Want to get around app whitelists by pretending to be Microsoft? Of course you can...

A sprinkle of code and an understanding of the Windows digital certificate process is all that's needed for a miscreant to sneak malware past Microsoft's application whitelist within a corporate environment. In a keynote address at the DerbyCon hacking conference in Kentucky, USA, on Friday, Matt Graeber, a security researcher …

  1. Anonymous Coward

    No, actually, can't say I've ever wanted people to think I'm Microsoft.

    1. Anonymous Coward

      Weird. I always thought you were Microsoft.

      1. John Gamble

        <voice="Kirk_Douglas">No, I am Microsoft</voice>

        1. LaeMing

          And so is my wife.

    2. This post has been deleted by a moderator

  2. streaky

    It's..

    a feature!


    1. robidy

      Re: It's..

      Hmm, I'd be more concerned that this was published as important but needs root/admin access to perform it. If a hacker has root/admin it's already game over.

      1. Anonymous Coward

        Re: It's..

        needs root/admin access to perform it

        And that is very difficult to achieve, isn't it? :)

        Asking Microsoft to be secure is like asking your local bakery to do your IT. Come to think of it, they may do a better job.

        With admin access you could just add your own signature, of course, but I guess that's the one thing $corporate will watch by way of simple host intrusion detection.

        1. Anonymous Coward

          Re: It's..

          Whilst with linux you don't even need admin access to be able to write to any file on the system. Just ask linux, he knew about the C.O.W. bug years ago, but couldn't be bothered to fix it.

          seems the local bakery isn't all that bad after all.

          1. Anonymous Coward

            Re: It's..

            Whilst with linux you don't even need admin access to be able to write to any file on the system. Just ask linux, he knew about the C.O.W. bug years ago, but couldn't be bothered to fix it.

            It would be nice if you put at least *some* effort into trolling, we have standards here. Honestly, even for Microsoft marketing standards this was pathetic.

            I give it a 0 out of 10, because of "asking linux".

    2. Adam 1

      Re: It's..

      Sorry, if evil Adam1 had admin rights then your cert store would find itself a new trusted root CA, bypassing the need to do any of the above.

  3. Anonymous Coward

    Bore off

    Bad things can happen once you have admin rights! Who knew?

    1. yoganmahew

      Re: Bore off

      Unless I'm mistaken (and I probably am, it is not my field), the attack vector is to get admin rights once (e.g. on install), and then build an identity that allows nefarious activities without asking again for admin rights. As everything asks for admin rights on install/update and everyone just clicks it (what else are you supposed to do?), admin rights are easily got at least once. As I say, YMMV...

      1. Adam 1

        Re: Bore off


        "However, we're told, there’s also CryptSIPVerifyIndirectData, which can be abused to green-light malicious applications with a counterfeit signature. The only thing you need are some coding tools and, oh yeah, admin privileges on the target computer."

        If you are not mistaken then Iain is.
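The thread keeps circling two points: the technique hinges on redirecting Windows' CryptSIPVerifyIndirectData (and related trust-provider) callbacks, and a defender with "simple host intrusion detection" would want to watch the place where that redirection lives. The following PowerShell audit is an added example, not code from the article or from Matt Graeber's research. It assumes the standard registry locations under which Windows registers SIP and trust-provider callbacks (the `CryptSIPDllVerifyIndirectData` and `Providers\Trust\FinalPolicy` keys, plus their WOW6432Node twins) and treats any callback DLL that lives outside System32, or is not signed by Microsoft, as worth a look. The function name `Get-SipCallbackAudit` is mine.

```powershell
# Added example (not from the article or from the research it reports on).
# Enumerate the registry entries Windows consults to find the DLL and function
# that implement SIP / trust-provider callbacks, and flag anything that does not
# resolve to a Microsoft-signed DLL under System32. Key paths are the standard
# registration locations; the "suspicious" criteria are this example's assumption.

function Get-SipCallbackAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy'
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        Get-ChildItem -LiteralPath $key | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath

            # SIP entries store 'Dll' / 'FuncName'; trust-provider entries store '$DLL' / '$Function'.
            $dll  = if ($props.PSObject.Properties['Dll'])      { $props.Dll }      else { $props.'$DLL' }
            $func = if ($props.PSObject.Properties['FuncName']) { $props.FuncName } else { $props.'$Function' }
            if (-not $dll) { return }

            # A bare file name is resolved the way the loader would: relative to System32.
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $msSigned = $sig -and $sig.Status -eq 'Valid' -and
                        $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
            $inSystem32 = $path -like "$system32\*"

            [pscustomobject]@{
                Key        = $key
                Guid       = $_.PSChildName
                Dll        = $path
                Function   = $func
                Exists     = Test-Path -LiteralPath $path
                MsSigned   = [bool]$msSigned
                Suspicious = (-not $inSystem32) -or (-not $msSigned)
            }
        }
    }
}

# Run it and show only the entries that fail the checks.
Get-SipCallbackAudit | Where-Object Suspicious | Format-Table -AutoSize
```

One caveat that follows directly from the attack itself: if a SIP callback has already been hijacked on the box you are auditing, `Get-AuthenticodeSignature` on that same box is calling into the hijacked code path, so the `MsSigned` column can be lied to. The path check and the list of DLL/function pairs are the reliable part; diff them against the same output from a known-good build, or read the hive offline, rather than trusting the live signature verdict alone.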

    2. freecode99

      Re: Bore off

      David Allan Coe wants his picture back. He may be a scruffy mutt, but he'll let you know how he feels about that job.

  4. asdfasdfasdfasdf

    Wow... an administrator can...

    Replace system DLLs and Registry keys? In an absurdly complex scheme to mess up signature validation?

    Who knew?

    Or they could install their own trusted root certificate, but that wouldn’t fill up 15 pages of pdf.

    1. phuzz Silver badge

      Re: Wow... an administrator can...

      Windows security privileges can be quite fine grained, so it's possible a user might have enough privileges to perform this attack, but not enough to install a certificate, or disable whitelisting, etc.

      On the other hand 99% of Windows users have full admin rights because that was easier than working out exactly what each class of user should have access to and tailoring it accordingly, so your point still stands.

  5. RobinCM


    A different type of whitelisting, but works well enough to stop people (non-admins) running stuff you've not approved.

    Except it now doesn't block PowerShell, and worse, lies and tells you it has in the event log. Disappointing.

  6. Jonathan 27


    If you have admin access, you can disable code signing checks. So it's not that big a deal, if you could do it without a privileges escalation attack first, that would be pretty novel.

  7. RyokuMas


    There's a way round Microsoft's app security process? I guess they're just copying Google again...
