Vista Hacking Challenge Answered 388
debiansid writes "Microsoft's most secure Operating System yet
has been compromised at the Black Hat hacker conference. We all know that Andrew Cushman, Microsoft's director of security outreach invited the Black Hats over to touch and feel Vista in order to showcase the superiority of this OS. Joanna Rutkowska, from Coseinc, a Singapore-based security firm, obliged and showed how it is possible to bypass security measures in Vista that prevents unsigned code from running with the help of a little software she calls the 'Blue Pill.'" To be fair, the hack was possible only when the target is in administrator mode rather than a limited user account.
Would they tell anyway? (Score:5, Interesting)
Or would you keep it to yourself in hopes that the final release will still contain the hole so you can pwn millions of new adoptors?
Re:Would they tell anyway? (Score:5, Interesting)
Re:Would they tell anyway? (Score:5, Insightful)
This is not just a matter of losing face. If the Windows team blows the revised date by several months (say April or later) AND it ships what is considered to be a lackluster product, many people will start considering the Windows codebase as a sustaining mode project. They will assume that Microsoft is busy preparing a brand new code base (based on FreeBSD plus
Re:Would they tell anyway? (Score:4, Interesting)
The software doesn't rely on a vulnerability in the OS, but rather a feature of the hardware... it could be ported to Linux/BSD/whatever quite easily.
Re:Would they tell anyway? (Score:4, Insightful)
Re:Would they tell anyway? (Score:3, Insightful)
There's also the description on her blog [blogspot.com], which states, "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run o
Re:Would they tell anyway? (Score:5, Funny)
Perhaps I'd do this by smiling and saying that the OS was so secure that I couldn't find anything wrong with it and recommending, no, begging that they ship it in exactly its current form.
Re:Would they tell anyway? (Score:3, Insightful)
Most of these people at the blackhat con aren't of ill intent, though. They're just hackers who won't let microsofts convenience get in the way of their fun.
Besides, with Microsofts history, I'd say it's pretty unlikely this hole will be patched if vista comes out before 2008. They certainly didn't patch any other verison of windows with that kind of speed.
Re:Would they tell anyway? (Score:5, Informative)
http://www.eweek.com/article2/0,1759,1999241,00.a
Re:Would they tell anyway? (Score:3, Informative)
Probably because she already published enough details of how it works over a month ago. [slashdot.org]
And, although he says its patched, the patch has not been released and so one must question how well patched - it would not be the first time MS released a patch to close front door that left the back door wide open.
My slightly-humble opinion is that Rutkowska's general approach can only be completely thwarted if the OS itself installs its own "hypervisor" kernel. I've got my fingers cros
Re:Would they tell anyway? (Score:5, Interesting)
One of the dangers in hiring or consulting Black Hats who are any good is that 99% of security is all about social engineering - both the defence and the offense. Because of this, it is utterly impossible to distinguish between someone actually securing your systems and merely persuading you they have done so. Grey Hats will have basically the same social engineering skills but are more likely to teach you what to avoid, than to use those skills against you. This is not to say that Black Hats will always work against you - that's bad for business. All you can say is that what makes someone a Black Hat as opposed to a Grey Hat is that they wouldn't be opposed to doing so, and you'll never know.
Oh yeah - I mentioned the use of social engineering in the protection of a system. The defences in any system will always be breakable with enough time and effort, so the only truly secure system is one that can socially engineer the attacker into believing that they have either already succeeded long before they really have or that there's nothing alive and listening for them to attack. Under no circumstances should obscurity be used as a substitute for social engineering. Obscurity hides what is important except to an attacker who has figured the obscurity out - which means that it can be used against the defender far more effectively than against the attacker. Social engineering hides nothing, it merely helps someone to see what they want to see. Because it hides nothing, it cannot be used against you, the worst possible case is that it'll cease to be as effective.
Only works as an administrator but... (Score:5, Insightful)
Re:Only works as an administrator but... (Score:5, Funny)
Re:Only works as an administrator but... (Score:5, Informative)
Yes, it is going to change for Vista. The default user will not have admin privileges.
Re:Only works as an administrator but... (Score:3, Insightful)
Shut the fuck up, Donny (Score:3, Funny)
Re:MS Support calls (Score:5, Informative)
Re:MS Support calls (Score:5, Informative)
You can either be a limited user or an "administrator". By default in the current beta you're an "administrator".
