Vista Protected Processes Bypassed

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

Why do they even bother?

[Mr_eX9]

All of this "security" is just crap if it can apparently be exploited so easily.

Re:Can't beat em, join em?

[Fallen Kell]

The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

DRM in Vista is misunderstood

[MarkByers]

> Not only threatening Vista DRM and friends

The DRM in Vista is not intended to lock down your computer so that evil companies can control what you watch. This is impossible to do without a TPM chip. Microsoft knows this.

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

'Cracking' DRM is on about the same level as downloading illegal copies online. Useful in some cases (such as when you bought a DRM'd song by mistake and wish to play it on your MP3 player/iPod), but still illegal (in the US at least).

Now mod me down, Vista bashers!

Re:Why do they even bother?

[cyphercell]

no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.

Re:DRM in Vista is misunderstood

[jomas1]

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

You can't possibly mean what you just wrote. Vista's DRM is needed to play DRM-encrypted files? Why can XP and Windows 2000 play encrypted files?

Ever since DOS

[Original Replica]

I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

Re:Can't beat em, join em?

[Anonymous Coward]

>>Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

Microsoft can.

Re:Can't beat em, join em?

[misleb]

Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. You're little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

-matthew

Re:Other OSes

[diegocgteleline.es]

No, other operative systems don't have this stupid notion of "protected processes", not even XP has it, only vista.

You think so?

[Fallen Kell]

Do you really think so? Why would MS pay someone $300,000-500,000 when they have people who get $70,000 that could simply scan the code itself? They won't upset their current pay scales and pay grades to place "hackers" into their business units. For one, many of those "hackers" are hackers because they have a record of conduct that does not work in a normal business environment. Be it social, societal or other issues (potentially and not limited to criminal and trust issues). In fact, some people many not even be employable due to said activities due to security reasons.

Again, MS sure isn't going to hire a hacker who is paid more then their bosses and that is for sure.

Re:Source code

[Anonymous Coward]

It's 7K, command line, and does only one job. Anyone could reverse this in their sleep.

Re:Ever since DOS

[Anonymous Coward]

You should try this new Linux thing out!

It's awesome. I type commands, it obeys them. It never patronises me. The security works FOR me, not against me.

Now THAT is user-friendliness.

Re:Source code

[cyphercell]

no one is a low life for holding on to their code. this guy just cracked the one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.

Re:In related news

[_KiTA_]

A spokesperson for Microsoft was quoted as saying :

        This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.

People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans [out-law.com] the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

Disassemble it

[eddy]

Considering the executable is just about 6K and doesn't seem protected/compressed, reversing it ought to be fairly trivial. Try the demo version of IDA [datarescue.be].

Good, now MS cant dictate software advantage

[plasmacutter]

all DRM issues aside, i'm surprised nobody has brought up new antitrust charges, especially in europe, for this idea that microsoft is allowed to deny a company the ability to use process protection.

by doing that they give incumbents an advantage over others and are using their OS to exapand monopoly interests into other sectors.

Good idea, bad implementation.

[Animats]

"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE [linuxgazette.net] call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. [12.110.110.204] So SELinux already has "protected processes", but with a better security model.

If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

Re:Wait, wait...

[Anonymous Coward]

root can read and write kernel and process memory under Linux. (Via /dev/kmem and /proc//mem.)

WHat the heck? Windows processes are WEIRD

[Anonymous Coward]

http://www.microsoft.com/whdc/system/vista/process _Vista.mspx [microsoft.com]

Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?

Processes can "inject threads" into other processes? Buhuh?

Here's apparently more of what processes can't do to Protected Processes do in Windows:

Inject a thread into a protected process
Access the virtual memory of a protected process
Debug an active protected process
Duplicate a handle from a protected process
Change the quota or working set of a protected process

So yer telling me, normal processes can do this to other normal processes in windows?

Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process seperation would apparently require the setting of a lot of ACLs in windows, if it can be done at all.

The footnote at the end is the best though!

"Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. "

Please play nice with our restriction scheme!

I bet this is what our enterprising hacker has done.

Before MS sics their lawyers on me, the above quotes were used for the purposes of review.

Re:Why do they even bother?

[Rodness]

I agree.

The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

My inclinations against myself or my family running vista just got a +1 Justification.

Re:Why do they even bother?

[Anonymous Coward]

Well, now I can honestly say "Wow!".

