
Vista Hacking Challenge Answered

debiansid writes "Microsoft's most secure Operating System yet has been compromised at the Black Hat hacker conference. We all know that Andrew Cushman, Microsoft's director of security outreach, invited the Black Hats over to touch and feel Vista in order to showcase the superiority of this OS. Joanna Rutkowska, from Coseinc, a Singapore-based security firm, obliged and showed how it is possible to bypass security measures in Vista that prevent unsigned code from running, with the help of a little software she calls the 'Blue Pill.'" To be fair, the hack was possible only when the target is in administrator mode rather than a limited user account.
  • by Alcimedes ( 398213 ) on Monday August 07, 2006 @07:14PM (#15862422)
    So if you're a black hat and you've found a new, as yet undiscovered hole in Vista, would you really go running to MS to tell them all about it so they can patch it?

    Or would you keep it to yourself in hopes that the final release will still contain the hole so you can pwn millions of new adoptors?
  • by twofidyKidd ( 615722 ) on Monday August 07, 2006 @07:19PM (#15862449)
    More interestingly, will MS actually patch it, even with complete knowledge of the hole? If it further delays Vista's release (because of potentially complex code organization, or other roadblock), they might not even bother until later.
  • question (Score:5, Interesting)

    by spykemail ( 983593 ) on Monday August 07, 2006 @07:26PM (#15862503) Homepage
    The real question is: will elevating oneself to administrator become common practice or not? If admin land stays reserved for the likes of Slashdot, then problems like this will probably be greatly reduced. But that assumes that the difficulty in setting up an admin account isn't worth it for most people.
  • by Anonymous Coward on Monday August 07, 2006 @07:27PM (#15862507)
    Well, it is unless Ubuntu or one of the other Linux distros finally makes that hurdle across the final 5% or 1% of making things 'just work' that seems to elude open source developers.

    I've been very impressed with the latest Vista beta. I can't say for certain that it is secure but the small amount of time I've run it, I've had absolutely no security/spyware virus problems in normal day to day use.

    It doesn't quite have that elegance that Apple has with the shading/highlights etc for the UI elements, but so far Vista has been stable, secure, and fast.

    And I've been a foaming at the mouth Microsoft hater for a long, long time. It looks to me like Microsoft has finally got their shit together with this OS. There was always a desire to get back to my Mac with previous Windows systems, not any more with Vista.

  • by CorporalKlinger ( 871715 ) on Monday August 07, 2006 @07:34PM (#15862559)
    So let's see, if you run an application as "Administrator" on a new Windows Vista machine (where users are not, by default, created as administrator accounts), that application could cause problems with the system or, if you will, "hack" the system (such an unclean word). How is this any different from sitting down at a Linux system with root access and running amok? Are root accounts inherently more secure than administrator accounts, or am I missing something here? At least on the Vista machine, a notification box may appear letting you know something is going on. See if "rm -rf /" on a Linux machine even asks you to verify your entry before it executes. Microsoft has made it clear that Vista users won't run as admins by default, so I see this as a non-issue. Why does it even qualify as "news?"
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday August 07, 2006 @07:38PM (#15862587)
    Comment removed based on user account deletion
  • freeware? (Score:3, Interesting)

    by colmore ( 56499 ) on Monday August 07, 2006 @07:52PM (#15862667) Journal
    So does this mean I'm going to need to be in administrator mode to run free software?

    Since just about everyone runs one or two pieces of free software (Windows isn't capable of very much out of the box) doesn't this mean that *everyone* will still be running in administrator mode?
  • by splorq ( 839609 ) on Monday August 07, 2006 @08:16PM (#15862804)
    Visual Studio has to run in admin mode. Okay, IFF you want to use the debugging facilities you need to be an admin. But how often would you not want to use the debugging facilities when you're developing code? And how many developers are only going to use admin mode when they need to do some debugging? Perhaps this will be fixed in the first version of VS for Vista. I wouldn't risk much of my annual income on it.
  • by etresoft ( 698962 ) on Monday August 07, 2006 @08:18PM (#15862825)
    People hack a MacBook using 3rd party hardware and software that they won't reveal, then claim the hack would also work on hardware they didn't demonstrate, then claim Apple "leaned on them" to keep the details secret. Suddenly, Macs have no more security. TFA didn't go into enough detail about the "Blue Pill". It wasn't really a hack in the same sense. It was a proof-of-concept to insert a rootkit into an x64-based OS without hacking. To quote the original author [blogspot.com],
    I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform.
    People aren't worried about how to hack into Vista, they are working on brand new exploitation architectures using Vista. I have read elsewhere that Vista appears to have a TCP/IP stack designed from scratch. It includes all new implementations of the bugs that have been fixed over the past 15 years in all the other OSes.
  • by ChrisA90278 ( 905188 ) on Monday August 07, 2006 @08:22PM (#15862842)
    All Microsoft would have to do to prevent home users from running as Admin would be to put a check in MS Office and IE to make both of them fail to run on any admin account, or possibly put up a big ugly dialog box: "You are running as admin. Continue? Are you sure? Really continue?" If these came up every 5 minutes people would not run as Admin but could still switch over now and then. One other idea would be to make the admin account auto-logout after 10 minutes. Lots of things they could have done.
  • by FLEB ( 312391 ) on Monday August 07, 2006 @08:45PM (#15862945) Homepage Journal
    Spend more time and work to make the OS intentionally and pointlessly annoy the user? No.

    If you wanted to take this approach, all you'd need to do is make it a bit scary. Hide the Admin account away, and maybe do something like Safe Mode, putting "Administrative Mode" in big ugly systemtype in the four corners of the screen. That, and make it so people rarely need to run in Admin mode.
  • by Vancorps ( 746090 ) on Monday August 07, 2006 @08:48PM (#15862962)

    You know, 100 years ago the automobile had a lot of problems too. Let's call all modern cars crap because the transmission still goes bad despite the fact that it goes bad 100,000 miles later than it did initially.

    Are you seriously reading what you're writing? Sorry, but 90% of corporate America does not, nor even needs to, run as admin. For those that do (think home PCs), they have the runas option, which is just like sudo, so what's the problem? Maybe because all those lazy developers made programs for Windows that require administrative access? Okay fine, let's give them a portion of the registry that users can read normally and move important system keys into a different location which can be secured. Problem solved.

    It sounds to me like you don't know what you're talking about or at the very least you don't seem to understand Vista's new features or even features that have existed since NT4. That's fine, you're not required to but don't expect everyone to sit back and let you make false statements since that doesn't help anyone.

    If you want to bash Vista, bash something relevant like the user pop-ups asking you to authorize actions or the wizard you have to run when you access system files which grants you access to said files. It's not a default behavior for even Administrator to have access to certain files. Of course nothing stops Administrator from granting access since they are indeed the Administrator.

    That said, even if you do run as Admin on Vista things are a lot safer (read not safe, but safer), think OS X style prompts. There's another legitimate gripe with Vista. As I said, there are plenty of real reasons, there's no need to make one up.

    I ran Vista for a month before wiping it and throwing Gentoo on it and I can honestly say I did not need to run as Administrator at all. Of course I know my way around a Windows system and I understand how to use Runas; of course I taught my computer illiterate parents how to use it too, so I really don't think it's that complicated, although its intuitiveness is up for debate.

  • by Anonymous Coward on Monday August 07, 2006 @09:00PM (#15863002)
    They won't patch it because they can't. The software is really quite clever--it uses the hardware-based virtualization capabilities in newer AMD processors to move the currently running operating system into a VM (on the fly--no reboot!). Everything looks the same to the OS (no intermediary drivers like with VMWare, Virtual PC, et. al.)

    The software doesn't rely on a vulnerability in the OS, but rather a feature of the hardware... it could be ported to Linux/BSD/whatever quite easily.
  • by Sigma 7 ( 266129 ) on Monday August 07, 2006 @09:36PM (#15863173)
    All Microsoft would have to do to prevent home users from running as Admin would be to put a check in MS Office and IE to make both of them fail to run on any admin account, or possibly put up a big ugly dialog box: "You are running as admin. Continue? Are you sure? Really continue?"

    That approach has been taken by some minor software projects - by preventing use of the root account. This takes the wrong approach to security - it encourages lax code under the false assumption that it couldn't possibly inflict system-wide damage. It is the computer equivalent of sweeping dirt under the rug to make things look clean.

    Better systems do:
    - Not permit reckless actions through interface flaws (e.g. not designing your system to do an easy "rm -rf /")
    - Not permit applications to auto-execute (e.g. what Firefox does to embedded objects and Javascript by default)
    - Not contain buffer overflow possibilities (e.g. using C-style strings carelessly)
  • by caller9 ( 764851 ) on Monday August 07, 2006 @10:29PM (#15863390)
    I was able to run an application with full control over the system! I just had to put sudo in front of it and provide the right password.

    Like the time I hacked Steam, I just entered in my name, email, and credit card info and BAM instant online games baby!

    Ditto on the blackhats keeping the best ones under their black hats. This genius ran a known hardware issue on a new OS, *as root* and it worked. Get this girl a cookie.
  • by x2A ( 858210 ) on Monday August 07, 2006 @10:29PM (#15863392)
    Sure, if you have access to this "general purpose hardware" you can boot it off a CD or whatever to get around security checks, but that's not what this is about. This is about Vista supposedly not allowing you to load unsigned code into ring0, which is TOTALLY possible on general purpose hardware, because of a little thing called "protected mode", which allows software in ring0 to control things that software in the lower rings does, by catching any attempts to directly access hardware or memory, and either allowing or disallowing it based on certain rules. These rules can include checking that which you're trying to access to see if it has been signed by a trusted key. If it isn't, it refuses to load the code, and ring0 remains untouched.

    Idiot.

    If, however, the code has been signed, it can allow it to load and run in ring0 (or ring1 as some OS's load their drivers).

    "Are you really so stupid you cannot see the difference between bypassing a security feature on an iPod versus a general purpose computer?"

    Are you really so stupid that you can't see what they, in this case, have in common?
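The ring0 rule x2A describes, as an added example that is not part of this thread and not Vista's own code: a loader that refuses unsigned code, code signed by a key outside its trust store, and code altered after signing. It uses Go's standard crypto/ed25519 package; the Module layout, the trust-store shape and the file names are assumptions made for the example. As other posts here note, Blue Pill is claimed not to rely on a bug in a check like this but on hardware virtualization, so a correct signature check is necessary but not by itself sufficient.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Module is a hypothetical driver image with the signature and signer key a
// vendor would attach (assumed layout, not a real driver-signing format).
type Module struct {
	Name      string
	Image     []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Loader stands in for the ring0 gatekeeper: it knows only the public keys it
// trusts and refuses anything that does not verify against one of them.
type Loader struct {
	trusted map[string]ed25519.PublicKey
}

var (
	ErrUnsigned     = errors.New("module carries no signature")
	ErrUntrustedKey = errors.New("signer key is not in the trust store")
	ErrBadSignature = errors.New("signature does not match the image")
)

func NewLoader(keys ...ed25519.PublicKey) *Loader {
	l := &Loader{trusted: make(map[string]ed25519.PublicKey)}
	for _, k := range keys {
		l.trusted[string(k)] = k
	}
	return l
}

// Verify is the policy check: unsigned code is refused, code signed by an
// unknown key is refused, and a signature counts only if it was made over
// exactly the bytes that would be loaded.
func (l *Loader) Verify(m Module) error {
	if len(m.Signature) == 0 {
		return ErrUnsigned
	}
	key, ok := l.trusted[string(m.SignerKey)]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(key, m.Image, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Sign is what a vendor's build pipeline would do before shipping a driver.
func Sign(priv ed25519.PrivateKey, name string, image []byte) Module {
	return Module{
		Name:      name,
		Image:     image,
		Signature: ed25519.Sign(priv, image),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// RunScenario exercises the four cases a loader must tell apart and returns
// the verdict for each. Keys and images are constructed on the spot.
func RunScenario() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	loader := NewLoader(vendorPub) // only the vendor key is trusted

	image := []byte("constructed driver image: not a real PE file")
	good := Sign(vendorPriv, "good.sys", image)

	// Valid vendor signature, but one bit of the image flipped after signing.
	tampered := Sign(vendorPriv, "tampered.sys", image)
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01

	unsigned := Module{Name: "unsigned.sys", Image: image}

	// Correctly signed, but by a key the loader was never told to trust.
	rogue := Sign(roguePriv, "rogue.sys", image)

	return map[string]error{
		"signed":    loader.Verify(good),
		"tampered":  loader.Verify(tampered),
		"unsigned":  loader.Verify(unsigned),
		"untrusted": loader.Verify(rogue),
	}
}

func main() {
	for name, err := range RunScenario() {
		if err == nil {
			fmt.Printf("%-10s loaded\n", name)
		} else {
			fmt.Printf("%-10s refused: %v\n", name, err)
		}
	}
}
```

The trust store is keyed on the raw public key bytes, so a signature that verifies mathematically is still refused when the key is not one the loader was provisioned with; that is the distinction between "signed" and "signed by a trusted key" that the post draws.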

  • by I'm Don Giovanni ( 598558 ) on Monday August 07, 2006 @10:40PM (#15863424)
    I hate to tell you this, but the hack to allow unsigned drivers had already been (and is) fixed in the latest Vista builds.
    http://news.yahoo.com/s/zd/185371 [yahoo.com]
  • by jd ( 1658 ) on Tuesday August 08, 2006 @12:37AM (#15863865) Homepage Journal
    No, the Black Hat wouldn't tell them about the hole. Well, not per-se. Not if there was some way of tricking Microsoft into thinking it was fixed, whilst leaving the Black Hat a back-door into everybody's systems. One way to do this would be to try and persuade Microsoft that only a subset of the values that would break security are a problem. Social engineer both the fix and the buglist. That way, if the Black Hat is ever detected, there's a good chance Microsoft will deem it a fixed bug and blame the victim, rather than investigating further.
    One of the dangers in hiring or consulting Black Hats who are any good is that 99% of security is all about social engineering - both the defence and the offense. Because of this, it is utterly impossible to distinguish between someone actually securing your systems and merely persuading you they have done so. Grey Hats will have basically the same social engineering skills but are more likely to teach you what to avoid, than to use those skills against you. This is not to say that Black Hats will always work against you - that's bad for business. All you can say is that what makes someone a Black Hat as opposed to a Grey Hat is that they wouldn't be opposed to doing so, and you'll never know.
    Oh yeah - I mentioned the use of social engineering in the protection of a system. The defences in any system will always be breakable with enough time and effort, so the only truly secure system is one that can socially engineer the attacker into believing that they have either already succeeded long before they really have or that there's nothing alive and listening for them to attack. Under no circumstances should obscurity be used as a substitute for social engineering. Obscurity hides what is important except to an attacker who has figured the obscurity out - which means that it can be used against the defender far more effectively than against the attacker. Social engineering hides nothing, it merely helps someone to see what they want to see. Because it hides nothing, it cannot be used against you, the worst possible case is that it'll cease to be as effective.