What this means is that everytime an action is undertaken that actually requires administrative rights, Vista will pop up a dialogue (a la security warnings in Internet Explorer) and make sure you really wanted to do that. If you think this would be annoying (and would just train users to click yes) let me tell you that it was actually worse in Beta1.
There it popped up ALL the time and even if a background task does something that requires it, the entire system would stop and pop up the dialogue. At least now it'll just block and wait for you to notice the new task button and deal with it.
If you're on a limited account, you'll have to run whatever it was you were trying to run with the context menu "Run as admin" item. Then you'll have to type the admin password. Then when the program does something that actually requires the rights, it may or may not pop up the UAC dialogue.
At least MS is putting hoops for us to jump through.
Re:MS Support calls (Score:3, Funny)
You don't really think that MS would make that button scriptable, do you? I don't think even MS are that stupid.
Re:MS Support calls (Score:2)
If you can deal with using sudo on a Linux box, you can deal with runas under Windows.
Re:Only works as an administrator but... (Score:5, Insightful)
Short term administrator usage to install a driver isn't that big of a threat. The real problem will be legacy applications that won't run without administrator priviledges. That's what keeps most people from running everything as a user.
Re:Only works as an administrator but... (Score:5, Insightful)
You shouldnt be allowed to say "NT/2k/Xp compatible" if your software cant correctly handle user permissions.
Re:Only works as an administrator but... (Score:2, Informative)
Re:Only works as an administrator but... (Score:2)
There's a lot of unbelievably bad Windows code out there. If most of it runs without a hitch have they really fixed anything?
Re:Only works as an administrator but... (Score:3, Insightful)
Yes it's a great way to alert a knowledgable user that some background process may be playing where it doesn't belong but I still see thousands of end users blindly clicking "Continue" as with the old Ac
Re:Only works as an administrator but... (Score:3, Interesting)
Re:Only works as an administrator but... (Score:3, Interesting)
If you wanted to take this approach, all you'd need to do is make it a bit scary. Hide the Admin account away, and maybe do something like Safe Mode, putting "Administrative Mode" in big ugly systemtype in the four corners of the screen. That, and make it so people rarely need to run in Admin mode.
Re:Only works as an administrator but... (Score:3, Funny)
Re:Only works as an administrator but... (Score:3, Interesting)
That approach has been taken by some minor software projects - by preventing use of the root account. This takes the wrong approach to security - it enocurages lax code under the false assumption that it couldn't possibly inflict
Re:Only works as an administrator but... (Score:2)
Re:Only works as an administrator but... (Score:3, Informative)
http://www.anandtech.com/systems/showdoc.aspx?i=27 80&p=7 [anandtech.com]
The above article details a new "User Account Control" system. From TFA: "The basic premise behind UAC is that the previous way of running everything as an Administrator was wrong, and by doing so it not only allowed applications to make system-wide changes when they shouldn't, but it also meant that com
Re:Only works as an administrator but... (Score:3, Insightful)
There's a point where you have to blame people for their own actions. That's roughly at the point where they start making explicit choices based on available information. Anything more, and the OS (or any other program) just starts becoming useless under the weight of handholding and artificial restrictions.
About the only thing I could see worth adding (if it isn't already... I haven't kept up on the Vista betas) is some sort of good central logging function, so w
Re:Only works as an administrator but... (Score:2, Informative)
Re:Only works as an administrator but... (Score:2)
One reason users run with administrative privileges in XP is because the XP setup it requires you to create a new user, and that user is given admin rights. Thus, the 'bob' user account that Bob made for his everyday use is an administrator, whether he knows it or not. Users get accustomed to having free reign over their systems and being able to make changes and install software without authenticating that it becomes the norm. In addition, there is a
Re:Only works as an administrator but... (Score:2)
Yup. People here are talking like "the darned user" is going to choose to run administrator. Most probably, administrator privileges is what the local Nerd Brigade outlet handed them. The behavior that has to be changed is at the retailer's shop. If Vista will get Windows techs to do an "su" instead of running admin, that is fine.
Ok, so the machine was in Admin mode... (Score:4, Insightful)
Re:Ok, so the machine was in Admin mode... (Score:4, Insightful)
I've had accounts on POSIX-compliant systems for years. I've found that with only user-level access I'm quite able to compile or install applications for my own user account in my own home directory without much difficulty, and still maintain the system integrity. As long as Microsoft holds on to the registry they'll never achieve such.
Re:Ok, so the machine was in Admin mode... (Score:5, Insightful)
Bingo.
