS is insecure by Bert64 · · Score: 1

    A typical linux distro on the other hand comes with a lot more tools than windows does...

    The Linux kernel also does a lot more than the windows kernel, it has many more features, runs on a much wider array of hardware and includes drivers for a lot more hardware (windows drivers are typically provided by third parties).

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  21. Re:Microsoft OS is insecure by ArchieBunker · · Score: 1

    I think my next build is going to be ESXi based so I can run OSX without too many hardware headaches. Keep a Windows VM for when you need it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  22. More complete vulnerability description by Anonymous Coward · · Score: 1

    This is /. so you don't have to oversimplify.
    What's actually going on is that the task scheduler has an API that allows you to set the DACL (discretionary access control list, the list of permissions for various user accounts or groups) for a task's folder and .job file in the Tasks folder. Since the task scheduler runs under the system account, it should impersonate the caller when doing so, since otherwise when setting the permissions, the kernel will check if system, rather than the caller, is allowed to set the specified permissions. This is done correctly for the folder, but due to an oversight the task scheduler doesn't impersonate the caller when setting the DACL on the .job file.
    Now, any user can create a job and were it not for a bug like this one there'd be no reason to disallow this since the job would only run with privileges that were already available in some way to the user creating the job in the first place. But this fact can be used to exploit the bug, by dropping a hard link to some file in the Tasks folder and then using the API to set a new DACL on it. Because of the bug you can gain write access for files that are normally read-only for you and on which you normally cannot set a new DACL.
    The scenario used by the POC is as follows: Locate a dynamic link library that gets loaded into a process running as system. These are normally shielded from modification by normal users and even system, because normally only TrustedInstaller can modify these files. It's important it isn't already loaded, otherwise we'll get a sharing violation later when we try to edit it. Drop a hard link to this dynamic link library into the Tasks folder and edit the DACL to give you write access. Modify the dynamic link library to contain your exploit code. Perform whatever action needed to trigger loading the library, and presto!
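
Added example (not part of the comment above and not code from the thread or the PoC): a defender-side check for the precondition that comment describes, a hard link planted in the Tasks folder. It reports any regular file there whose link count is above one; the `C:\Windows\Tasks` default, the function names and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumption: the legacy Task Scheduler folder the comment calls "the Tasks folder".
DEFAULT_TASKS_DIR = r"C:\Windows\Tasks"


@dataclass
class Finding:
    path: str
    links: int  # number of directory entries pointing at the same file


def scan_tasks_dir(tasks_dir):
    """Return regular files under tasks_dir that have more than one hard link.

    Assumption: a .job file the scheduler wrote normally has a single name.
    A link count above one means the same file is also reachable under
    another path, which is the setup the comment describes.
    """
    findings = []
    for root, _dirs, files in os.walk(tasks_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable, or removed while scanning
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                findings.append(Finding(path, st.st_nlink))
    return findings


def demo():
    """Constructed sample: one ordinary job file and one hard-linked entry."""
    with tempfile.TemporaryDirectory() as tmp:
        tasks = os.path.join(tmp, "Tasks")
        os.mkdir(tasks)
        protected = os.path.join(tmp, "protected.dll")  # stand-in, not a real DLL
        with open(protected, "wb") as fh:
            fh.write(b"constructed sample")
        with open(os.path.join(tasks, "backup.job"), "wb") as fh:
            fh.write(b"constructed sample")
        os.link(protected, os.path.join(tasks, "update.job"))
        return [(os.path.basename(f.path), f.links) for f in scan_tasks_dir(tasks)]


if __name__ == "__main__":
    for finding in scan_tasks_dir(DEFAULT_TASKS_DIR):
        print(f"{finding.path}: {finding.links} hard links")
```

On Windows, `fsutil hardlink list <path>` prints the other names of a flagged file, which shows what the extra link points at.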

  23. Re:Microsoft OS is insecure by Killall+-9+Bash · · Score: 1

    Who still uses ActiveX?

    Banks. Yes. I agree with your look of horrified realization.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016