In Thursday's IT Blogwatch, Richi Jennings watches the egg on Microsoft's face, over Windows 7's tweaked User Access Control. Not to mention the man cold...
Gregg Keizer reports:
A pair of Windows bloggers posted more proof-of-concept code today that subverts an important security feature of Windows 7, a problem Microsoft knew about as long ago as last October and which one of its software engineers said would be fixed in the beta.
...According to bloggers Rafael Rivera and Long Zheng, hackers can easily piggyback on "pre-approved" Microsoft applications and code to trick Windows 7 into granting their malicious code full access rights to the machine.
Dan Goodin adds:
Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install a potentially malicious payload.
...The vulnerability stems from Microsoft's attempts to make UAC more palatable by allowing certain applications to make changes to the OS without first prompting the user for permission. Executables that are digitally signed are essentially given fast-track permission under UAC's default configuration. And it turns out many of these third-party executables are in turn able to invoke still more third-party code.
Yes, Long Zheng started something alright:
Soon after writing my last blog post on the potential security vulnerability to autonomously disable Windows 7 beta's UAC system, I had realized that flaw was just one piece in a string of dominoes that fell much earlier when the new tiered-UAC system was introduced ... a second UAC security flaw ... allows a malicious application to autonomously elevate itself ... cannot be classified as by design.
...Since there is an inherent trust on everything Microsoft-signed, by design, the chain of trust inadvertently flows onto other third-party code as well. A phenomenon I've started calling piggybacking ... The advice to every Windows 7 beta user is to set your UAC setting to high.
Rafael Rivera is the other culprit:
In every binary that Microsoft feels should have auto-elevation capabilities, a flag is added to its manifest and the executable (in which the manifest resides) is digitally signed. I haven't dug into the internals yet, but I'm assuming that a) the manifest must be embedded (i.e. external manifests should not meet auto-elevation requirements) and b) the image must be signed by Microsoft and Microsoft alone.
...[But] there's a problem. This auto-elevation flag was applied to rundll32.exe, an executable that has and still ships with Windows today ... As a proof of concept, I created two programs. The proxy application, Catapult.exe, is a one-line C# application (code) that uses the Process.Start method to launch an instance of rundll32.exe, requesting elevation with the little-known runas verb. Cake.dll is a multi-line C++ library (code) and our payload ... the entry point of our malware.
Microsoft's Jon DeVaan sings, "La la la, I can't hear you":
There has been no report of a way for malware to make it onto a PC without consent ... the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine ... [But] please know we take all of the feedback we receive seriously.
...UAC is not a security boundary ... If anyone says something like, "UAC is broken," it is easy to see they are mischaracterizing the feedback ... While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view.
Larry Seltzer cures your indigestion: [You're fired -Ed.]
Almost the whole point of UAC is so that you can run a system as a standard user and have the option, on the odd occasion when necessary, to elevate privilege to administrator. The logins can be annoying, but they should be infrequent ... Some in Microsoft will tell you, mostly off the record, that the whole point of UAC was to force ISVs to fix their software so that it ran properly for standard users. When you think about it, the logic of this attack is not that there is a vulnerability in Windows 7, but that the default design decision of making UAC more lenient was wrong. You can always change it to make it more stringent, but how many of you really want to do that?
Bryant Zadegan really wants you to do that:
I'm going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center ... and set it to the maximum ... This flaw is so ridiculously and utterly bad that it brings us right back to the times that people used XP with an unprotected administrative account ... This essentially negates any benefit that UAC gives to the user.
...People saw ... the UAC posts by Rafael Rivera and Long Zheng ... and immediately assumed that this issue is only relevant for users who download malware ... [But] if a security hole is found in any user-mode application, that application can be infected and used to silently attack the system ... Prior to this new non-invasive UAC, the number of silent attack vectors was limited to any flaws in elevated Windows components.
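Rivera's write-up above names the ingredient (an auto-elevate manifest flag on a signed Windows binary) and Zheng and Zadegan both give the fix (UAC at its highest level). This script, added here and not from any of the bloggers quoted, checks both on a Windows box: it reads the UAC policy keys and lists which System32 executables carry the auto-elevate manifest flag, along with who signed them. The registry value names and the `autoElevate` manifest element are real; the thresholds for "Always notify" are assumed from the Windows 7 UAC slider semantics.

```powershell
# Added example, not code from the original post. Read-only audit; run from
# an elevated PowerShell prompt. Written for PowerShell 2.0 syntax so it also
# works on the Windows 7 era systems the post discusses.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policy

# "Always notify" = ConsentPromptBehaviorAdmin 2 plus the secure desktop.
# The Windows 7 default value (5) silently elevates signed Windows binaries,
# which is exactly what the rundll32.exe piggybacking demo leans on.
$strict = ($uac.EnableLUA -eq 1) -and
          ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
          ($uac.PromptOnSecureDesktop -eq 1)
"UAC at 'Always notify': $strict " +
"(ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin), " +
"PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop))"

# To apply the bloggers' advice, uncomment the two lines below (needs admin;
# takes effect at next logon):
# Set-ItemProperty -Path $policy -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $policy -Name PromptOnSecureDesktop    -Value 1

# An embedded manifest is stored as plain XML in the PE resource section,
# so a raw text search for the flag works without parsing the PE headers.
$pattern = '<autoElevate>\s*true\s*</autoElevate>'
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.exe |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { Select-String -Path $_.FullName -Pattern $pattern -Quiet } |
    ForEach-Object {
        # Auto-elevation also requires a valid Microsoft signature, so show
        # the signer: an unsigned or third-party-signed hit is itself odd.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Binary    = $_.Name
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-Table Binary, SigStatus, Signer -AutoSize
```

rundll32.exe should appear in the output on an affected Windows 7 build; the list is also a useful baseline to diff after patches, since any new auto-elevating binary widens the same trust chain.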
Harry McCracken is the summarizer:
There may be a rational argument for why Windows 7's approach to UAC makes sense, but so far, Microsoft doesn't even seem to be trying to make it.
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: firstname.lastname@example.org.