Windows RT: Bug not a bug?
Microsoft, kernel expert take sides on whether this week's Windows RT flaw is a security vulnerability that needs to be patched
Computerworld - Microsoft and a respected researcher disagreed this week about whether a bug in Windows RT is actually a security vulnerability that should be patched.
The bug, revealed Jan. 5 by a hacker known as "clrokr," can be used to bypass a restriction in Windows RT that prevents its "desktop" mode from running anything but select, Microsoft-made software. By changing a byte in the Windows RT kernel, said clrokr, Windows RT users could install standard Windows applications -- assuming they had been recompiled for the OS's ARM processor -- and run them on the desktop.
By default, only Microsoft's Office RT, a scaled-down version of Office 2013; Internet Explorer 10 (IE10); the File Explorer file manager; and several other utilities created by the Redmond, Wash. developer, are allowed on the Windows RT desktop.
Other hackers have taken clrokr's work to actually install recompiled Windows apps on RT-powered devices.
Most have portrayed clrokr's discovery as a "jailbreak," meaning a way for do-it-yourselfers to sneak unauthorized software onto a tablet running Windows RT. Jailbreaks have been used for years by iPhone owners to install apps that have not been approved by Apple for its App Store distribution market.
But the same technique could also be used to install malicious software, argued Tarjei Mandt, a researcher who has found dozens of security vulnerabilities in the Windows kernel, and reported them to Microsoft for patching. Mandt works as a senior security researcher for Azimuth Security, an Australian security consultancy founded by researchers formerly at IBM's Internet Security Systems XForce.
"This is not your traditional security vulnerability, as it already requires the user to have administrative privileges, [which is] the reason why Microsoft doesn't classify it as a security vulnerability," Mandt said in an email interview. "[But] if the goal of the operating system is to prevent unverified drivers and executables from running, as the case is with Window RT, then in my opinion it should be classified as a security issue or security bypass."
Microsoft doesn't see it that way.
"The scenario outlined is not a security vulnerability and does not pose a threat to Windows RT users," Microsoft categorically said Tuesday in a statement. The company also hinted at its rationale: "The mechanism described is not something the average user could, or reasonably would, leverage as it requires local access to a system, local administration rights and a debugger in order to work," Microsoft said.
True, acknowledged Mandt, who admitted clrokr's tactic had flaws. "Although the attack in this case can be used to disable [Windows RT's] signature enforcement at runtime, launching something that can survive a reboot is a completely different story due to the extensive verification made by UEFI Secure Boot," Mandt said.
- Microsoft support tells Surface Pro 2 owners firmware fix will ship Jan. 14
- As customers fume, Microsoft promises Surface Pro 2 firmware fix ASAP
- Analyst credits Surface sell-out to Microsoft swinging conservative
- Best Buy does what Microsoft won't: Takes Surface tablets in trade
- Deja vu all over again: Microsoft warns of Surface 2 sell-out
- Microsoft steers same strategic course in Surface do-over
- Dumping a Surface? eBay averages double the return of a buyback vendor
- Microsoft's Surface to be under revenue microscope
- Microsoft's most loyal users ask for Surface trade-in program
- Microsoft takes second swing at tablets with new Surface 2 lineup
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Three Best Practices to Help Government Agencies Overcome BYOD Challenges This paper highlightschallenges facing government IT in a BYOD environment and discusses strategies for network preparation, ongoing support, and securing information to enable...
- 3 Steps to Content Sharing and Collaboration ft. Forrester Research Consumer sync and share tools help people access and send personal files, but smart IT leaders know that businesses require more than just...
- Empowering Your Mobile Workers A modern mobile IT strategy is no longer an option, it is an absolute necessity. Here's how some of the nation's most progressive...
- Omnichannel: From Buzzword to Strategy Customers demand a seamless experience across channels, especially mobile. Read this whitepaper for a research-based framework for using omnichannel for higher customer engagement.
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Workforce Mobilization for Improved Productivity A mobility research director from Aberdeen discusses reasons for extending legacy applications to mobile devices, and an integration strategist from Attachmate shows how...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Mobile/Wireless White Papers | Webcasts
As emerging technologies evolve they often find an initial niche in highly specialized scenarios, or in specific industry verticals, before expanding to wider areas of applicability. Within these initial niches, the early adopters can be anything from digital enthusiasts to fashionistas, or they can be folks simply using the technology because it serves a specific need extremely well. (free registration required) more