I've tried, I've tried so hard to get my family to run using user-level accounts. It doesn't work. I don't live with them, so at least one needs an account with Admin rights. The others get the password (usually by asking), and then reelevate themselves. They aren't doing it to spite me. When some games won't run without admin, they can't burn CDs, so forth, they will find a way to make it work. Security? What's that? They don't care. If they can't play games, or burn CDs, they don't care about security.
I know it is nice and easy to blame developers. True, they should do better. Heck, the first two release versions of my software didn't run properly as a user under Windows either (be gentle, I didn't have XP then). But if you want developers to behave, it has to cost them if they don't. The admin-by-default situation in Windows is ludicrous. They took a step in the right direction with user accounts in XP, but with the default installation forcing the first user account to be admin, and then not letting you de-admin the account, makes the step almost pointless.
When default users run as an ordinary user with a pretty graphical sudo, and the OS blocks running apps as administrator without some sort of painful confirmation process (eg. whitelist), and developers have access to decent commandline or API sudo and security equivalents, then developers will behave and make damn sure their app runs as an ordinary user.
Legacy apps will break unless some sort of layer is put in to make it look like the app does have arbitrary permissions to do fun stuff like write into its installation directory or the top level of a drive. I've heard Vista does some of this funky stuff (I'd check if the a__holes at Microsoft actually let me get their beta version of Vista- another story), which I hope is true.
Microsoft got themselves into this mess and they have nobody to blame but themselves (despite the way they love to blame third parties for their sloppy OS). They can dig their way out if they choose. It won't be easy, but give them a decade and they'll be where Unix was a decade ago.
Personally I'm not too stressed one way or the other. I don't use Windows unless I absolutely must, and whilst it is a worm-ridden crash-prone security nightmare it does mean there will be work available to clean up the mess. The target market of my software mostly runs on Windows though, so I do have to keep aware of what is going on. It would be nice if they cleaned up their act, as it makes my work easier.
Re:Ok, so the machine was in Admin mode... (Score:2)
Hmmm... (Score:2)
Re:Hmmm... (Score:2)
You are giving Apple WAY too much credit here.
In the UNIX world people have been running as unpriveledged users for DECADES.
Apple simply followed standard unix operating practice
Re:Hmmm... (Score:2)
Re:Hmmm... (Score:2)
But Linux has had that for a long time.
What's that? Oh, widespread doesn't necessarily mean popular. Windows is installed by default with most hardware, Linux users have made a choice. Most people in the US die of heart disease, but that doesn't make it the most popular form of death.
Hypocrites (Score:3, Insightful)
And no, before you ask, I am not a windows user, I am on a Mac PowerBook G4. I prefer the mac because it is easier to use and I am not a gamer, not because of some imagined speed or innate security edge over every possible windows product.
Re:Hypocrites (Score:4, Insightful)
Now if that's a security issue, then I guess rm -rf / is an enormous security hole on Unix systems
Re:Hypocrites (Score:2, Informative)
Correct, it will. The true administrator account is hidden and disabled by default. Most people won't even know it's there, and you have to go through a rigmarole to enable it if you really want it (these a how-to guide at http://www.computerworld.com/action/article.do?com [computerworld.com] mand=viewArticleBasic&articleId=9001970). The "administrator" account that Vista creates by default is actually a standard user that can temporarily elevate to admin privelages
Re:Hypocrites (Score:2, Insightful)
Re:Hypocrites (Score:2)
That's not true. The reason "windows users have the unfortunate tendency to run as administrators" is because some software requires Admin priviledges to run properly! That being said, those applications and the OS itself are to blame.
Re:Hypocrites (Score:2)
I would agree with you, except that the hack was to run code that was unsigned when the OS was specifically designed with this security feature. If linux implemented something to prevent any executables from running that were not shipped from the distribution,
Re:Hypocrites (Score:2)
Well, yeah, but (1) Windows seems to have so much more insecure software than other OS's, and (2) a lot of that software is so eager to run yet more insecure software just to be "helpful" to the user (eg Word and Excel macros, email attachments, fun stuff in webpages, etc.)
Having Vista default to user mode is a good thing -- it's nice to see Microsoft finally
Not only does it have to be in admin mode... (Score:3, Informative)
Yes, many users are just stupid and will automatically click "yes" on things, but at that point it's their own damn fault. The hack won't work without the user letting it work.
