Free Republic

Hacker, Microsoft duke it out over Vista design flaw
ZDNet ^ | 13 February 2007 | Ryan Naraine

Posted on 02/14/2007 6:57:16 AM PST by ShadowAce

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out — from Microsoft officials — that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can’t under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Russinovich, a technical fellow at Redmond, writes:

As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can.

This potentially includes a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory.

That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data.

That kind of escape, called a squatting attack, is sophisticated and requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.

Russinovich pegged it as a tradeoff between application compatibility and ease of use, explaining the weakness as a "design choice."

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.
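The section-squatting pattern Russinovich describes above, reduced to the decision the elevated side has to get right. This is an added example for this page, not code from the article, from Russinovich or from Microsoft. The message layout (MSG_MAGIC, payload_len, payload), the 64-byte section size and every function name are assumptions, and the mapped view is modelled as a plain byte array so the code builds and runs on any platform; on Windows the same bytes would come from MapViewOfFile on a name in the session's BaseNamedObjects directory, which is exactly the namespace a lower-IL process in the same session can populate first.

```c
/*
 * Added example, not from the article or from Microsoft. Assumed message
 * layout and section size; the "view" is a plain byte array standing in
 * for the mapped section that a low-IL writer and an elevated reader share.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTION_SIZE 64           /* bytes the elevated process mapped */
#define MSG_MAGIC    0x4D534731u  /* assumed tag for a well-formed message */
#define MAX_PAYLOAD  32

struct shared_msg {               /* assumed layout of the shared section */
    uint32_t magic;
    uint32_t payload_len;
    uint8_t  payload[MAX_PAYLOAD];
};

enum consume_result { MSG_OK = 0, MSG_TOO_SMALL, MSG_BAD_MAGIC, MSG_BAD_LEN };

/* Vulnerable consumer: reads straight out of the live mapping and copies
 * payload_len bytes on the writer's say-so. A squatter at low IL owns that
 * field, so this overruns `out` (a stack buffer in the elevated process). */
size_t consume_unchecked(const uint8_t *view, uint8_t out[MAX_PAYLOAD])
{
    const struct shared_msg *m = (const struct shared_msg *)view;
    memcpy(out, m->payload, m->payload_len);   /* no bound, no snapshot */
    return m->payload_len;
}

/* Hardened consumer: treats the view as input from a less trusted process.
 * 1. check the mapping is large enough for the header about to be parsed;
 * 2. snapshot the header, because the low-IL writer keeps write access to
 *    the live mapping and can change fields between check and use;
 * 3. validate every field that will be acted on before touching payload. */
enum consume_result consume_checked(const uint8_t *view, size_t view_len,
                                    uint8_t out[MAX_PAYLOAD], size_t *out_len)
{
    struct shared_msg m;
    if (view_len < sizeof m)         return MSG_TOO_SMALL;
    memcpy(&m, view, sizeof m);      /* private copy, immune to later writes */
    if (m.magic != MSG_MAGIC)        return MSG_BAD_MAGIC;
    if (m.payload_len > MAX_PAYLOAD) return MSG_BAD_LEN;
    memcpy(out, m.payload, m.payload_len);
    *out_len = m.payload_len;
    return MSG_OK;
}

/* Cooperative writer: what the elevated side expects to find. */
void write_legit(uint8_t *view, const char *text)
{
    size_t len = strlen(text);
    if (len > MAX_PAYLOAD) len = MAX_PAYLOAD;
    struct shared_msg m = { MSG_MAGIC, (uint32_t)len, {0} };
    memcpy(m.payload, text, len);
    memcpy(view, &m, sizeof m);
}

/* Squatter: a low-IL process that created the section first under the
 * predictable name and planted a header with an oversized length. */
void squat_section(uint8_t *view)
{
    struct shared_msg m = { MSG_MAGIC, 0x1000u, {0} };
    memset(m.payload, 0x41, sizeof m.payload);
    memcpy(view, &m, sizeof m);
}

/* Scenarios as named functions so their outcomes can be checked. */
int scenario_legit(void)            /* both consumers agree on good input */
{
    uint8_t view[SECTION_SIZE] = {0}, out[MAX_PAYLOAD] = {0};
    size_t n = 0;
    write_legit(view, "hello");
    if (consume_checked(view, sizeof view, out, &n) != MSG_OK) return -1;
    if (n != 5 || memcmp(out, "hello", 5) != 0)              return -2;
    return (int)consume_unchecked(view, out);                 /* 5 */
}

enum consume_result scenario_squat(void)   /* crafted header, checked path */
{
    uint8_t view[SECTION_SIZE] = {0}, out[MAX_PAYLOAD] = {0};
    size_t n = 0;
    squat_section(view);
    return consume_checked(view, sizeof view, out, &n);       /* MSG_BAD_LEN */
}

enum consume_result scenario_short(void)   /* mapping smaller than header */
{
    uint8_t view[8] = {0}, out[MAX_PAYLOAD] = {0};
    size_t n = 0;
    return consume_checked(view, sizeof view, out, &n);       /* MSG_TOO_SMALL */
}

int main(void)
{
    printf("legit: %d bytes copied\n", scenario_legit());
    printf("squat: result %d (MSG_BAD_LEN is %d)\n", (int)scenario_squat(), MSG_BAD_LEN);
    printf("short: result %d (MSG_TOO_SMALL is %d)\n", (int)scenario_short(), MSG_TOO_SMALL);
    /* consume_unchecked() on a squatted view is the overflow; not run here. */
    return 0;
}
```

Build with `cc -Wall -o squat squat.c` and run it. The vulnerable path, `consume_unchecked` after `squat_section`, is the arbitrary-code outcome Russinovich describes and is deliberately not executed. Beyond validating the payload, two Windows-side mitigations follow from his own description of the session namespace: create the shared object rather than opening one under a predictable name, and treat "already exists" as an error, so a lower-IL process cannot pre-create it; and give the object a mandatory label above the writer's level (an SDDL SACL such as `S:(ML;;NW;;;HI)` in its security descriptor), so the no-write-up policy refuses the squatter's writes instead of relying on the reader to notice them.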

Russinovich's explanation isn't sitting well with Rutkowska. In an e-mail interview, the Polish malware researcher said she was "pissed off" by what she perceived as Russinovich's flippant attitude to the potential risk.

"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.

"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen new attacks against UAC)," she added.

Rutkowska also took issue with this line from Russinovich's argument:

"[H]aving your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account's code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code…"

"This is not valid," Rutkowska declared. "If we followed this reasoning, then we would not be able to talk about security in our email clients nor web browsers, because they all also access data and code which are not trusted."

Her final thought: "I believe that the Vista security model is a good thing and that users can benefit from it, but Microsoft must change their attitude and start treating them as security mechanisms."

[UPDATE: February 13, 2007] Rutkowska wrote in to clarify a few things that appear confusing in the article above:

There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was “pissed off” not because of #1, I was “pissed off” because Microsoft employee — Mark Russinovich — declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but, I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow up titled “Vista Security Model - A Big Joke”.

TOPICS: Business/Economy; Technical
KEYWORDS: blog; microsoft; vista

1 posted on 02/14/2007 6:57:19 AM PST by ShadowAce

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

2 posted on 02/14/2007 6:57:34 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Gee a windows security flaw...

imagine that.


3 posted on 02/14/2007 6:59:07 AM PST by Leatherneck_MT (In a world where Carpenters come back from the dead, ALL things are possible.)

To: Leatherneck_MT

We are back to a patch a day club.


4 posted on 02/14/2007 7:01:14 AM PST by bmwcyle (If no one buys illegal drugs, we win the war on drugs)

To: ShadowAce

I think that PC/Mac commercial with the "security guard" just about says it all. Now, of course, you can't buy a new laptop with Vista pre-installed. Any suggestions from my fellow Freepers out there? I was going to buy a notebook computer with my tax refund and it looks like they all come preloaded with Vista.

Except for Macs, of course -- can I get some guidance? Mac or PC?


5 posted on 02/14/2007 7:01:34 AM PST by Right Cal Gal (I wouldn't believe liberals if their tongues came notarized!)

To: ShadowAce

Good grief, Microsoft is running out of toes to shoot.

Also check this out:

http://www.freerepublic.com/focus/f-news/1784627/posts


6 posted on 02/14/2007 7:02:15 AM PST by savedbygrace (SECURE THE BORDERS FIRST (I'M YELLING ON PURPOSE))

To: ShadowAce


7 posted on 02/14/2007 7:04:28 AM PST by jws3sticks (Hillary can take a very long walk on a very short pier, anytime, and the sooner the better!)

To: ShadowAce
Russinovich pegged it as a tradeoff between application compatibility

Backwards compatibility will be Microsoft's Achilles heel until they pull an Apple and just re-do the whole OS.

8 posted on 02/14/2007 7:04:31 AM PST by antiRepublicrat

To: Right Cal Gal

can I get some guidance? Mac or PC?


This is a question I'm interested in as well.


9 posted on 02/14/2007 7:05:27 AM PST by freedomfiter2 (Hunter '08)

To: Right Cal Gal
It's possible to buy a notebook with an OS. When ordering (no matter what the web site says), order by phone, talking to a real person. Insist on a notebook without an OS. If they refuse, go somewhere else.

That's how I bought this laptop. I even got a lower price since I wasn't buying Windows. They took that amount off my final purchase price.

10 posted on 02/14/2007 7:05:42 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Right Cal Gal
Except for Macs, of course -- can I get some guidance? Mac or PC?

A MacBook/Pro and a copy of XP will do it for you. Watch out though, as people tend to find themselves using XP less and less with such a setup.

11 posted on 02/14/2007 7:06:29 AM PST by antiRepublicrat

To: ShadowAce
Interesting to me, in this article, is the portrayal of Russinovich as a sort of MS lackey with the quote "Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack", which is an interesting switch.  MS bought him out because he's so good at finding flaws in Windows and other programs.

Most FReepers will remember him as the hacker who discovered Sony's rootkit games a while back.  Now, he's apparently "The Man".

12 posted on 02/14/2007 7:06:38 AM PST by Psycho_Bunny

To: ShadowAce
s/buy a notebook with an OS/buy a notebook without an OS/

Sorry for the typo.

13 posted on 02/14/2007 7:06:59 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Psycho_Bunny
Most FReepers will remember him as the hacker who discovered Sony's rootkit games a while back. Now, he's apparently "The Man".

I remember him as the guy who figured out that the difference between NT server and workstation was just a couple of values in the registry.

To be fair to Russinovich, he's just a security guy. It's not his fault that the architects came up with this screwy design before he was even employed by Microsoft.

14 posted on 02/14/2007 7:11:12 AM PST by antiRepublicrat

To: freedomfiter2
can I get some guidance? Mac or PC? This is a question I'm interested in as well.

Here's everything you need to know:

http://www.apple.com/getamac/

15 posted on 02/14/2007 7:23:39 AM PST by doc11355

To: ShadowAce

Hot cha cha cha! I'd like to provide some security to Rutkowska!


16 posted on 02/14/2007 7:23:48 AM PST by FastCoyote

To: nnn0jeh

ping


17 posted on 02/14/2007 7:50:41 AM PST by kalee (No burka for me....EVER!)

To: Right Cal Gal
XP has been pulled from retail stores so I've been told. However if you hurry, you can still buy it online, as I did so I can install it with my new computer instead of Vista.

NewEgg OS Software

18 posted on 02/14/2007 8:02:15 AM PST by CedarDave (The "Mark Levin Show" live feed has the best bumper music on the net. Listen tonight!)

To: freedomfiter2

Buy a Mac, a copy of Parallels, and load any other OS (XP, Vista, Linux, etc.) along with the Mac's and switch seamlessly. This is the best of both worlds.


19 posted on 02/14/2007 8:47:54 AM PST by A Strict Constructionist (Nobles Oblige, BS, Well take care of it ourselves!)

To: A Strict Constructionist

Buy a Mac, a copy of Parallels, and load any other OS (XP, Vista, Linux, etc.) along with the Mac's and switch seamlessly. This is the best of both worlds.

Could I just use the Mac's OS or do I need both to transfer info?


20 posted on 02/14/2007 8:53:46 AM PST by freedomfiter2 (Hunter '08)

