The easy way to fix this:
NEVER give users Administrative rights on a machine. Problem solved, of course the home lusers will complain that their programs won't install, etc. etc.
White hat hackers have created a proof of concept demo illustrating how improved User Account Control (UAC) features in Windows 7 might be completely bypassed. The new Win7 UAC code-injection bypass can be used to elevate the rights of any command so that actions, even extreme steps such as thrashing a system, become an option …
"UAC was introduced in Windows Vista as a security feature designed to prompt users for permission before allowing applications to run. Criticised as intrusive and annoying by some, Microsoft is working on a revamped version with increased granularity for Windows 7".
Great. So the great ignorant unwashed contribute to the never-ending onslaught of attacks by convincing Redmond that it's good marketing to listen to the sub-prime IQ Windows users.
MS has ~85% share for Chrissakes. Use the muscle and dictate that "WE, MS, will instigate a War on E-Vermin, and you cannot bypass this UAC."
I am so glad that Phreaky has gone away, as I can now, possibly, state that any platform other than Windows is the way to go. For now.
BTW WTF is "increased granularity"?
Shame the POC comes after MS already confirmed they will be addressing this issue with changes to the UAC prompting.
http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx
To save people time, the relevant paragraph:
"With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation."
So there you have it. A security issue that no longer exists. Let's move on to more important matters, like where the hell is my starcraft 2.
"the user should never run code, which they don't trust in the first place"
Oh yeah? Try to tell that to the millions of Windows users who routinely install software from dodgy sites or double-click on that nice .ppt file they received via email. Not to mention trusted sources that could be compromised of course.
So someone managed to use a vulnerability in beta software that is already slated to be fixed.
Except they didn't, because they had already installed a trojan which would have to bypass UAC by the usual social engineering techniques.
Move along nothing new to see here.
"Thomas Kristensen, CTO at security notification firm Secunia, explained "This isn't a major issue; after all it requires that the user already downloaded some executable code and decided to run it. No matter which security features have been built into the operating system, then the user should never run code, which they don't trust in the first place. Untrusted code should only be run on dedicated test systems." "
This type of apologism is ridiculous coming from a supposed security professional. Then what the hell is the point of UAC anyway? The whole point is so that users can't run malicious code and destroy their system. There's no such thing as "trusted code." Even if you get your binaries from a trusted source there's no guarantee that they haven't been altered by a third party. The privileges system on *nix does the job brilliantly (as evidenced by the lack of malware). If you want to root a *nix box you need to find a privilege escalation vulnerability (which is generally patched pretty quickly). You can't just bypass the whole system and do whatever you want. Why can't Microsoft make it work?
Does this vulnerability require the user to be logged in as an admin? If it does then it just bypasses the extra baggage of running as admin on Vista. There's really no reason to prompt for permission on an admin account as the user should only be logged in as admin to perform administrative tasks in the first place.
Nice to know the boys in Redmond take security as seriously as they always have.
Incidentally, I've noticed MS have ceased to show the OS name during startup. Whilst this is quite understandable from a credibility standpoint, I feel that malware and virus writers are missing an important opportunity to have "Pwned" displayed in big letters across the splash screen (and maybe altering the "progress bar" into an ejaculating cartoon cock)
The average user would never just click ok to a yes/no/ok/cancel box when almost every program they use or install requires such an action to proceed to what they really want to do. And when they are presented with such boxes throughout the day, they would never get sick of them and just start clicking ok/yes just to proceed after noticing that 90% of the warnings are related to their own modifications to the system. Therefore, they would NEVER accidentally click OK/YES to a box that looks like a harmless door to their next task out of habit.
Welcome to opposite land, where human conditioning and apparent common sense doesn't apply, and every computer user is an experienced IT user.
Having worked in phone support for the past 4 years and having taken hundreds of calls from all kinds of users from all levels of experience, I can say that all across the IT experience board, people have made the mistake at least once, of clicking OK/YES to a box that appears to be just an annoyance box when only 10% (which is probably a high estimate) of them actually regard a true threat.
It's like testing a mouse in a cage with a red button that dispenses food, and after clicking it 1,350 times the next click fries it to death, then the scientists say, "Well, the mouse should have known of the potential risk."
The major reason, and this is my theory, that most IT professionals haven't fallen for this trap themselves is that they are like me, they still use XP Pro, or they are just embarrassed and lie (which happens a LOT, as you can tell most sites that help people get rid of these things after they get on the system are usually used by IT savvy users as those sites are the kind of sites that scare average users as soon as they see how horribly they are designed). Vista's UAC is a joke, and most of these arguments about it do not get to the point that technology cannot beat social engineering tactics, at least, not yet.
In my experience, if you haven't formatted and started from scratch at least once a year with any version of Windows to date, you can almost assume you have at least one backdoor/downloader hidden somewhere on your system that only one out of every 10 scanners you use could ever find. I haven't seen any evidence that Vista is any different, or that Windows 7 will actually improve on that without a full rewrite. Or they can just go the Mac OS route and modify a version of Unix for themselves and leave it at that, and save everyone the grief of all these blame games. Until Windows only does what the user tells it to, and not random things in the background whenever it feels like it so that real threats go unnoticed because most people will just assume Windows is just doing its thing, this will not change as far as I see it.
But what the hell do I know?
I'm not shocked and horrified: Win7 is new, it's been betaed to find cracks, cracks found and probably will be fixed and others found later. That's why I 'like' Win XP: most of the cracks have been filled. I didn't like it to start with because it gave me hassle, but that was all those service releases ago.
And now I don't want to move to Vista or Win7 unless I discover they let me do things I couldn't do before, like (uhhh), well, like (emmm) you know, like, well, stuff.
"Thomas Kristensen, CTO at security notification firm Secunia, explained 'This isn't a major issue; after all it requires that the user already downloaded some executable code and decided to run it.'"
Is that really what it means? Or does it mean that the machine must already be running some executable code? There's a world of difference between "the user downloaded, and the system is running, the xyz.exe executable" and "the system is running the xyz.exe executable". For those who don't see the difference, let me spell it out -- a vulnerability in any application can give attackers at least user-level access to a system. If you haven't updated your Adobe Reader, your system could be compromised just by viewing a specially-crafted PDF file. Through that compromise, an attacker (now having user-level access to your system) can download an executable file and run it.
So unless the computer can somehow tell the difference between "the meatsack in the chair downloaded this executable file" and "an exploit downloaded this executable file", this *IS* a major issue.
speaking of his good lady said: "next on Mastermind, Sybil Fawlty; specialist subject: the bleeding obvious".
Thomas K. of Secunia said: "This isn't a major issue; after all it requires that the user already downloaded some executable code and decided to run it. No matter which security features have been built into the operating system, then the user should never run code, which they don't trust in the first place. Untrusted code should only be run on dedicated test systems."
And there was me wondering how virii got on MS machines.
"This isn't a major issue; after all it requires that the user already downloaded some executable code and decided to run it. No matter which security features have been built into the operating system, then the user should never run code, which they don't trust in the first place. Untrusted code should only be run on dedicated test systems."
Oh dear. If people didn't do this, what would the purpose of UAC be in the first place? I can only assume that Thomas & Co. at Secunia have a stake in UAC. What idiots.
Despite the fact that anyone who follows MS news in the most casual manner knew that MS was going to fix this exploit a week ago, most of these comments still show the sort of Daily Mail outrage that's used as an excuse for discourse in this country.
Reg-readers, I'm disappointed in you. True, MS tried to defend its idea at first, but rapidly abandoned that and issued the pledge to change UAC-prompting hours after the initial attempt to defend it. MS's ability to change direction on this in a very short time-frame is exemplary and exhibits a commitment that very few other companies would have the courage to take.
But still, we have clueless MS-bashers weighing in with their ignorant opinions. I'm disgusted. And John Leyden, if you want to be a reporter, you should try, uh, reading the news from time-to-time. (God alone knows how this got past whatever passes for editorial control at El Reg.)
Great. UAC. Yet another bloody "do you trust this" application barrier I have to turn off. Every single fucking step from NT4 is designed to raise my blood pressure; if there's an SKU out there with a big red "I know what I'm fucking doing, leave me the hell alone" button, I'll take that one.
I'm sick to death of spending hours sorting Admin-user access levels, firewall exceptions, program permissions, whitelists, blacklists, program priorities and fucking antivirus autochecks.
Yes. I'm sure. Yes, I want to download this. No, I know Microsoft hasn't WHQL'd this exe. Yes, I know, a file has changed. No, it's not a virus. Yes, I realise your crappy heuristics has it flagged, _fuck you_, McAfee/Norton/Kaspersky. I am sick and tired of my machine second guessing everything I do 'for my own good'.
I'm not a genius, or some MCSE/Cisco supernerd. I'm not even a codemonkey, I'm just a guy who's owned computers since cases had a 'turbo' button on the front, and when I feel fed up and patronised by this crap, I can't help but wonder what people in the industry do; Ubuntu and SuSE?
MICROSOFT HAVE NOT SAID THEY WILL FIX *THIS* EXPLOIT. You're all thinking of the other two. Microsoft haven't even responded to this exploit yet (in any meaningful way).
RE: Too late (Mike Kamermans)
The issue was published *after* the E7 blog post you quoted. MS haven't responded to this issue yet.
You'd know this if you bothered to read my web page instead of assuming that any post on the web saying any issue was fixed applied to every possible issue. :-)
RE: Why? (AC)
"Hasn't this guy just wasted his time? Since Win7 is Beta, MS have said they aren't too fussy about patching the Beta, but have said they'll change this for the final."
MS's talk of patching was about two different issues, both of which are easier to patch than this one. Also, they were not going to patch the other two until a lot of fuss was made over them. MS are also traditionally very slow/reluctant to fix things this late in the cycle and there won't be another beta.
And since it's a beta, now is exactly the time to test it and provide feedback, which is what I've done.
RE: Most pointless proof of concept ever.
"Except they didn't, because they had already installed a trojan which would have to bypass UAC by the usual social engineering techniques."
Except nothing was installed beyond an EXE being copied to the desktop. UAC was not bypassed at all until the program itself bypassed it. All things explained in the video and on the webpage that you didn't bother to view properly before commenting. Well done!
All of this is just another bandaid on a bandaid on a bandaid, layers and layers thick.
If CALC can be exploited in this way then it points immediately to an underlying failure in the interior program connectedness within Windows itself.
Fixing the problem (and not putting a bandaid over the symptoms) means reordering the connections between the applications. This will undoubtedly break compatibility though, and that directs the failure to the people who implemented the connections in the first place.
You know, kinda like thinking - Gee Wow, why don't we have third party applications be executed as soon as I roll the mouse pointer over an icon.
Bullet to the head. Death is immediate.
The day I discovered it was possible to *completely disable* UAC from win2k8, I was at last able to appreciate the new OS.
Clearly it has very interesting features that were not available in win2k3 ( iis7, posix shell, .. ) but for me the UAC wasted it completely.
I think most people should disable UAC on Vista or Windows7. I bet they would be actually more secure because they would not have a false feeling of protection because of the continuous interruption.
Is there any statistics suggesting UAC reduces virus infection?
"But still, we have clueless MS-bashers weighing in with their ignorant opinions. I'm disgusted."
Looking through the messages, comments can be broken down into one of 2 groups:
1. "you're too late, MS have said they'll fix it already" and
2. "Thomas says 'Untrusted code should only be run on dedicated test systems.'"
Where's the MS bashers?
Did any of you morons actually read the article? This has NOTHING to do with the previous UAC turn-off flaw that MS have said they are going to fix. Even if that is fixed, this flaw will still be a major problem because it renders UAC completely irrelevant with the default settings.
And to people saying that it's not a vulnerability because users will still have to be tricked into downloading software and running it... umm... duhhhhh... like that's never happened before?
"There's really no reason to prompt for permission on an admin account as the user should only be logged in as admin to perform administrative tasks in the first place."
Yes, there is. That's how things work in your ideal techo-heaven, but in reality people will use admin accounts and you have to acknowledge that in your security design. Windows 7, Vista, and OS X all make the default user an admin.
Not all of us fell in lust with Halo and believe MS have a clue because we don't, because some of us do. After working with Windows almost exclusively since Windows for Workgroups was running on DOS, I'd like to think that I'm not just full of hot air.
SO what is your excuse Charles??
Maybe if Windows could get me off, I might be on the same page as you, but it always leaves me disappointed after hearing all the hype.
Maybe if you could have a point to your argument based on evidence and logic, instead of just being insulting, people like me would be able to shut up because we would have nothing to say.
If MS hadn't strong armed all of the software development companies through the 80's and 90's to only write programs for Windows, I wouldn't even give a crap, but since I have to suffer through using windows, then I feel like I have a right to complain.
By Toby Richards Posted Friday 13th February 2009 21:36 GMT
Why does MS have to constantly re-invent the wheel? Nobody is screaming about sudo flaws. Why even invent UAC?
By Snert Lee Posted Friday 13th February 2009 21:43 GMT
All UAC pop ups do is train the user how to hit the button as fast as possible.
Me: posted now.
*That* is what's wrong with sudo. Malware that wants admin privileges just asks you to prefix your command with "sudo" and it's done. If Linux users were as dumb as Windows users, they'd be really fast at typing 's', 'u', 'd', 'o'.
Running with privilege should be hard. For some users, it should be so hard that they never figure out how to do it, and therefore get someone with a clue to maintain their computer for them. That's not elitist. It is how my car works.
UAC is a truly horrendous idea, because it defeats the point of a secure attention sequence and single sign on, which are the two main psychological barriers that prevent social engineering attacks. Such attacks dominate the threat landscape these days, precisely because nearly all the real security holes have been plugged. Adding UAC to Vista proved to me that Microsoft were *institutionally* incapable of producing secure software: even when given a reasonably secure system to start with, such as Cutler's NT, they work relentlessly to undermine it any way they can.
Mike Kamermans and others (AC17:24, AC17:38, Charles King) are under the impression that this bug has been fixed by the changes already proposed by MS to the behaviour of the UAC prompt.
That fixed the earlier bug. It does *not* fix this bug. None of you have RTFA'd the original source.
Let's take a look again at the quote so kindly provided for us by MK:
"First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation."
Now, if you had RTFAd, you would understand that this exploit does not involve the UAC control panel, nor changing the level of the UAC setting in any way whatsoever, and that is why the fixes already announced make absolutely no difference.
The bug we are talking about today involves using WriteProcessMemory and CreateRemoteThread to inject code into a running process of an MS signed executable. (MS has built special privileges into the OS for the benefit of its own applications, and they can launch elevated processes without UAC having any say in the matter). Once a non-privileged program has injected code into one of MS' specially-blessed processes, it can abuse that privilege to launch elevated processes.
This is a design flaw that MS could work around or fix in various ways (*), but the best idea would be simply NOT to give special exemptions from UAC to MS' own applications, which is blatantly an anti-competitive measure to allow their own software to work better and more smoothly than anyone else's software because only MS' software can avoid the user being constantly interrupted by UAC popups.
As for the so-called "security expert" who appears to have never heard of least privilege, restricted users, and the concept of privilege escalation as an exploit or vital component of a larger attack, I'm just ... WTF? Boggle me stupid. Still, he's a CxO, I guess he must be a PHB, not an engineer.
(*) - see, e.g. the use of registered exception handler regions in combination with ASLR to prevent injected, heap or stack-based-exploit code from intercepting the SEH chain. Return-into-libc style attacks might still be tricky to stop by this means, though, so removing the malfeature altogether makes by far the best sense.
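As an added defender-side illustration (not part of the thread or of Leo's write-up), the injection step described above leaves a trace that endpoint telemetry can catch: a remote thread being created in an auto-elevating process by an untrusted image. The Python below runs a hypothetical check over constructed, Sysmon-style CreateRemoteThread (Event ID 8) records; explorer.exe as a watched target comes from the thread, while the trusted source directories, the log format and the field names are assumptions for this example.

```python
"""Flag CreateRemoteThread events whose target is one of the auto-elevating
Windows binaries discussed in the thread and whose source is not a trusted
system image. The records are constructed and mimic Sysmon Event ID 8
key/value fields; this is a hypothetical detection, not a vendor rule."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Auto-elevating targets to watch. explorer.exe is named in the thread;
# any real list would be longer (assumption: extend as appropriate).
AUTO_ELEVATING = {"explorer.exe"}

# Directories from which remote-thread creation into those targets is
# treated as expected system behaviour (assumption for the example).
TRUSTED_SOURCE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class Alert:
    source: str
    target: str
    start_function: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=Value|Key=Value' record (constructed log format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_source(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_SOURCE_DIRS)


def check_event(ev: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert for a suspicious CreateRemoteThread record, else None."""
    if ev.get("EventID") != "8":
        return None
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if basename(tgt) not in AUTO_ELEVATING:
        return None
    if basename(src) == basename(tgt):
        return None  # a process creating threads in itself is normal
    if is_trusted_source(src):
        return None
    fn = ev.get("StartFunction", "")
    reason = "remote thread in auto-elevating process from untrusted image"
    # An empty StartModule means the thread starts in memory not backed by
    # a loaded module; LoadLibrary as the entry point is classic DLL injection.
    if fn in ("LoadLibraryA", "LoadLibraryW") or not ev.get("StartModule"):
        reason += " (LoadLibrary or unbacked start address)"
    return Alert(src, tgt, fn, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(check_event, map(parse_event, lines)) if a]


# Constructed sample records; paths are invented for the example.
SAMPLE_LOG = [
    "EventID=8|SourceImage=C:\\Users\\bob\\Desktop\\demo.exe|TargetImage=C:\\Windows\\explorer.exe|StartModule=|StartFunction=",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe|StartModule=ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=8|SourceImage=C:\\Windows\\explorer.exe|TargetImage=C:\\Windows\\explorer.exe|StartModule=|StartFunction=",
    "EventID=8|SourceImage=C:\\Users\\bob\\tool.exe|TargetImage=C:\\Users\\bob\\notepad-clone.exe|StartModule=|StartFunction=",
    "EventID=1|Image=C:\\Users\\bob\\Desktop\\demo.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT: {alert.source} -> {alert.target}: {alert.reason}")
```

Only the first constructed record is flagged: the csrss.exe record comes from a trusted directory, explorer.exe threading into itself is ignored, and the remaining records either target a non-watched binary or are not Event ID 8.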
Sorry to burst *your* bubble Rich Turner, but if you'd actually paid any attention to the videos, the article or the explanation linked from the videos you would know:
IT
DOES
NOT
USE
THE
RUNDLL
OR
SENDKEYS
FLAWS
YOU
IDIOT.
:-)
Sorry, but waiting for the reg to moderate comments all weekend while so much retarded crap was left here built up my frustration levels.
I'm also wondering how you managed to post that on Sunday when I put a large, caps message at the top of the video explaining it on Saturday morning.
Did you even look at the page before slopping your stupidity on the Internet?
Stephen Sherry is an irresponsible misanthropist.
As any fule noe - like our richers and betters - nobody buys or sells anything without being homo economicus, without knowing everything about the product, its manufacturer, the practices and prices of every outlet, and the maths to compare the relative utility of these products over their expected lifetime. That's Economics at its most fundamental - and why we have the most prosperous, most progressive, healthiest and most unbreakable economic system the world has ever known.
Also, why worry about "road deaths" - even the man in the road knows that they're accidents and an unavoidable part of our wonderful way of life. He also knows that more people die tying their shoelaces than in "accidents". The whingers and wet willies and moaning mingers should stop getting in the way of our (thankfully) admirable authorities and use the time and money saved to make our nation great again!
Everyone always does his best in this best of all possible worlds, and the bigger they are the better and brighter they are. Microsoft wouldn't be where they were if they'd listened to every WIMP trying to drag them down and the rest of us back into the stone ages. So let's just be 'umble for once, eh? and get off our high horses and face up to reality. A price has to be paid for excellence after all, and I'm not going to steal just cos everyone else is a thieving parasite.
(Paris cos she knows all about wet willies...)
Once a terminal has used sudo, it gets a free pass to use sudo for a while with no checks.
That makes the following scenario possible:
# sudo do_benign_thing
Get asked to enter password
# sudo do_nasty_thing
Don't get asked for password
Ultimately any system is only as good as trust. If you trust someone and they convince you to enter your password etc then you're screwed: Windows, Linux or whatever.
#sudo rm -rf /
I've never acquired any malware in a way that could be prevented by UAC.
My machine is patched and running antivirus and spyware checkers, I've got a firewall - moreover I know what an executable file is and how to assess the risk. I turned off UAC on my Vista box, coz I don't want two or three warnings every time I install software.
Of course, if Microsoft really wanted to secure things, they could move to the iPhone/XBox model - everything has to be tested and approved by Microsoft before it will run. I think that would create much wailing and complaint, though.
If you feel that way then you should be in the camp arguing for the UAC prompts to be removed completely.
(Note: Removing the prompts is not the same as turning off UAC completely. Apps still have to be written to use UAC and support the extremely useful over-the-shoulder elevation feature for non-admins. Apps also still have to segregate their admin and non-admin tasks with an encouragement to minimize the admin parts. All that's lost is the user notification/consent about switching to admin mode. Which is no loss when malware can bypass it with very little effort and the only things that will show it are the legitimate requests which the user will OK every time.)
Right now the problem is that Windows 7's UAC prompts provide very little protection. The solution could either be:
a) Make them more secure.
b) Get rid of them by making the default the "Elevate Without Prompting" mode that was already an option in Vista. (i.e. Admit that, as it is now, it doesn't work, is just security theater, and is unfairly inflicted on third-party apps to give the illusion of security when the hole isn't their fault and is actually the fault of the very things that are getting the free pass: Microsoft's apps which used UAC so badly that it irritated people so much on Vista. I go into this thinking in more detail and examples on my site.)
If you find UAC pointless then argue for B.
Personally, I find UAC useful. As one example, I keep my nightly backup files in a place that cannot be modified by non-admin processes. That way a normal process cannot easily take those out if it is taken over by a remote execution attack. Obviously there's still a chance that an admin process will be taken over in the same way but limiting it to only those processes reduces the risks. Crucially, things that access random places on the net such as web browsers and FTP clients are all non-admin.
(And before someone says, "Just don't go to dodgy websites," you should know from reading The Register that plenty of "safe" and legitimate websites have been hacked in the last year and made to serve up malicious content to their unsuspecting readers.)
An even better write-up by Leo. Quite right about building stuff in at the beginning, and not bolting it on after. Trouble is, look what they started with!
"..wonder what people in the industry do; ubuntu and SuSE?"
Both, and many others. One size does not fit all.
We try really hard (at work) to make things idiot proof (like Microsoft does). The trouble is humans keep coming up with better idiots.
Paul, while I am a massive Mac fan (indeed, I am typing this on one), Macs are just as vulnerable to user stupidity as Windows..
A lot of windows malware is distributed by people clicking on EXEs attached to emails, or on websites because the email or website tells them to.
Now, while, if you do that on a Mac, the application may well bring up a prompt to enter your password for admin access, but how many people are simply going to just enter their password because they are prompted to?
This system is, IMO, a lot better than anything Windows has (even UAC in Vista and 7), but it's not foolproof. Indeed, I know one person who has an irritating habit of enabling and logging in as root just to bypass these prompts. And yes, I have had a go at him.
Simply put, you can put the best security systems on the planet in place, but if a user is stupid enough to log in with admin privileges and run EXEs, that security is worthless.
Is the fault Redmond's for (finally) trying to bring in some level of security?
Or is the fault dumb developers who need admin rights to install/run their code?
In this case I say the latter. The amount of software that assumes you store stuff on C:, have access to C: or even have a C: is staggering. It's lazy programming and needs to be stamped out hard.
But Microsoft will give it a damn good go...
TBF the whole UAC exists because of stupid. So this issue relies on a dose of stupid. Therefore it is legit.
Now MS whitelisting apps is also stupid but 'might' just be for the Beta - so they work - then again it could be just an enormous dose of stupid.
Stupid [Developer] + [Catering for] Stupid [User] = Perfect Microsoft Product.
Personally I don't think it'll be long before MS virtualise the User space totally... And it probably wouldn't be a stupid idea either...
"Thomas Kristensen, CTO at security notification firm Secunia, explained "This isn't a major issue; after all it requires that the user already downloaded some executable code and decided to run it. No matter which security features have been built into the operating system, then the user should never run code, which they don't trust in the first place. Untrusted code should only be run on dedicated test systems.""
That appalling statement shows that today's world can turn any idiot into a CTO in security.
Repeat after me, young Thomas: "user is insecure, admin is secure, thus there's a very strong need of segregating between the 2. And it needs being done properly, FFS"
""UAC should only be considered an extra security feature, which will remind users that the code they run potentially could harm their systems - it is not meant as a guarantee against code's ability to harm a system," Secunia's Kristensen added."
No, the admin/user segregation is the vital key to security, not a mere option, and not some freaking marketing material !!!
As SO many others have pointed out, after that kind of bollocks, you no longer wonder why MS various OS have so many security problems. What a moron.
Charles Manning Posted above:
Once a terminal has used sudo, it gets a free pass to use sudo for a while with no checks.
True, but malware can't tell which processes have rights when, and therefore where to try injecting stuff. On win7, 70+ applications have permanent, unlimited, use-at-any-time free passes. Including explorer.exe, a very complex program which is easy to inject stuff into and which is almost certainly running all the time.