How's that even a hack? (Score:2)
Calling anything that requires manual user execution a "hack" seems to stretc
Re:How's that even a hack? (Score:2)
This isn't like getting someone to run your script as root, it's like getting someone to run your script as root from a
To be fair to MS (Score:5, Insightful)
Microsoft doesn't care about impressing Linux users, they care about releasing something that A LOT of normal users can install and forget about. Every iteration they get more stuff right, and their operating system becomes better (except ME, that sucked dick).
Re:To be fair to MS (Score:2)
Re:To be fair to MS (Score:2)
Re:To be fair to MS (Score:2)
Perhaps that's true in regard to security. But aside from a few right-click functions and totally new features like having CD-burner support built in, Windows XP with default settings is more difficult for a reasonably skilled user than Windows 2000. And it's for a very simple reason: Every iteration of Windows is more childish than the one before.
Seriously, Windows is the AOL of operating systems—designe
Re:To be fair to MS (Score:5, Funny)
once again, we're reminded of the importance of proper comma placement.
Blue Pill seems insincere (Score:4, Insightful)
Seems to me this 'hack' gets the cart before the horse. If you are able to run malicious software in administrator mode, you can do anything at all, not just compromise signed code authorization. Heck you could replace the whole OS. The point of security is to prevent unknown persons from being able to run malicious software in the first place.
Re:Blue Pill seems insincere (Score:2)
The user is the biggest security problem of all, regardless of OS.
Re:Blue Pill seems insincere (Score:3, Interesting)
On teh flip side, the question remains..... (Score:2)
The most secure computer system is one that is not turned on.
question (Score:5, Interesting)
Re:question (Score:5, Insightful)
That depends on how many legacy programs require Administrator priveleges to even run. (Hint: a lot)
Re:question (Score:2)
Re:question (Score:2)
Course, Linux has had this sort of thing for ages.
Blue Pill (Score:3, Funny)
Hardware bug (Score:3, Informative)
I'm not surprised that they focused on being able to break Vista. A nice marketing move for the "researcher" (like there're not papers that explain how virtualizing environments aren't 100% safe in the x86 architecture)
Not a hardware bug.. it modifies the pagefile (Score:2, Informative)
You are probably thinking of the AMD hypervisor she discussed for designing Vista rootkits.
re (Score:2)
This exploit-requiring-admin reminds me of another recent speech, namely http://www.defcon.org/html/defcon-14/dc-14-speake
*yawn*
And Linux as root is any more secure? (Score:2, Interesting)
Re:And Linux as root is any more secure? (Score:2)
Re:And Linux as root is any more secure? (Score:3, Interesting)
You know, 100 years ago the automobile had a lot of problems too. Let's call all modern cars crap because the transmission still goes bad despite the fact that it goes bad 100,000 miles later than it did initially.
Are you seriously reading what you're writing? Sorry, but 90% of corporate America does not nor even needs to run as admin. For those that do, think home PCs they have the runas option which is just like sudo so what's the problem? Maybe because all those lazy developers made programs for Window
Re:And Linux as root is any more secure? (Score:3, Informative)
Because linux (without something like selinux) isn't designed to not let you run unsigned code in ring0. Vista is. Yet by using this security hole, you can push unsigned code into ring0. Therefore, it is only as secure as linux; their extra security requiring cryptographically signed binaries to run in ring0 didn't work.
Re:And Linux as root is any more secure? (Score:3, Informative)
Of course not - the entire point is that you have full and absolute control to be able to change anything. The difference between multi-user systems and systems with a single user legacy is that you should only need root access to set things up - even your system services run as different users without full root priveleges. MS Windows 2k,XP,2k3 suffers from having people with the single user idea turn up from the Win98 side and mess thing
Comment removed (Score:5, Interesting)
Re:Security Development Lifecycle (Score:2)
The same reason Microsoft doesn't try to get rid of security vulnerabities in MS-Dos and Windows 3.11. It's considered "don't-even-bother", as those computers just barely got a hard drive and adding user-accounts would massivly break 99% of existing applications.
BTW, OpenBSD didn't remove every security vulnerability either, as demonstrated by the new class of attack that was recently discovered. T
These kinds of contests don't work. (Score:3, Insightful)
The only case where they DO work is when you're asking people to crack encryption, and then it's only CRACKING it that proves something, saying that noone could crack it doesn't mean it's uncrackable.
Missing the point, I suspect (Score:2)
As I read it, Microsoft has declared that as of their next release, they simply won't allow unsigned drivers and other kernel-level code to run. Which, according to quite a few hardware vendors, means enough expense to be prohibitive; those same vendors today simply provide instructions to ignore "this code isn't signed" warnings.
