Confidence
"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."
That’s what you think...
Software buried in Windows since the days of WinXP can be abused to take complete control of a PC with the help of good ol' Notepad and some crafty code. On Tuesday, ace bug-hunter Tavis Ormandy, of Google Project Zero, detailed how a component of the operating system's Text Services Framework, which manages keyboard layouts …
Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of Windows. Of course the NSA has source code access along with several other three letter agencies. Funny they didn't mention it.
Of course looking at XP era material with a code profiler is like looking at a Vegas motel room under a strong blacklight. Some things cannot be unseen.
> Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of Windows
Yes. Such as Microsoft's own static-analysis scanner, which is a near-state-of-the-art hybrid of simulated execution and symbolic analysis. (There was a good paper on it from Microsoft Research in CACM a few years back.) Data tainting and data flow analysis find this sort of thing easily in cases like this, where, as Ormandy wrote, there's simply no validation.
They have the technology. They have the resources. They just don't have the will.
why should they check their OWN code for vulnerabilities? They have the CUSTOMERS as BETA TESTERS now!!!
> what a massive challenge that complexity presents Microsoft's engineers from a security standpoint.
Not THAT massive. Back in the mid-2000s they should have done THIS instead of Vista:
a) audit every line of code using their massive programming staff, instead of "re-re-inventing" windows [with the exception of the vulnerable parts]
b) NOT re-re-invent it for Windows "Ape" (8) nor Win-10-nic, but INSTEAD audit the HELL out of EVERYTHING, looking for basic vulnerabilities.
You have to think like a thief, applying crowbars, hammers, and chemicals to locks. You can't "just assume" anything about marshalling. You have to check EVERY buffer length, even for trivial stuff.
strcpy(buffer, "string"); - no!
strncpy(buffer, "string", sizeof(buffer) - 1); buffer[sizeof(buffer) - 1] = '\0'; <-- better (strncpy alone does not guarantee the terminator)
(you never know whether or not a buffer overflow might cause that static string pointer to be altered)
that being said MICROSHAFT WASTED A DECADE AND A HALF of WALL TIME to re-re-re-re-invent windows into the PILE OF CRAP it is today!
And oh, they left some serious OLD vulnerabilities in it, too... from a time when they wanted EVERYTHING insecurely interacting with EVERYTHING, and wanted ActiveX to be a MAJOR part of web pages! Pretty clueless, yeah.
icon, because, facepalm
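The bounded-copy point above, carried through in C as an added example (not the commenter's code): the plain strncpy form stops the overwrite but leaves no terminator when the source is too long, whereas a copy that reserves the last byte always terminates and lets the caller detect truncation. Function names (strncpy_copy, bounded_copy, is_terminated) and the sample strings are made up for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true if the first n bytes of s contain a NUL terminator. */
bool is_terminated(const char *s, size_t n)
{
    return memchr(s, '\0', n) != NULL;
}

/* The "better" form from the comment: strncpy never writes past dstsz bytes,
 * so the overflow is gone, but when src does not fit it fills every byte of
 * dst with no terminator, and a later strlen()/printf("%s") walks off the
 * end of the buffer. Returns whether dst ended up terminated. */
bool strncpy_copy(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return is_terminated(dst, dstsz);
}

/* Bounded copy that always leaves dst NUL-terminated (dstsz > 0).
 * Returns strlen(src), following the strlcpy convention, so the caller
 * detects truncation with: bounded_copy(...) >= dstsz. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

int main(void)
{
    char buf[8];                          /* constructed fixed-size buffer */

    memset(buf, 'X', sizeof buf);         /* pre-fill so a missing NUL shows */
    printf("strncpy, fits:     terminated=%d\n",
           strncpy_copy(buf, sizeof buf, "string"));
    memset(buf, 'X', sizeof buf);
    printf("strncpy, too long: terminated=%d\n",
           strncpy_copy(buf, sizeof buf, "overlong input"));

    size_t need = bounded_copy(buf, sizeof buf, "overlong input");
    printf("bounded_copy:      \"%s\" truncated=%d\n", buf, need >= sizeof buf);
    return 0;
}
```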
Long before Mac OSX became a thing, I used to say that MS should grab FreeBSD, and rewrite windows as a GUI, and include a compatibility layer for win32 stuff.
Of course, Gates being the "shove the OS into the GUI" kind of guy, they went the NT route instead, then Mac OSX more or less did it instead.
not without using a browser exploit first anyway
Well, problem solved! Or not. (Of course, with many users running browsers with elevated privileges in the first place, once that browser exploit is available there's no need to elevate.)
In any case, this "the attacker has to be able to run unprivileged code first" mitigation is not nearly as useful as some people seem to think. It provides no defense against insider attacks. It provides none against social engineering. Against malware in the software supply chain. And so on.
Not at all. Google want you to use its Web or Cloud applications instead, which is why there is no native Calendar app, and only a basic Contacts application shipped with Android. Phone makers often add their own, but they are very rarely compatible with those supplied by the other phone makers.
(Using the Web based apps also ensures that you keep data services on so that your device is track-able, as well)
I look back at the baked in set of applications that used to be in PalmOS with a great deal of fondness. Always there, always work the same, always compatible with the last PalmOS device you owned.
Modern Android BlackBerries come with a decent set of things, far better than Google imho. Always there, very compatible with Exchange, IMAP etc. You can pay for them on any other Androids too.
Whether I'm doing science, engineering or business, I've found my breadcrumb trails invaluable at keeping track of the various avenues I've pursued. Forgetting is not desirable, especially in cases where lives are involved. Not true for most, though. That it often saves time and money.... So, saving my scribbles is ... nice.
Aside: to the "send myself an email" suggestion, no way am I sharing. Hell, good luck Google, et al., getting a look at my device, even.
If you're involved in safety critical areas and yet have a memory so bad you have to write yourself post-it style notes then please tell us what these areas are so we can avoid anything you've been involved in. Either write proper documentation or don't bother with the task at all.
The thing is, Notepad was just used as a demo. The flaw isn't in Notepad itself, but what it must connect to on the inside to function. Windows is full of cruft and is more like an old building with many little empty spaces in it - a fire hazard. The "new and improved" Windows has brought forward much of the "old and fscking" Windows. I wouldn't be surprised to see things from Windows 95 in there.
Whereas given the amount of things Emacs *can* do (#), you'd not only be surprised if it *couldn't* be used for an exploit, you'd expect it to already include an in-built exploit mode (alongside M-x kitchen-sink-simulator).
(#) Its only major omission being a decent text editor. (Sorry, but as a vi user, that ancient joke is practically obligatory...:-) )
Did you not get any of the earlier registering memos on the meme*? ........ Words Create, Command and Control and Destroy Worlds ........ and that can easily be turned on and tuned in to terrifying in a whole myriad of consequential existential extremes.
And without them are you no more than dumb ignorant savages to be herded and entertained/employed and enjoyed as animals appropriate to the whims of SMARTR Connected Virtual Machines?
I insist it has been around through every version of Windows back to at least Win98; yet I keep getting told that is impossible.
Yeah right.
I propose El Reg has a competition; a full set of Vulture gear to the person who turns up the oldest code found in the latest Win10 build.
Us greybeards know how multitasking OSes actually work - by cycling through a message loop deep, deep, deep inside the actual silicon. At that level, the OS trusts - *has* to trust - that the queue of commands has been legitimately created.
It is possible to secure a message loop against hacking - by signing every message with the key of the process that inserted it. But we prefer performance to security.
It was probably there in Windows 1.0
I've made this comment thousands of times over the years, to no effect whatsoever in corporate policy, but Windows - even the latest version - is insecure by design. Because at the most fundamental level in its kernel, it still expects there to be one user. Which didn't make much sense in the 80s, as multi user systems were already up & running.
So 35 years on, and we've arrived at a situation where the safest way to contain Windows is in a VM somewhere that can't break out. The VM itself (of course) won't be running on Windows.
The NT kernel was designed to be, and is, multiuser, and has been used in Windows since NT (obv), and in all versions of Windows since 2000.
I can only imagine that your demands for corporate policy changes also include missives about the lack of CRT monitors and floppy drives.
(PS, a single user OS made sense in the 80s when the OS was designed for use on machines which could physically only be operated by one user at a time. Mac OS classic wasn't multiuser either)
Who said it wasn't?
The problem is that it still has to provide some thunking down to single-user mode in order to keep that precious compatibility with certain flagship apps.
IE being one of them.
At which point all bets are off, as the kernel can't validate what it's passing and has to hope it's what was intended.
It's deep. It's *very* deep. But it's there.
> when the OS was designed for use on machines which could physically only be operated by one user at a time
In the late 1970s I used, and programmed for, multiuser MP/M machines that were 8085 based with bank switching 256Kb memory with two or three serial terminals. I still have one of these here (but not switched on for many years). I also have a couple of multiuser Polymorphic 8813 64Kb machines from the mid 70s that had two or three monitors running off a multi-port video card.
There were many multiuser/multitasking OSes that ran on 8080, 8085, 8086 or 680x0 machines at the end of the 1970s. These even ran on the IBM PC/XT such as DRI's Concurrent-DOS that had one user on the monitor and two on serial terminals (preferably with an EEMS memory card).
> The NT kernel was designed to be, and is, multiuser,
It certainly was designed to be, but Bill had them remove this feature because he wanted to sell a copy of Windows NT to each and every user and not one copy to be shared by several. Citrix brought multiuser operation (concurrent) to OS/2 (again with serial terminals) and then to NT. MS had to obtain Citrix's code to make TSE (Terminal Server Edition) to make NT multiuser concurrently.
> It certainly was designed to be, but Bill had them remove this feature
Rubbish. Multiuser support may have been removed from userland in non-server versions of Windows, but it most definitely remains in the kernel. All NT versions support multiple WinStations, Sessions, and Desktops, and every thread has a security token which identifies what user account it's running as.
What Citrix added was userland support for making use of those multiple WinStations, Sessions, and Desktops. RDP does something similar, as does Fast User Switching.
While Windows (even the server versions) is not particularly good at supporting multiple simultaneous users - certainly not nearly as good as pretty much any other multiuser OS - that's not because some feature was removed from the kernel.
Remember GCHQ and other security organisations giving Windows Evaluated product status EAL ratings for the Military/Govt etc?
Well it seems every bloody text field was nickable, and probably not xor'ed out, letting it be hoovered up by something else. It's great news for the next Snowden or Assange or Manning. I doubt this has been patched everywhere and I doubt sensitive text boxes have not been wrapped up, by poorly written apps. IBM mainframe has memory keys and storage pools - so not nickable. I bet this breaks screen scraping and disability/Blind applications as well.
Every day there are new privilege escalation exploits being uncovered, whether in Windows, drivers, or third party applications. At this point I think it is fairly safe to say that if you have malicious code running on your Windows machine, it is already too late.
That is no excuse not to fix them of course, but it seems like wishful thinking to assume that they will ever all be discovered, let alone fixed.
As every day passes I become more disturbed by Microsoft's disregard for Quality Assurance in its culture and feel that it is heading for a reckoning that could destroy it and much of the world's economy with it.
To continue to develop new features while failing to deal with long-established flaws is reckless and offensive. It's time to treat Microsoft's licence terms as unfair and unenforceable and sue it for selling dangerously flawed products before it becomes too late.
Why would they care? It's not like they're losing clients on that. And they are not alone, just look at Facebook, Equifax, CapitalOne, a number of big banks and all others. I keep learning in security classes about loss of reputation but I fail to see it materializing in real life.
Especially since I literally just came across a fairly reputable and recentish Windows admin blog advising in great detail how to allow non-Domain Admins to log on to your DCs via RDP. I mean, FFS, if you don't know what RSAT tools are for, you shouldn't be running a domain.
So yeah, get some rando doing password resets on your DCs and enjoy the privilege escalation attacks right on the security source.
The article's stupidity was compounded by advising the use of group policy to add a nested group to the BUILTIN\Remote Desktop Users group so that the config would "apply to all DCs". If you don't know that the domain BUILTIN groups apply to all DCs anyway, see earlier remark about capability in running a domain.