Windows 10
The gift that keeps on giving...
A skilled Microsoft bug hunter with a penchant for public disclosures via Twitter has openly floated a new Windows 10 zero-day flaw. The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs). It can be exploited by a malicious logged-in user or …
"The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs)..."
In case anyone else is curious:
"Advanced Local Procedure Calls (ALPCs) An advanced local procedure call (ALPC) is an interprocess communication facility for high-speed message passing. It is not directly available through the Windows API; it is an internal mechanism available only to Windows operating system components."
Apparently Windows 10's internal communications channels aren't as internal or private as they hoped. Kind of ironic isn't it?
an internal mechanism available only to Windows operating system components
This is meant in the sense "it's not documented and you're not supposed to look at it", not "there's some security boundary that prevents hoi polloi from invoking it".
You can find several explanations of ALPCs and how to call them online, such as this.
Well yes, but other OS's seem to get a slightly easier time of it than Windows.
I had a nasty bug in a grub update towards the start of the year that prevented a bunch of systems from booting*, but it never made it as far as the front page of elReg.
* (not technically data loss, except that these systems used LUKS encryption and recovering the data turned out to be a lot more complicated than running undelete on a Windows system.)
I've bricked my share of machines over the decades, from embedded video and MP3 players, and simpler time Z80 CP/M boxes to modern i7 based Ubuntu machines. I've even brought down a Control Data Cyber back in the day, and several Vaxen.
However, none of those compares with scrubbing user data at the vendor level. Microsoft has had bad rollouts before that have bricked huge swaths of the user base, at the cost of time and money. So have IBM, Dec, Apple, and many application vendors.
But deleting user data is a different story. And this was not as the result of a user operation, it was inflicted on users by the vendor. That alone makes Microsoft's cockup much worse, and singles them out for well-deserved scorn.
If Apple pushed out an update that locked every iPhone for 24 hours, it would be a disaster as well, but it they were able to return the phones to their previous state, it would be an "outtage". But for people with 80GB of user data, waking up to find that they only have 1GB of user data left, because an unrequested Microsoft update scrubbed 79GB of is an unparalleled screw up, and Microsoft well and truly deserves to have their noses rubbed in it for a decade to come.
And I say that as some who, while not exactly a cheerleader for Microsoft, has been referred to as an "apologist" because I happily ran a Windows Phone for several years.
Screwing up an update is one thing. Deleting user data is something else, and falls into the "you had one job" level of screwup.
Now, could it be that that bug hunter has "sources" at the NSA?
Also:
“Microsoft has a strong commitment to security and a demonstrated track record"
Okay ... "Microsoft has a strong commitment to cash flow and a demonstrated stuck record"
could it be that that bug hunter has "sources" at the NSA?
Assuming the "bug hunter" in question is SandboxEscaper: It's certainly possible, but hardly necessary. There was a HITB talk a couple years back about finding and fuzzing ALPCs. It's a well-known area for Windows security research in the hacker community. This is just a typical "Microsoft provided a service with elevated privileges and didn't establish the correct boundaries" bug.
But... but... but... Microsoft have been telling us for years that their latest OS is the fastest, best, most secure etc.?
I'm beginning to suspect that they derive their levels of fastness, bestness and most secureness something like this:
secLevel = abs (get_security_level ());
if (secLevel > previousWindowsSecLevel) printf ("Hey look, it's more secure!");
"That also likely means that Microsoft will opt not to issue an out-of-band update for the coding cockup, and wait until next month's Patch Tuesday to post a permanent fix for the vulnerability."
Have you not seen the updates for Windows10 recently? They are almost weekly not monthly!
A new patch for 1803 dropped yesterday, 1709 and 1607 were patched on the 18th these are all in addition to the "Monthly" patch that dropped on the 9th.
Ah, that's the other half of Augustus De Morgan's poem "Siphonaptera" that no one ever quotes. The entire thing is -
Big fleas have little fleas upon their backs to bite 'em,
And little fleas have lesser fleas, and so, ad infinitum.
And the great fleas, themselves, in turn, have greater fleas to go on;
While these again have greater still, and greater still, and so on.
Have a beer, likely there's no fleas in it.
New zero day flaw: 'It can be exploited by a malicious logged-in user or malware on an already infected computer' ...
Last December's RID hijacking: 'The technique requires a hacker to obtain administrative rights on a box, and can be used to assign admin rights to other users and guests.'
So to summarise both of these techniques rely on the attacker *already being an admin on the machine.* So the game is already up, the Visigoths are already inside the gates, and the attacker could install what they like and wreak all sorts of havoc without going to the trouble of mucking about with reg keys etc.
The 1809 update; that's a monumental cockup and MS deserve all the heat they're getting for that. This, not so much.
So to summarise both of these techniques rely on the attacker *already being an admin on the machine
Today's ALPC vulnerability does not require admin privileges. Technically it doesn't require local user, either; but in practice it probably requires that and the ability to create or download a program, since you're unlikely to find suitable gadgets in anything you can overflow and ROP.
The RID hijacking vulnerability does require elevation, but that's not the point. It's a concealment technique, not an elevation one: you can use it to grant administration-level access to any SID without adding that SID to the Administrators group or granting it additional system privileges.
This is not very complicated. You and your eight upvoters might try reading a bit before you dismiss these issues.
1. never surf the web logged in as an 'administrator' (group or otherwise)
2. never surf the web using a micro-shaft browser
3. avoid surfing the web from windows, if possible (especially windows 10)
4. use a white-listing script blocker such as 'noscript'
5. never read (especially preview) e-mails as HTML (or with inline attachments)
6. never just 'open' downloaded files. save to disk, first. Same with e-mail attachments.
7. Don't use the shell to open (i.e. double-clicking in a file browser). Use the correct application, and 'File Open'. (this avoids the problem of executable files hiding as something else via the extension)
etc.
yeah, THESE rules probably mitigate this particular 0-day, at least to SOME extent. That goes TRIPLE for the one about being an administrator. that was sorta mentioned in the bootnote...
Another update coming, my creaking and groaning machine will slow down even more. It already takes so long to boot that I not only get a cup of tea but lunch as well. My little take on trip laptop can manage 1 application at a time without running out of memory, is perpetually showing 100% processor use while doing no more than sitting idle with a browser open