No, it's not hard to press CTRL+ESC to open the start menu. Also, that key gets in the way sometimes when I'm playing games; I accidentally press it, minimize the game and curse at the 'convenience' of the Windows key. Still, some of the Windows key + other keys (like WK+E to open an explorer window) are nice. Here are some more. How to disable.
The point I was trying to make is that it should be virtually impossible for a printer driver or spooler to take down the OS (under normal use). I'm obviously not an MS Windows fan but this really surprised me. I've had pretty good luck with Windows 2K (not so much with XP) and being able to repeatedly crash (I did it three times to prove it was consistent) the OS by printing a PDF just blew me away.
I agree that it is silly for a printer driver to be able to crash the entire system. I guess Microsoft wasn't thinking about stability when they moved most of win32 into kernel mode, along with some of the printer drivers. No, you don't want this happening in a critical application.
My setup isn't the same as yours, but I tried to print to an unplugged usb hp deskjet 920c connected to an xp machine over the network from another xp machine, and it didn't blue screen. No errors either, it just sat in the print queue. Which computer is crashing? The print server or the workstation? How is the printer connected to the print server? Does the blue screen have a useful message? (a record of it should be in the event log.)
Before NT4, printer drivers (and video drivers) were in user mode. Since NT4, MS decided to move the win32 subsystem into kernel mode (to reduce overhead), along with video drivers and some printer drivers. Printers are considered another type of video output device. Here is a Microsoft article about it. For stability, I wish they were all in user mode.
What makes you so sure it is Windows's fault, and not some crappy printer drivers? Which printer are you using?
If you were updated, how did you get Sasser? I guess your network wasn't secure (enough) if someone else was already infected.
Oh, and INCOMING traffic is not the worst that happens. It is OUTGOING traffic that gets you in trouble.
What, for spyware? Or are you saying sites that you go out to? You can only get a worm if you have a gross vulnerability in your web browser (or some other client software) that runs malware, you run it yourself, or you leave incoming ports open. How did you get infected?
Erm, yes they do, at least under NT 4.0 Workstation and 2000 Professional with default settings.
I don't have a NT4 or 2k workstation near me, but my xp computer doesn't allow members of the users group to create files in the windows directory.
True, although it stops a lot of standard software from working, including the drivers for my scanner. Funnily enough, I don't want to have to log in as administrator to use my scanner.
The drivers would run in kernel mode. If you're talking about the user interface, then there are workarounds. Use the SUD program in the second link to create a shortcut to start only your scanner software as an admin. Something like:
su -u Administrator -p password -c scanner.exe
Or at least run IE specifically as a lesser user.
Good post. The culture differences between Windows and UNIX are just like you said. I wish MS would crack down on ignorant developers too, but it really isn't their job; the users should be complaining more. Microsoft's own software is usually pretty good about it. Games are the worst. UNIX has commands like su to run programs that require extra privileges. Windows has runas, psexec, and sud. When I find something that doesn't behave as a lesser user, I create a simple shortcut that uses sud to start that one program as admin or some user with just enough access. It's not perfect but it works.
That works, or you can just disable ActiveX in the 'Internet' security zone and enable it in the 'Trusted' zone; then add windowsupdate.com to the trusted zone. That's what the zones are for. And you can add/remove domains any time you want.
I myself had a Java based trojan install an ftp daemon in my system folder with an INI file that had accounts named 'xdcc-warez' etc. I am very secure, but I wouldn't have known about this intruder unless my firewall had reported the ftp daemon opening the port.
Very secure? Running as an Administrator isn't secure. How did it create files in your system directory (assuming %SYSTEMROOT%\SYSTEM32 or anything else under \WINDOWS)? Non-admins don't have permission to create files there. Even if they did, it's not hard to change.
I am all about performance; I will not have adware and virus protection software scanning every file written to my HD, every Word doc I open, email I send, or page I visit. That's ridiculous; not to mention that with all those things off, the services are still there for some reason.
I agree that most AV software (esp. Symantec and McAfee) is way too bloated. Still, with the autoprotect stuff off, there shouldn't be anything resident... I don't know for sure because I'm not running any anti-virus software anyways. Or a local firewall. My NAT router blocks all unsolicited incoming traffic; running my browsers as a lesser user and knowing what I am doing protects me from local attacks. I have had zero viruses, worms, malware, spyware, etc. in the ten-some years I've been using computers. Yes, this includes my Windows computers. It's possible.
On Windows (2k or later) you can use transparent file encryption. You could set your entire cache directory (either Internet Explorer or Mozilla, or any other file) to be encrypted. The key for encryption is based on the user's password: it's not stored on the computer. If you forcibly reset a user's password, the key is permanently lost. It appears to be a normal file to applications, so no support from them is needed.
Not that it would have been terribly useful to the guy in the article, since he apparently didn't even know how to forcibly close windows (without using the close button).
Existing word processors are already so feature-rich I can't imagine ever wanting to buy a new one. Same goes for spreadsheets, presentation makers, even desktop databases.
Eh, I think that any software app can be improved with new innovations. It's hard to see with exactly what right now.
The biggest problem with the Subscription Model is that it takes away the supplier's motivation to make things better. If you are already paying, why would they want to improve the product without getting any more money for it? Worst case, the development of word processors and such will completely stagnate as customers continue paying. Add to that, privacy concerns, inability to fix things yourself, inability to avoid changing versions...
Forget about what happened and your concern of seeing it, and consider the rights of the victims.
You are right. Protecting the victim's rights is an excellent reason; making them a victim again would be wrong.
Assuming (which if I understand the Muslim religion right this is correct) that these people didn't agree to the photo, and also have a prohibition of being seen nude, it is a second wrong to show them without retouching them.
Did anyone ask them if they had a problem with showing the unedited pictures? The safe default would be that they do mind, but perhaps they would want them shown to make their abuse more obvious. The point is that the best we can do is assume what they want. We never get to hear the story in the prisoners' own words. They are people too, and I'm sure they have something to say. Those pictures are the next closest thing.
If these photos are available un-retouched, it must be only to those who have a genuine research need to see them, and then only if no other way of getting the information exists.
Fine, but who gets to decide what legitimate uses are, and which people need the original form for research? I can't think of any group that has the authority but doesn't have a conflict of interest.
Sure most of the pics are re-touched. Tell me the blurriness in all those pictures was caused by something else. If that's ok, more airbrushing and editing isn't such a stretch. If they were just worried about showing nudity on the main page, they should at least provide a link to the originals. No, not because I get off on this kind of thing, but for the sake of offering the original unedited facts.
Here is a link to some. I don't know if it's all of them. (self)censorship seems to be rampant; I can't even find the original photos. Why should we trust the media when they won't even provide access to the original, undoctored pictures? I mean, that's the main evidence, why not give the public access to it so they can draw their own conclusions?
Odd that absolutely none of them mention that debug privileges are required...
This one and this one are both the same vuln. Read the discussion page for 9694 or see http://www.securityfocus.com/archive/1/354392 for a better description. And I quote: It should be noted that a local user would require the SeDebugPrivilege to exploit these issues.
No, I'd say 1 can be considered a DoS, the rest are privilege escalation.
Read the descriptions more carefully. This one causes a memory leak; DoS. This one is possible information disclosure, not code execution. This is another memory leak; a DoS.
I have to disagree. There are some inherent problems with the NT design. Sure, most problems are implementation issues, but there are certainly several design flaws as well.
Design flaws like what? Give me examples. Every object from window, to thread to registry key has a separate ACL. API interfaces are divided into subsystems that all have to use the same system interface. All system calls go through ntdll.dll. All strings use a single format and are sized. NT uses memory protection like any other modern PC OS. All named objects are stored in the object manager. Services like the IO manager use layers to abstract functions.
I can't agree with that. If something must be run in kernel mode, it should be considered part of the kernel.
*sigh* There is really no point to argue the definition of a kernel. You are right though, if a vuln exists in something with the privileges of the kernel, it might as well be part of the kernel from a security standpoint. I think the discussion originally made the statement that no vulns exist in the kernel itself (ntoskrnl.exe); not including optional modules. You found some. The difference is that you can choose to not use optional modules, you can't choose to not use the kernel.
As for things that must be run in the kernel, a microkernel architecture should have almost nothing. MS traded safety for less overhead by moving so much into kernel mode. I agree that there is too much. Ideally the user should be able to choose what they want to have where. However, MS has never been one for giving users choices.
There are many, many more that I could have gone through and listed...
Bring 'em on!
First, as pedantic as it may sound, the kernel itself is very much separate from other things that run in kernel mode. Kernel mode drivers are just DLLs.
How about the 'Client Server Run-time Subsystem'?
Otherwise known as the win32 server. Yes, since NT4 most of it moved into kernel mode (win32k.sys) to reduce overhead. Before that, it was all in csrss.exe and csrsrv.dll, both entirely user-mode.
How about Netbios?
netbios.sys does run in kernel mode; it's a network protocol driver. Is it so bad to have a protocol driver in kernel mode?
How about the Virtual DOS Machine (VDM)?
Most of that runs in ntvdm.exe with some kernel support so it can use v86 mode. Surely you want CPU protected mode control in the kernel?
The program iexplore.exe is run in userspace, but the majority of the functions of the browser are not in the program, but in the OS itself. It is certainly not a solely user-space program.
Yes it is. It is integrated with the Windows shell, but not anything in kernel mode. It depends on what you mean by operating system. Most of IE's code is in shell32.dll, mshtml.dll, shdocvw.dll, ole32.dll and browseui.dll; all of which run exclusively in user mode.
The fact that Windows system security is crap should not be used to disregard the Windows Kernel problems, after all, it's the kernel that this thread is all about.
The Windows NT security model is designed quite well; MS's security problems are in their poor implementation. Here is a good post about the difference.
First off, I listed FOUR, count 'em, 4 exploits that affect XP. Second, I clearly said, in no uncertain terms, that this was a quickly-compiled, partial list. I listed less than half the Microsoft kernel exploits my quick search found.
Several of them go to the same vuln; the one that requires the debug privilege that normally only admins have anyway. This one is in CSR not the kernel. This one is in the mup.sys driver, not the kernel. This one is a DoS attack in the netbios driver, not the kernel. This is an uninitialized disclosure of data that would be extremely unpredictable to get anything out of. This is a serious hole. The others are at best DoS attacks, not even privilege escalations. Yes, Microsoft runs too many things in kernel mode, but the kernel itself isn't as vulnerable as you claim. And certainly not by design.
That vulnerability requires the SeDebugPrivilege in order to exploit. It is normally (default) only given to members of the Administrators group. If a program is running as admin, then it is already a huge security hole. See http://www.securityfocus.com/archive/1/354392.
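Since the whole argument above turns on who holds SeDebugPrivilege, here is a check an administrator can run to see which accounts are actually granted it on a machine. This is an added example, not code from the thread; it assumes a local security policy that is not overridden by a domain GPO, and the temporary file name is an assumption.

```powershell
# Added example (not from the thread): list the accounts granted SeDebugPrivilege
# on this machine. Run from an elevated prompt.
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The exported INF has a [Privilege Rights] section with lines such as:
#   SeDebugPrivilege = *S-1-5-32-544
# (SIDs are prefixed with '*'; S-1-5-32-544 is the local Administrators group.)
$line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
Remove-Item $inf -Force

if (-not $line) {
    Write-Output 'SeDebugPrivilege is assigned to nobody on this machine.'
    return
}

$holders = ($line -split '=', 2)[1].Trim() -split ','
foreach ($h in $holders) {
    $h = $h.Trim()
    if ($h.StartsWith('*')) {
        # Translate the SID to an account name so the list is readable.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolvable SID)' }
        Write-Output ("{0}  {1}" -f $h.Substring(1), $name)
    } else {
        Write-Output $h
    }
}

# For the current logon token specifically, whoami shows whether the privilege is
# present and whether it is currently enabled.
whoami /priv | Select-String 'SeDebugPrivilege'
```

Anything beyond the Administrators group in that list deserves an explanation; a service account or ordinary user holding the privilege is exactly the "program running as admin" situation the comment describes.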
That is entirely bogus if you make use of ACLs on your windows. See SetUserObjectSecurity. That's right: every window has a separate ACL that you can use to restrict access. So does every other object on NT. Unfixable, bah! A solution has been available in every version of NT.
It's the [insert application] creator's fault for not implementing them. You'll also notice that no Microsoft software has something running as SYSTEM open windows that can interact with the user; they all use unprivileged client apps. (other than Winlogon and it has its own protections) That makes it even more the app writer's fault and not an inherent system flaw. Notice they exploited some 3rd party virus scanner.
Yes! You put it into words well. NT was designed to be secure, but too many errors in implementing the design make it unsafe.
I am surprised that Microsoft has not made a tool to grep the code for buffer overruns and other potential problems. With all the compiler technology they have, it would be very easy for them.
They are trying; VC++7.1 (2003) has extra buffer overrun checks. I think .NET is Microsoft's eventual plan to fix that type of error at the language level. Also a lot of MSDN documentation warns about unsafe functions like gets(). Still, you'd think they have enough personnel to go over their code very carefully, especially repeat offenders like RPC.
Creating a rule for every standard OS file is the only other option I can think of; but it's impractical. It would take a long time to create a hash of every file, and it would be broken by every update. Some kind of program to turn a group of files into a security template script for GPO would make it practical... I don't know of any such program but it would make an interesting project.
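The "interesting project" sketched above, in its simplest defender form: build a hash manifest of the executable files under the Windows directory once, then diff the live tree against it so that an update (or an unexpected addition) shows up as a list of changed paths instead of a silent break. This is an added example, not code from the thread; the manifest location and the file-extension filter are assumptions, and the CSV it writes is this script's own format, not a security template or a software restriction policy rule set.

```powershell
# Added example (not from the thread): hash baseline of a directory tree plus a
# later comparison. The manifest path and extension list are assumptions.
function New-HashManifest {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.ocx', '.cpl', '.scr' } |
        ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash) {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; SHA256 = $hash.Hash }
            }
        }
}

function Compare-HashManifest {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $base = @{}; foreach ($b in $Baseline) { $base[$b.Path] = $b }
    $cur  = @{}; foreach ($c in $Current)  { $cur[$c.Path]  = $c }
    # Files present now that were not in the baseline, or whose content changed.
    foreach ($p in $cur.Keys) {
        if (-not $base.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added';   Path = $p }
        } elseif ($base[$p].SHA256 -ne $cur[$p].SHA256) {
            [pscustomobject]@{ Change = 'Changed'; Path = $p }
        }
    }
    # Files in the baseline that have since disappeared.
    foreach ($p in $base.Keys) {
        if (-not $cur.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed'; Path = $p } }
    }
}

$manifest = Join-Path $env:ProgramData 'windir-baseline.csv'   # assumed location
if (-not (Test-Path $manifest)) {
    # First run: record the baseline.
    New-HashManifest -Root $env:SystemRoot | Export-Csv -Path $manifest -NoTypeInformation
    Write-Output "Baseline written to $manifest"
} else {
    # Later runs: report what moved since the baseline.
    $baseline = Import-Csv -Path $manifest
    $current  = New-HashManifest -Root $env:SystemRoot
    Compare-HashManifest -Baseline $baseline -Current $current | Format-Table -AutoSize
}
```

Re-run it right after Windows Update and the output is the list of binaries any hash-based rule set would have to be regenerated for, which is the practical cost the comment is pointing at.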
Still, it should be possible to have all users, remote or not, be unprivileged. RDP is like a local connection (for security); users use the same logon. VPN users also have to log on with a specific user too. Even if you allow tunneling for SMB or other services on the VPN, those are securable too. It should be possible for every user to have access to a single, normal account only.
What I'd rather see is a separation between "don't allow files to execute" and "don't allow subfolder traversal" in the ACLs. Then you could deny execute permission to various temp directories without breaking subdirectories.
The reason that those permissions share the same bit is that 'execute' doesn't apply to directories and 'directory traversal' doesn't apply to files. To create an ACE (access control entry) that affects only one, change the way it is inherited. For example, you want to make everything under 'profiles' deny execute permission to 'users'. Open the security tab on the profiles directory, go to advanced, press add. Select users. Change the 'Apply onto' listbox to 'Files only'. Select deny for 'Traverse folder/execute file'. Then press OK, set 'Replace permission entries on all child objects...' (optional), press OK.
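The same ACE as a script, so the mapping from the GUI labels to the underlying flags is visible: "Files only" in the 'Apply onto' box is ObjectInherit plus InheritOnly (inherited by files beneath the folder, not applied to the folder itself), and 'Traverse folder/execute file' is the single FileSystemRights.ExecuteFile bit the comment describes. This is an added example, not code from the thread; the target path is an assumption.

```powershell
# Added example (not from the thread): deny execute on files under a folder
# without denying traversal of the folder tree. $Target is an assumption.
$Target = 'C:\profiles'

$acl  = Get-Acl -Path $Target
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Users',                                                          # identity
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,    # same bit as Traverse
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,  # inherited by files ...
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,    # ... but not applied to the folder ("Files only")
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Verify: exactly one Deny ACE, object-inherit and inherit-only, should be listed.
(Get-Acl -Path $Target).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Children whose DACL has inheritance disabled will not pick the entry up; the GUI's
# "Replace permission entries on all child objects" option is what resets those.
# Equivalent one-liner with icacls: (OI) = object inherit, (IO) = inherit only, X = execute
#   icacls C:\profiles /deny "Users:(OI)(IO)(X)"
```

Because the deny is inherit-only, members of Users can still open and list subfolders of the tree; only launching a file stored there is blocked, which is the separation the previous comment was asking for.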
Usually you have a path rule to allow everything in %SYSTEMROOT% (the Windows directory). Then you can use filesystem permissions to prevent files from being added/changed. If you want an actual list, the loaded module list from msinfo is a good place to start. Run msinfo32.exe from \program files\common files\microsoft shared\msinfo\, look at loaded modules under software environment. I guess you could always add every file in the windows directory :)
If your system stops working because of a bad rule, you can still fix it by mounting the registry using a good install. First you need a windows install with physical access to the drive. A bootable BartPE CD is probably the best way. An extra backup install would work, and transplanting the hard drive to another computer as a last resort. Then you open regedit, select a mount point, say HKLM, select File->Load Hive. Find the 'software' file under windows\system32\config\ on the damaged install. Now you have the entire software branch of that computer's local registry mounted. Navigate to (on the new tree) software\policies\microsoft\windows\safer\. All the rules are stored here. It's not as nice as the MMC snap-in, but you can delete bad rules in an emergency. When you are done, select the registry hive you mounted, and select Unload Hive from the File menu.
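The recovery procedure above, scripted with reg.exe so it can be run from a WinPE-style shell that sees the damaged disk. This is an added example, not code from the thread; the damaged install's drive letter, the mount point name and the rule GUID parameter are assumptions, and the level numbers are the ones software restriction policies store under CodeIdentifiers (0 for Disallowed, 262144 for Unrestricted).

```powershell
# Added example (not from the thread): load the offline SOFTWARE hive of a broken
# install, list its software restriction policy rules, optionally delete one, unload.
# Run elevated. Pass -RuleGuid '{...}' (copied from the listing) to delete a rule.
param([string]$RuleGuid)

$Damaged = 'D:\Windows'     # assumed: the damaged install's Windows directory
$Mount   = 'HKLM\Damaged'   # assumed: temporary mount point for the offline hive

reg load $Mount (Join-Path $Damaged 'System32\config\SOFTWARE')
if ($LASTEXITCODE -ne 0) { throw 'Could not load the offline SOFTWARE hive' }

try {
    $safer = "$Mount\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

    # Every rule is a GUID-named subkey under <level>\Paths or <level>\Hashes;
    # the listing shows the FriendlyName/ItemData values so the bad one can be identified.
    reg query $safer /s

    if ($RuleGuid) {
        foreach ($level in 0, 262144) {            # 0 = Disallowed, 262144 = Unrestricted
            foreach ($kind in 'Paths', 'Hashes') {
                $key = "$safer\$level\$kind\$RuleGuid"
                reg query $key 2>$null | Out-Null
                if ($LASTEXITCODE -eq 0) {
                    reg delete $key /f
                    Write-Output "Deleted $key"
                }
            }
        }
    }
}
finally {
    # Always unload: while the hive is mounted the file on the damaged disk stays locked.
    reg unload $Mount
}
```

Running it without -RuleGuid is read-only and is the sensible first pass; the deletion only touches the one GUID you name, so the rest of the policy survives the emergency.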
Yeah. I guess with something like that, you could have accept/deny mutex, as well as accept/deny app. Then something like C:/SOME/PATH/TO/MSQL.EXE could be allowed to run unencumbered from then on if its MD5 hash hadn't changed.
Like software restriction policies? You can create allow/disallow rules for any/all binaries based on path, hash, filename, internet zone, or certificate on win2k and later. See Control Panel->Admin. Tools->Local Security Policy->Software Restriction Policies.
You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects. Access attempts will show up in the event viewer. Note: use regedt32.exe for Win2000 or earlier. For later versions, regedit.exe does everything (under Edit->Permissions).
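The three steps above (enable the object-access audit policy, put an audit entry on the key, read the events) as a script, using the per-subcategory form of the policy that replaced the single "Audit object access" setting on newer versions. This is an added example, not code from the thread; the watched key is an assumption chosen because autorun keys are worth watching, and it must run elevated because reading or writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the thread): audit write attempts on one registry key and
# pull the resulting Security-log events. $Key is an assumption; run elevated.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Audit policy: registry object access, both successes and failures.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. SACL on the key: record anyone creating, changing or deleting values/subkeys.
$acl  = Get-Acl -Path $Key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    ([System.Security.AccessControl.RegistryRights]::SetValue -bor
     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
     [System.Security.AccessControl.RegistryRights]::Delete),
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl.AddAuditRule($rule)
Set-Acl -Path $Key -AclObject $acl

# 3. Read back the events. 4656 = handle requested, 4663 = access actually exercised,
#    4657 = value modified. The event text names the key in native form, so map the
#    PowerShell drive prefix to \REGISTRY\MACHINE before matching.
$keyFilter = $Key -replace '^HKLM:\\', '\REGISTRY\MACHINE\'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657, 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$keyFilter*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The SACL only produces events while the policy from step 1 is on, so an empty result after a test write usually means the audit policy, not the key entry, is missing.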
Win9x... I guess I wouldn't be surprised if there were possible leaks there. I was thinking of WinNT. Yeah, there is a lot of 16 bit stuff from 3.x in 95. IIRC, kernel mode in 9x is 16 bit too. They even have a global resource pool for GDI and USER objects shared across all processes. In 9x, open help->about in something and check 'system resources'; this is a global value. Still, I think there is some effort in tracking them. NT completely re-wrote all that stuff (all 32bit too) with a better design.
See
Windows 95/98/Me Limitations
Window classes in win32
Explanation of system resources in Windows 95/98 (although they fail to mention the 10k USER and GDI handle quota per process in NT)