So, let's summarise this...
Microsoft's main "contribution" to Linux is to make it less safe, at least when used on Microsoft platforms.
Is this the "Extinguish" phase?
Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft's Windows Subsystem for Linux (WSL) to install unwelcome payloads. On Thursday, Black Lotus Labs, the threat research group at networking biz Lumen Technologies, said it had …
Re-read the FA.
Microsoft's new "contribution" to Windows security is to make it less safe by increasing the size of the attack surface with a subsystem (WSL) that they don't understand.
It's not the Linux side of things that's vulnerable, it's the Windows API that it has access to.
Actually, this is dumb arse developers developing in an insecure environment (Windows/Linux does not matter). It is their laptop, which they use for all that other shit like web surfing, that is the attack vector. But feel free to blame Microsoft for your own inadequate security practices.
Regardless, the WSL should not allow Linux code (not just binaries ... I suspect one can access the same API with simple shell scripting) to access the Windows side of the house like that.
Note that the "dumb arse developer" you cite might be a curious kid at school in a computer class. Or a visitor to your Sooper Sekrit Lab "just checking their email real quick". Or any one of a zillion other ways that a potential miscreant might access the Linux side of WSL in a seemingly legitimate manner.
You don't even need Linux to do it. You can bypass all sorts of security restrictions enforced by the GUI by just using a CMD shell.
And while the CMD shell is old and most people don't use it anymore, you can do even more with PowerShell. In fact, it has a well-documented option to bypass execution policies:
And none of this stuff requires administrator access.
> Windows/Linux does not matter [ ... ]
Actually, it does. Very much so.
With WSL, Microsoft has found yet another spectacular way of fucking itself in public.
Blame developers, blame Linux, blame OEMs, just not Microsoft. It's never their fault.
They have become the joke of the software industry. To top that off, they don't appear to be remotely aware of it.
Here's an idea for a new Microsoft logo, free of charge: "Pure Crap Inside". Print it on the license key sticker.
It's Windows API(s?) allowing the Linux subsystem to access it all willy-nilly which is the problem.
Which begs the question of how to restrict the subsystem while still allowing it to do worthwhile things. The description in the article sounds more like the reason the embedded Linux bit in Windows was being used is that it is an unusual source of any behavior and thus likely to evade detection by existing anti-malware rather than that it does anything special.
Four years later, WSL-based malware has arrived.
Is ANYONE bloody $#%&= surprised?
Like I posted just five months ago:
Pirate Dave wrote: ... trusting Microsoft in anything Linux-related just seems like a Bad Idea.
It does not seem like a Bad Idea: it is a Bad Idea.
But it's not old-skool thinking or old anything for that matter.
After all the crap the IT world has seen from MS in the past 30+ years?
It is nothing but good old common sense.
The kind that comes from having learnt from experience plus the wisdom accrued from years of IT work.
And I'll quote myself:
"Anything 'Windows for Linux' is nothing but a cancer out to get at the Linux ecosystem from inside out.
But the writing has been on the wall for ages, only that the (intellectually) blind refuse to see it and find it all so convenient.
One day it will be too late."
And as you can gather, too late is slowly creeping upon us.
There's no way any of this MS rubbish is going near my Linux boxes.
That's really not true. WSL opens a lot of opportunities, I'd be surprised if this even affects WSL2, and privilege escalation is already an issue in other areas anyway.
And even if it was true, Linux just needs to get better on the desktop because currently it's horrible. Makes the two windows interfaces look almost consistent when you run a GTK next to a QT.
I've given up now after a decade of Linux desktop and gone to Mac (which also has irritating parts like missing keyboard shortcuts, but it's faster than Windows and better than Linux).
"And even if it was true, Linux just needs to get better on the desktop because currently it's horrible. Makes the two windows interfaces look almost consistent when you run a GTK next to a QT."
What the fuck does this have to do with the flaw reported on in the article?
Oh, never mind. You've been infected with whataboutitis. I'm sorry for you.
"I've given up now after a decade of Linux desktop and gone to Mac"
Good for you! Give yourself a big pat on the back, consumer.
But again, what the fuck does this have to do with the article?
"look almost consistent when you run a GTK next to a QT"
Wot? I have GTK theming in KDE. E.g. Evolution on my KDE Plasma desktop thingie has the same window widgets as the rest. The odd one out is Chromium, but that can have them if you want to lose a bit of vertical space.
I doubt that themes/widgets have anything whatsoever to do with your OS or platform choice.
Simply describing Linux as horrible is rather disingenuous - please feel free to expand on that statement. Your telly may boot Linux, do remember to swap it out for an iTV or whatever that is ...
Windows NT 3.5, 3.51 and 4.0 were certified POSIX compliant, per FIPS 151-2. This continued through Windows 2000.
Windows hasn't been certified POSIX compliant since 2003 server and XP. Note that word "certified". It's important.
Yes, the logic for POSIX compliance existed through Windows Services for UNIX (with a little help from MKS in a few places), which was removed in Windows 8 and Windows Server 2013. The logic was reinstated with the new WSL in Windows 10.
After Win2K, Windows native support of POSIX has been on again and off again, constantly changing, and all around confusing. It hasn't been worth using for around 20 years. IMO, it is a clusterfuck, at best.
Cygwin provides its own POSIX compliant services. Recommended, if you must run Windows.
Now that the blindly Microsoft hating Dunning-Kruger brigade has thundered through, perhaps a little more explanation is in order.
This does in fact rely on the original WSL, using the capability WSL had to execute a Linux ELF file like a PE executable. WSL (now back-named WSL1) was deprecated over a year ago, because it was just plain too ambitious to get entirely bug-free, and it was absolutely never intended to be anything but a development environment where you could test Linux and Windows software side-by-side on the same desktop. Developers being fairly finicky and hard to target is why WSL has existed since 2017 without being attacked, and the one attack that finally does show up is over a year too late to be meaningful. After all, the only way this works is if you trick your victim into downloading and executing it, presuming they even have the environment to do it. Using ELF is nothing more than a way to bypass antivirus scanners.
WSL2, on the other hand, is just a bog-standard virtual machine you turn on and off, and have to interface with entirely via mounts and virtual drivers. Everything described in the report on this requires being able to use Windows features while running ELF-structured code, which is straight up not possible on WSL2, except maybe via Wine. And then you're just attacking the VM, the exact same way any Linux box with Wine would be, not the host.
This would be an extraordinary discovery if it was a VM break and host APIs could be used on WSL2. As it is, it's a malware author that barked up a tree for a while hoping something would shake out of it, and then moved on. Meanwhile, all serious malware authors are aiming square at third-party suppliers with lax security for supply-chain attacks, now that Windows is too hard a target.
The so-called MS-hating Dunning-Kruger crowd are the people who have seen what MS has done to IT in all its monopolistic glory.
It's usually the people who did not 'enjoy' the time that MS screwed over Netscape first-hand, who think that MS is not that bad.
But sure, keep pretending that those people are in the Dunning-Kruger dip, while sitting there comfortably in ignorance yourself.
Now get off my lawn.
"MS are many things but the MS of 25-30 years ago they’re not."
This is true. The MS of 25~30 years ago had an extensive quality control team to try & prevent their software releases from buggering up everything & the kitchen sink. Sometimes they even succeeded & released a patch that did *not* break stuff. They also weren't as psychotic & dysfunctional WRT their user interface, widget location (like breaking Control Panel into fragments & hiding the bits willy nilly around the OS at random), & seemed to at least TRY to actually listen to their customers as far as issues were concerned. Now? No QC, no coherency, & absolutely not giving a fuck about what we might want, hyper focused on milking everyone for every last bloody red penny.
"Now that the blindly Microsoft hating Dunning-Kruger brigade has thundered through"
It ain't blind, dude, it's thirty five years experience with the clusterfuck called "Windows". It ain't hate, either, it's more along the lines of sheer bloody amazement that people still take the badly bloated and b0rken toy of an operating system seriously. My mind still boggles that corporate lawyers allow the thing into corporate computing ... have they not read the fine print in the end user agreement? Where it says (paraphrased) "We know it's broken, we don't care, use it at your own risk sucker!"
"Using ELF is nothing more than a way to bypass antivirus scanners."
And THAT, boys and girls, should tell you all you need to know about this dude's expertise on the subject.
"now that Windows is too hard a target."
"We know it's broken, we don't care, use it at your own risk sucker!"
If we're being fair (and I have absolutely no fondness for MS-Windows myself), don't pretty much all OSes have this sort of disclaimer? (Possibly some specialist real-time OSes might be an exception to this)
"don't pretty much all OSes have this sort of disclaimer?"
Consumer grade OSes, yes.
Professional OSes claim more along the lines of (again paraphrasing) "Our OS works as advertised, when used on certified hardware with certified applications. All other use is at your own risk."
Not just specialist real time kit, either. Most mainframe OSes are like this.
FOSS is, of course, its own world.
I'm pretty sure the Enterprise Edition of the Oracle database is not considered consumer grade. This is the EULA for the database.
And every other "Enterprise" grade vendor has a similar EULA.
ORACLE DOES NOT GUARANTEE THAT THE PROGRAMS WILL PERFORM ERROR-FREE OR UNINTERRUPTED OR THAT ORACLE WILL CORRECT ALL PROGRAM ERRORS. TO THE EXTENT PERMITTED BY LAW, THESE WARRANTIES ARE EXCLUSIVE AND THERE ARE NO OTHER EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
FOR ANY BREACH OF THE ABOVE WARRANTIES, YOUR EXCLUSIVE REMEDY, AND ORACLE’S ENTIRE LIABILITY, SHALL BE: (A) THE CORRECTION OF PROGRAM ERRORS THAT CAUSE BREACH OF THE WARRANTY, OR IF ORACLE CANNOT SUBSTANTIALLY CORRECT SUCH BREACH IN A COMMERCIALLY REASONABLE MANNER, YOU MAY END YOUR PROGRAM LICENSE AND RECOVER THE FEES PAID TO ORACLE FOR THE PROGRAM LICENSE.
Err, Microsoft and Windows has always been successful in the enterprise because of everything that it gets packaged with or plugs into it.
From an overall functionality view it is very difficult to make a case for alternatives.
Take Active Directory, why is it pretty much the universal directory and has been for years?
It does loads of stuff and provides convenient ways of managing huge estates without too much difficulty.
Add into that Exchange, then all the Azure AD with O365 and is it unassailable.
What are the real alternatives? The only one that had a hope was Novell eDirectory. It was better, the underlying NSS filesystem was better, in fact everything was better when you threw in GroupWise, but it struggled. Why? Because with Windows on the desktop and all the corporate applications developed for Windows you still needed AD. Okay, let's use the AD sync stuff (DirXML) at the time. It worked, it was fine, but I still needed two sets of licences. The solution: ditch OES & eDir because the future was Windows. However abusive people are about how rubbish Windows is (and I don't disagree), it is always going to win on the numbers game because of market penetration at corporate levels.
Abusive posts don't do anything to further the cause of Linux or make the case for Windows being bug-ridden. Heck, I am wrestling with a Windows Cluster/DNS feature that has been there since Server 2019 and possibly 2016 (we did not use that). The only answer the Bing Jockeys at MS Premier Support can give me is to create static entries with "Allow unauthenticated updates".
AD can be provided from Linux, Exchange is so dangerous it should not be allowed near any enterprise that values its security. But what is really noticeable is that that Linux "stuff" works on Open Standards and even interacts with MS products, whereas the opposite is never true and always requires some wedge to be installed to make it work. So Linux is more universal and adaptable, whereas with MS products and service you can have any colour, as long as it's black.
In addition, running MS required a lot more resources to keep it up and stable than Linux because it was never properly scaled up. Linux has an origin of big systems which has then been scaled down - but it hasn't lost its big systems roots.
Or do you think it's by accident that the really big boys such as Google and Zuck Enterprises run on Linux?
"Or do you think it's by accident that the really big boys such as Google and Zuck Enterprises run on Linux?"
To hell with go ogle & Zchmuck ... Every single one of the top 500 supercomputers on the planet run Linux. I guess it scales rather well, not just in raw compute power, but also in available talent and TCO.
> "Using ELF is nothing more than a way to bypass antivirus scanners."
> And THAT, boys and girls, should tell you all you need to know about this dude's expertise on the subject.
That's literally what the report linked in the article, written by the security engineers who exposed this bug, said about it. If you're impugning their expertise, in favor of yours, perhaps you have an alternate write-up about the guts of this vuln.
Whole comment section is just a bunch of people spouting off without even reading what they're commenting on.
And you, like them, clearly didn't think about it. Or didn't understand the concepts involved.
ELF wasn't used for any reason other than because it's the file format that Linux has been using as the default for executable files since 1995. It comes with it. The system both uses and expects it. The compiler builds files that way by default. It is ubiquitous within the universal Linux ecosystem.
ELF wasn't chosen by the miscreants for any particular reason ... it was merely accepted by default because to use an alternative, although quite possible, would require far more work than necessary. Especially for this kind of thing.
To say "Using ELF is nothing more than a way to bypass antivirus scanners." is attributing to intelligence that which is better explained by complacency, laziness and/or ignorance.
To say nothing of the fact that most (all?) modern AV products have no issue scanning ELF files, which makes the statement preposterous.
Most people using WSL will do so with a dist like Ubuntu, Debian or Fedora Core. They're not going to be installing or running random binaries so from that point alone the threat is quite low. And let's say they did do that and this binary was able to exploit their machine. How is that any worse than someone running an untrusted Windows binary?
How is that any worse than someone running an untrusted Windows binary?
Let me explain:
An untrusted Windows binary in Windows?
I don't give a rat's toss about that.
The Linux ecosystem has, by design, a thoroughly checked and validated software repositories system.
So it is highly unlikely or impossible that people using a dist like Ubuntu, Debian or Fedora Core (or any other for that matter) would be installing or running random binaries.
A bad .deb/.rpm, etc. would have to be both written and purposely uploaded to a repository.
And to have any success, a great many safeguards would have to fail at the same time, safeguards that we know from experience MS does not have.
WSL is the unchecked entry point for untrusted Windows binaries into Linux.
And that is an unforgivable mistake.
"WSL is the unchecked entry point for untrusted Windows binaries into Linux."
Other way around. One or more Windows APIs, in their infinite glory, allow binaries (probably even simple shell scripts) running on the Linux side of WSL to gain access to the "host" Windows system.
"So it is highly unlikely or impossible that people using a dist like Ubuntu, Debian or Fedora Core (or any other for that matter) would be installing or running random binaries."
No, with all of the Python stuff (libraries pulling in more libraries, command line options to install and compile packages...) and small Java programs that some people love so dearly, this is clearly not the case. For most standard software you are right, of course, but I do quite often encounter those helpful (yeah...) guides written by experts (ex = has been, spurt = little dribble (C) BOFH) that tell you to "simply install this from github using pip" or some such.
From an admin's perspective I see both as problematic, the reported flaw from the article and the users installing unwanted stuff. You can only lock down a machine so much, and educating users is a journey, and a long one. Educating users with academic degrees is yet another thing (and I include myself in that group), as we tend to think we are way too clever for anything bad happening to us (and so far I have been ok, but being aware of my shortcomings is helpful).
Oh, and depending what you are doing inside WSL, a breach there could be really bad, even without taking over the Windows part of the machine: just think about which systems you might access from there as a developer.
No, with all of the Python stuff (libraries pulling in more libraries, command line options ...
That is why admin privileges exist.
And they are called privileges for a reason.
If a user with admin privileges and an academic degree screws up by uploading/installing from outside the repositories, it is on their plate to suffer the consequences.
I've been there more than once, became more aware of my lack of knowledge but also learned quite a bit in the process.
But no, WSL (not depending on anything here) is not good for the Linux ecosystem.
That much I know.
The problem with languages like Python is that it is entirely possible to put a private installation of Python and its runtime and libraries into a location like your home directory, and have it run from there.
And what things like PyInstaller (which is not a true compiler) do is to create a canned interpreter runtime including all of the required libraries into a single entity that runs as if it was an ELF binary, with the source of the program that you want to run wrapped up in the binary. It's not difficult to do, and actually allows you to use a pretty secure Linux system as a platform to generate infected "binaries", even on systems which do not have any normal development tools in them.
This will be possible in pretty much any high function language interpreter, such as Java, Perl or any of the myriad of languages that will interpret source code shipped as text.
The only way to prevent this is to take off execute permission from any filesystem that ordinary users are permitted to write to, and I've seen this suggested in extreme secure environments. And even this might fail if PyInstaller is actually a Python script itself, and there is a Python instance in the environment.
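The noexec hardening suggested in the post above, together with its caveat about interpreters, as an added example that is not part of the original thread or of any project it mentions: a small Python audit that parses text in /proc/mounts format (the mount table below is constructed, not from a real host), reports which user-writable mount points lack noexec/nosuid, and models why a script handed to an interpreter that lives on an exec-capable filesystem still runs. The list of user-writable directories and the shortcut that bare command names resolve via PATH to a system mount are assumptions.

```python
import re

# Directories that unprivileged users can normally write to (assumed list;
# extend it for site-specific locations such as build or scratch directories).
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/dev/shm")

# Constructed sample in /proc/mounts format (not captured from a real host).
# Note the \040 escape the kernel uses for a space inside a mount point.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev 0 0
"""


def unescape_mount_field(field):
    """Decode the octal escapes (\\040 for space, \\011 for tab, ...) used in /proc/mounts."""
    return re.sub(r"\\[0-7]{3}", lambda m: chr(int(m.group(0)[1:], 8)), field)


def parse_proc_mounts(text):
    """Return a list of (mount_point, fstype, option_set) tuples."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        _device, target, fstype, opts = parts[:4]
        mounts.append((unescape_mount_field(target), fstype, set(opts.split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that actually backs an absolute `path`."""
    best = None
    for entry in mounts:
        target = entry[0]
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best[0]):
                best = entry
    return best


def audit_exec_options(text, paths=USER_WRITABLE):
    """For each user-writable directory, report its backing mount and whether
    noexec / nosuid are set there."""
    mounts = parse_proc_mounts(text)
    report = {}
    for path in paths:
        entry = mount_for(path, mounts)
        if entry is None:
            report[path] = {"mount": None, "fstype": None, "noexec": False, "nosuid": False}
            continue
        target, fstype, opts = entry
        report[path] = {"mount": target, "fstype": fstype,
                        "noexec": "noexec" in opts, "nosuid": "nosuid" in opts}
    return report


def missing_noexec(text, paths=USER_WRITABLE):
    """Sorted list of user-writable directories whose mount allows execution."""
    return sorted(p for p, r in audit_exec_options(text, paths).items() if not r["noexec"])


def blocked_by_noexec(argv, text):
    """Model of what noexec actually stops: the kernel refuses execve() only when
    the *executed file* (argv[0], absolute path) lives on a noexec mount. A script
    passed as an argument to an interpreter installed elsewhere is merely read by
    that interpreter, so it runs regardless. Bare command names are assumed to
    resolve via PATH to a system mount (simplification for this example)."""
    program = argv[0]
    if "/" not in program:
        return False
    entry = mount_for(program, parse_proc_mounts(text))
    return entry is not None and "noexec" in entry[2]


if __name__ == "__main__":
    for path, r in audit_exec_options(SAMPLE_MOUNTS).items():
        print(f"{path:10} -> {r['mount']!s:10} noexec={r['noexec']} nosuid={r['nosuid']}")
    print("missing noexec:", missing_noexec(SAMPLE_MOUNTS))
    print("direct ELF from /tmp blocked:", blocked_by_noexec(["/tmp/dropper"], SAMPLE_MOUNTS))
    print("python3 /tmp/dropper.py blocked:", blocked_by_noexec(["python3", "/tmp/dropper.py"], SAMPLE_MOUNTS))
```

Run against a real host with `audit_exec_options(open("/proc/mounts").read())`. In the sample, /var/tmp has no mount of its own and inherits the exec-capable root filesystem, which is exactly the kind of gap the longest-prefix lookup is there to catch; and the last two calls show the caveat from the post: noexec stops `/tmp/dropper` but not `python3 /tmp/dropper.py`, so the control only bites if the interpreter itself is unavailable to the user.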
"While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems."
He's not wrong. I worked at an organisation that had a number of satellites and at the time, they had the daft idea that nothing in their ground segments needed anti-virus protection, because the ground segments were not connected to any external networks. :-)
Predictably, I was called to address a problem with a PC that was misbehaving and found it infected with a load of trojans and other malware. This machine had been infected through the ground segment networks, where all the other Windows systems had the same malware. The culprits were the chaps from a large French aerospace company, who I had already caught using bittorrent on their notebooks, attached to our guest wifi. They were on site to implement the rollout of a new release of their parts of the satellite ground segment and inadvertently introduced malware from their corporate notebooks* to the entire ground segment.
Due to political sensitivities, there was no big fuss, but I understand they each received a severe arse-kicking in private.
*Being "software experts", they had all been given admin privileges to their corporate notebooks and to a man, had installed all kinds of illicit software.
If you need Linux, run Linux A to Z. If you need Windows, run Windows A to Z. Anything else is ridiculous. You leave in the hands of Microsoft the overall security we need/want from Linux, not mentioning other reasons we run Linux (like performance, for one). This subsystem is IMHO a way to sucker people into the MS fold. I for one haven't run a Windows computer in 22 years and will never go back. I compute; this ain't a toy, a Game Boy or game station, FFS. If it's written MS on it, I stay away, like I stay away from Trump, or the plague, both being about the same.
That's crazy talk! I have a company-issue Windows notebook that is so locked down that I'm hardly allowed to type in a password. It comes with no dev tools other than this weird Intersystems Ensemble stuff, and that's not fit for human consumption. Thankfully, through WSL I have access to gcc, so that I can still write a small CUI tool when the need arises.
People go with what they are comfortable with and what the majority of their staff are familiar with and the chances are that’s Windows and MS Orifice.
As a result of that it’s easy to see why miscreants are going to target MS operating systems and software - it has the largest surface area.
No one solution is better than the other; it's all about the myriad of criteria that drive decisions, which sometimes are heavily restrictive.