Well, this hack lets those vendors continue as they bear.
The posts about "well, DUH! you need admin privs" is beside the point because driver (etc) installations always
Unsigned driver hack already fixed (Score:4, Interesting)
http://news.yahoo.com/s/zd/185371 [yahoo.com]
freeware? (Score:3, Interesting)
Since just about everyone runs one or two pieces of free software (Windows isn't capable of very much out of the box) doesn't this mean that *everyone* will still be running in administrator mode?
Re:freeware? (Score:3, Insightful)
What about Visual Studio users? (Score:2, Interesting)
Re:What about Visual Studio users? (Score:2)
Re:What about Visual Studio users? (Score:2)
Missing the point about "Blue Pill" (Score:5, Interesting)
Re:Missing the point about "Blue Pill" (Score:2)
Think about it: If you ever turn on the WiFi system on a machine with a vulnerably driver it can be sliently infected wirelessly with malware that would, from then on, run the OS and its herd of applications in a virtual environment within which it can not even DETECT that it has been compromosed.
To be fair... (Score:2)
...I'd be willing to bet that most people run their computes with Admin accounts.
It's too much fo a hassle to deal with the "You can't do that, log out, log in as admin, do that, log out, log back in as yourself" for most people. Hell, I KNOW what the hazards are, but I sitll do it.
Saying "It's only insecure when you run as administrator" is like saying "It's only dangerous when you smoke the cigarettes". Of course it's only dangerous that way, but that's not stopping thousands of people from doing it.
Whew (Score:2)
To be fair, the hack was possible only when the target is in administrator mode rather than a limited user account.
That will limit the damage to about 90% of Windows machines connected to the internet. And here I started thinking that MSFT security wouldn't be any better in Vista. Guess I was wrong.
Re:Whew (Score:2)
Where can I get "blue pill"???? (Score:3, Funny)
You are all missing the point (Score:5, Informative)
It infuriates developers, yet doesn't do anything for preventing rootkits, as Joanna has demonstrated. As long as user-mode programs have raw disk access, they will be able to attack whatever they want.
I have a feeling that Microsoft's response to this will be to lock out raw disk access to user mode regardless of privilege. Keep in mind that even SELinux does not do this. All disk utilities would have to be written as signed drivers. The problem here is that developers won't stand for it, and will make signed drivers that grant access again. Then the rootkits can just copy these signed drivers then use them to do the same thing.
Even if Microsoft encrypts the page file or removes the ability for the kernel to page itself out, raw disk access is still an issue. You can always open \Device\Harddisk0\Partition0 (NT's
The real reason for driver signing appears to be DRM. The easiest way to "crack" song DRM is to install a fake audio driver that logs to disk. With the DMCA, it's illegal to make such a driver, and with driver signing, it's impossible to do it anonymously. If you temporarily disable driver signing - which is possible if you press F8 each boot - Vista's Windows Media Player refuses to play protected songs. Gee I wonder why.
By the way, I thought of the same pagefile hack as Joanna on my own and posted it on my weblog in early June. I'm sure Joanna figured it out long before me though.
* There are other root certificate companies that are countersigned, but this is a well-known phrase.
Melissa
Re:The blue pill? (Score:2, Funny)
The blue pill seems apropos (Score:2)
Since the malware works by creating a virtual machine environment and effectively running the OS and its entire herd of applications within it, the Matrix reference seems entirely appropos. The Matrix is the closest match in popular fiction to the situation.
("True Names" and the Cyberspace/Cyberpunk stories are earlier. But the core premise of "The Matrix" is that the entities within it are normally unaware of this fact and don't normally have any way
Re:since when? (Score:2)
Re:The Majority of Executables are Unsigned (Score:2)
Re:The Majority of Executables are Unsigned (Score:3, Informative)
It's basically like two seperate sandboxes, both kept seperate, and one of them highly controlled so you can trust (as much as you trust the key issuer) that it's safe and secure. The other... use at your own risk.
Re:Ok, *puts in devil suit* (Score:2)
Also, each can probably has a $20 bill rubber-banded to it - providing a $100 per hour bonus for the average programmer.
Re:Microsoft's most secure Operating System yet (Score:2)
It says that it's MICROSOFTS most secure OS yet. Not THE most secure OS yet.
I'm sure it is. The only way to make it worse would be to ship it pre-trojaned.
Oh come on (Score:3, Funny)