You mean you have to click FIVE TIMES to get root?
well there you go, M$ couldn't have seen that coming, too much work for them.
Windows Vista may be Microsoft's most secure operating system to date, but researchers are still finding some glaring loopholes for hackers to exploit. Here is the latest: all you need is a Vista Install DVD to get admin level access to a hard drive. The loophole arises because the Command Prompt tool in Vista's System …
Although a Unix fan, I have to say, so what?
With any user permission based file system that isn't encrypted, this is always a likelihood. It's up to administrators to make the machine physically secure, including making booting from external media a no go.
Linux, OpenBSD and various others that I have used are all open to this attack. What next, car windows are vulnerable to hammer blows?
Local drives are always available locally to any OS if booting from a different drive. I welcome the addition of a proper CLI on the installer...
It ain't a bug.. if your physical machine isn't secure then it's asking 4 trouble
This exists in Mac OS X, Linux etc... one just needs to lock BIOS/EFI/Open Firmware from allowing alternate boot drives..
Too many supposed vulnerabilities start with "all you need is admin access/local access at time of boot".
Is it a vulnerability that anyone can boot disk 1 of redhat/CentOS, type "linux rescue" and access the file system as root? I don't think so. The only way to protect local data from this sort of access is to use full-disk encryption.
Password access to the rescue console is no protection, just a hindrance.
<This is not news>
This same "exploit" has existed for years.
Windows Vista's setup is based upon Windows PE. Windows PE has always run as System, and presented a command prompt as its primary user interface.
This same "exploit" can be done easily with any copy of Windows PE, with a side-by-side installation of Windows, or a Linux boot CD with NTFS capability. Note that what the original author suggests (insofar as any authentication done within Windows PE) would be a courtesy here, and since Linux boot CDs wouldn't bother to do the same, would be a bizarre "courtesy", much as the inane, and much hated, administrator login requirement for the Recovery Console (in earlier versions of Windows) was (consult documentation for Windows 2000, XP, or Server 2003 if you aren't familiar with it).
For more info, see Law #3 here: http://microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
As I've said in numerous articles and speeches, the way to secure systems against any type of attack like this is physical security and/or full-volume encryption.
</This is not news>
Short of disk-level encryption, or similar HDD scrambling schemes, you really can't prevent this if you give the attacker physical access to the hardware. You can remove the HDD, you can boot systems like Linux, you can zero CMOS memory to bypass power-up passwords, all sorts of ways. You can't hold the OS responsible until it's booted (and the install version is not the full OS).
Gr8!!
So not likely to see any mass infections in this century from that one then, not unless we cross sploit.
Dude, bro, madam... So yet another local exploit is uncovered, not exactly newsworthy or *shudders* TERRIFYING is it?
No doubt my old ZX Spec is exploitable; given a pair of knickers and a bra, you would find it walking the streets chatting up young Commodores.. However, to report every little bug available in an O/S starts to get tiresome at some point, at least it does when you find it makes it into every fucking article on the net. Keep this shit to exploitzRus and not here, ta; just 'cause there's a hole in my coffee cup don't mean some fucker's gonna rob me.
As several have pointed out, it's easy to compromise a system if you can get it to boot off alternate media (CD, DVD, Flash etc.). If this is a concern, the obvious thing to do (assuming the PC supports it) is to disable booting from alternate media in the BIOS and then password protect the BIOS. It still won't stop a determined individual (open the box, reset the BIOS) but will slow them down and make "casual" access harder.
This is an old trick with XP. Just boot the PC up with a Windows 2000 install disk. And use the recovery console there. (Have not yet tried this with Vista... but I expect it still works. heheh)
Not only does this give you access to a DOS prompt for XP, but ignores any admin password, and gives FULL access to the WHOLE disk.
I have been using this trick for so long to run chkdsk or kill a dodgy virus, that I was surprised to find that the recovery console using an XP disk _didn't_ allow access to the whole machine. LoL.
(I _had_ to use this trick on the "before SP1" XP systems.... their recovery consoles were broken and wouldn't allow _any_ access, even if the correct password was used... LoL)
Not really a security problem. If the "hacker" is in front of your PC, then your security features have broken down a bit far..... physical access to a machine always allows someone to quietly boot the PC with a Linux CD and copy anything at their leisure using the GUI and a nice DVD Writer/Flash Drive. :)
As other people have said, this method has been around since Windows 2k, and how much damage has it done? None that's been reported.
What use is this method? Anyone with an ounce of common sense doesn't keep important data on client machines; unless someone managed to get physical access to a server, the only problem that can arise is the admin will have to send one of his minions to reinstall the OS.
If someone broke into my house I seriously doubt they'd come armed with a Windows Vista DVD
This is a problem on all local (ie non terminal based) systems, this is one of the reasons that many companies are electing to run terminal servers - you stick your servers in a physically secured room.
ANY computer/OS can be compromised (encrypted file systems notwithstanding) if you have local access and a bunch of tools. With the possible exception of Z/OS et al, although I can't think of a Z server that isn't in a highly secured data centre.
Nothing to see here, move along please...
As an original source of this article, I'd like to point out a few things:
- there are millions of installation DVDs available; even a typical end user can now misuse one. You don't have to use Google to find suitable software, download it (and/or the included trojan) and learn how to use it
- as mentioned, you can use WinPE to boot into cmd even without any mouse clicks, but a typical end user doesn't know what terms like WAIK, WinPE, ISO-disk etc. mean. Also, Shift + F10 in Vista setup - plenty to choose from.
- the only *real* solution is of course HD encryption / tight physical security, but why are there so many computers without encryption? Why are there so few TPM-ready desktops available? Who would like to save certificates onto a USB memory? Why does Windows Server 2008 include BitLocker in every version but not Vista Business, for example? Encryption isn't that easy.
====
Of course this was not news for security professionals, but it is news for ordinary, non-security IT professionals and end users. They don't understand how easy it is to crack into the system where they save their confidential information, and now it's even a little bit easier, thanks to this installation DVD.
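The thread keeps returning to two controls against boot-media access, full-volume encryption and a TPM, while noting that nobody knows whether their own box has them. The following is an added example, not code from the thread or any commenter: a defender's audit of those settings on a modern Windows machine. It assumes the BitLocker and TrustedPlatformModule PowerShell modules are available and an elevated session.

```powershell
# Added example (not from the thread): check the OS volume for the
# protections the commenters name against offline/boot-media access.
# Assumes Windows 8 / Server 2012 or later, BitLocker and
# TrustedPlatformModule modules present, elevated PowerShell session.

$findings = @()

# 1. Full-volume encryption. An unencrypted NTFS volume is readable by
#    any OS booted from install media, regardless of the ACLs on it.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "OS volume $($os.MountPoint) is not fully protected by BitLocker " +
                 "(ProtectionStatus=$($os.ProtectionStatus), VolumeStatus=$($os.VolumeStatus))."
}

# 2. What unlocks it. A TPM-only protector releases the key only when the
#    installed OS boots (other media changes the measured boot state), but a
#    PIN adds pre-boot authentication on top of that.
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
    $findings += "No pre-boot PIN on the OS volume (protectors: $($types -join ', '))."
}
# The repair-shop comment above is the reason to insist on an escrowed recovery password.
if ($types -notcontains 'RecoveryPassword') {
    $findings += "No recovery password protector; a dead motherboard would mean lost data."
}

# 3. TPM availability; without it BitLocker falls back to password/USB-key protectors.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))."
}

if ($findings.Count -eq 0) {
    Write-Host "OK: OS volume fully encrypted with TPM+PIN, recovery password escrowed, TPM ready."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
# Firmware boot-order locks and setup passwords are not visible from Windows;
# those have to be verified in the firmware setup screen itself.
Write-Host "Reminder: confirm boot-from-removable-media is disabled and the firmware is password protected."
```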
Oh come on chaps - this 'nothing to see here' attitude really won't do.
This is a wondrous opportunity for a bunch of us to slag MS, and big up other systems on which the issue is virtually identical, have MS fanchaps come back pointing this out, and then gradually drift away from rational discourse into 'my memory chip is bigger than yours, and anyway you've got a bad BIOS' territory.
I've never seen a flamewar on el Reg, and with fodder like this being ignored I think I may never do so. At this rate I'm going to head back to slashdot for my tech 'news'.
You should all be ashamed of your rational sensible viewpoints on this matter.
Thank the maker! This Admin-Pass work around CD is going to feel sooo goood!
Seriously, I cannot count the number of times I have had to work on a client's computer (private sector PC repair) and they have no idea what their password is. Usually I take out their hard drive and mount it in the test box at work, but this is the same difference. BitLocker scares me from a repair point of view. Once the TPM is commonplace, how many people will enable full disk encryption without realizing they have just made restoring data from a hosed system (especially if the MoBo is fried via a surge) very costly and difficult? I am glad the option is lacking on most Vista installs, at least until the common user understands just what they are getting themselves into.
Physical access to any bit of kit allows you to follow the manufacturer's repair instructions.
If it was remotely exploitable then it might be interesting, but so what if with the install CD you can access the HDD as root; it would make installing/reinstalling a bit bloody difficult if it couldn't.
End of the day, if they've got physical access they don't need to hack, just bypass.
(Possibly one of the few things the CCNA course I did got right was to teach the dangers of physical access; any wonder it's a part of CCNA 1 to recover and reset passwords from Cisco routers?)
I found a Windows NT 4.0 SP6 PDC/fileserver at a customer site the other day, and no one knew any of the passwords to it (sigh...), so grabbing at straws, I clicked on usrmgr.exe (I have them on my keychain/USB) using a WinXP Media Center PC on the same LAN... not only was I able to select and view the users on its domain **without being authenticated**, but I was able to reset the administrator account password as well.
When someone mentions Windows and security in the same breath or paragraph, it's because they are telling a joke.
"If someone broke into my house I seriously doubt they'd come armed with a Windows Vista DVD"
This one made me laugh out loud... seeing how we have the "equipped with intent to steal" law here in England, do you think we can now be arrested for carrying a Vista install DVD around?
I'm having mental images of geeks getting arrested at gunpoint for carrying their CD wallets...
I agree that this is pretty much a non-issue - physical access to a machine means it is compromised; that's why business systems are (should be) physically secured.
However, this article does highlight the need for people to safeguard their personal data. If burglar Bill nicks your home PC, then he has access to any personal info on it. Perhaps you have bank account details stored in saved emails, login IDs and passwords, portfolio details, whatever. Even if not, would you like him looking thru your holiday pics or saucy pics of your missus - you know that's why you got that digital camera really ;)
Virtual encrypted disk software is readily available for all platforms for free - eg: Truecrypt, and probably others. USE IT PEOPLE!
Also, back up your data - DVD burners are cheap too!
Thus, if you're unfortunate enough to have your PC stolen, you don't need to worry about your data being accessed, and can buy a new one and put it all back.
Every OS has this feature. I love to bash Microsoft when they deserve it, but this is just getting silly.
OSX, BSD, Linux all have this same feature. If somebody can gain physical access to your server then you're in trouble anyway, as it would be far easier for them to switch it off or just steal the hard disk or take a sledgehammer to the server; being able to log on as root is the least of your worries.
Well, if they've got local access, what is a crook likely to do - hack into my computer, or just take it? Why bother getting all clever with an install DVD, when you can just take it away and examine it at your leisure - assuming you even want the data on it?
If there is sensitive data on the drive, then you need to keep the computer in a secure location anyway. If it isn't physically secure, a burglar with an install DVD is the least of your troubles.
BTW, this "exploit" is possible with all manner of OS's, including Linux. I don't see what the problem is, nor why this is considered an exploit.
Indeed, if you boot a Solaris install disk in single-user mode it'll also give you root access without a password. In fact this is the official way to recover lost root passwords. Likewise, Linux too can be booted with a kernel parameter that gives you a root shell with no password required. You don't even need a CD on many boxes, I don't recall anyone making a big fuss over that.
Besides, if an attacker has physical access to the machine, all bets are off anyway. That's not really Microsoft's fault.
Shame on you for falling for this one, John.
Biting the hand that feeds IT © 1998–2022