The Philosophy of Protection

[The Living Fractal]

I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grog this. Neither do DRM propenents. Information will find a way to get through, around, over and above, and beneath all obstacles.

So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.

The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.

In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.

Re:You're joking, right?

[jomas1]

> Why can XP and Windows 2000 play encrypted files?

The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...

Ok so your original quote that suggested Vista's DRM, which is clearly different when compared to XP's and 2000's DRM mechanisms, is somehow a good thing was wrong? Or were you trying to say that some type of DRM is necessary? If the latter, then I don't know yet if I disagree. I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy. Ionescu did not make Vista any less secure than it was a week ago. He's simply let some of us know that Vista is really not ready for the mainstream market. Who knows, maybe he's even inspired Redmond to get Vista SP1 out the door earlier.

I still use Windows 2000 from time to time and don't yet see what advantages Vista has but I'll give the OS some time to mature.

User competence

[Anonymous Coward]

I have been using ME for years without ANY problems with spyware or malware. Zip.
I still use ME for one and only one purpose, to play World Of Warcraft (incidentally WoW officially does not support ME, but it runs great). For all other things I use my linux box (and I use THAT competently as well).

Why am I not infected? Simple: I am a very competent user. I know how to configure my router and my system properly, and I know how to avoid doing the sorts of things that get a system compromised. ME was one of Microsoft's weakest releases...but when used intelligently it is quite solid and safe.

The problem is that Microsoft is trying to make the OS protect its users from their own incompetence. It is a noble idea, but it is doomed to failure. No matter how secure they make it, their users will fall victim to the socially-engineered exploits of malicious developers every time. Furthermore, the attempts made to protect the user from this will actually make it harder to fix the system after it has been compromised, and will make it harder for competent administrators to do their job.

Microsoft winds up with the worst of both worlds.

Computers are not like cars. The complexity that they represent cannot be neatly tucked away under the hood. I know that people would prefer to avoid dealing with this complexity (it is tedious and uninteresting to most people, and I sympathize), however, the reality of the situation is that computers are and will remain complicated. Those who don't learn the details are and will always remain a danger to themselves and to everyone on the net, despite Microsoft's best efforts.

Re:In related news

[LighterShadeOfBlack]

You're wrong. The "collective observations of thousands of admins" is in fact little more than assumptions and anecdotes perpetuated by people such as yourself.

Do a significant proportion of porn sites have malware? Probably.

Is there a greater risk of getting infected by malware when surfing for porn than doing "wholesome" surfing? Perhaps.

Is a malware infection reason enough to presume that they got it from browsing porn and/or piracy-related sites? Not in the slightest in my experience. If you've got differing experiences that prove me wrong, by all means collate your data and present your findings because I and I'm sure many other people working in admin or IT roles would love some hard numbers on the nature of malware sources online. Until then I'll have to assume the "observations of thousands of admins" you speak of are in fact nothing more than your own pre-conceptions.

Re:In related news

[PingXao]

It's the same way with spam. Too many people are content to say it's only a problem if you're not using spam filters. They completely ignore the point that the spam exists in the first place and is transmitted hither and tither across the net, stealing bandwidth far and wide.

Re:Why do they even bother?

[Master of Transhuman]

You're one hundred percent right - and the reason is simple: security doesn't make Bill any money, whereas "featuritis" - and deals with big content providers - does.

Microsoft needs to be put out of business. Now. They have all the brains and social conscience of Enron.

Re:No, debuggers can't have special privileges

[Henk Poley]

Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?

Only make programs 'unprotected' if they are started by a debugger. For example, run them in VM in the debugger address space. This way you can't hijack already running programs.

But yeah, I am aware that there always is an 'outside' to a thread, program, kernel or computer. From the outside you could read values directly. Ex: a computer that is not running could have it's kernel changed so it gives memory dumps of certain programs.

Protected processes. Sheesh.

[FoamingToad]

Agree with you. If I am the computer _administrator_, I want complete and utter control over what is running on the machine. It's all or nothing.

The vista model of watered-down administrator may make life easier for migrants from Win 9x, but ultimately restricts the functionality for high-end users.

I'd rather they still allowed full, uber-privileged rights to one account - be it administrator or whatever, irrespectve of what additional restrictions MS choose to place on other "administrator" accounts (which are apparently degraded to "power user" accounts these days anyway).

Anyway, as I may have stated previously, Windows 2003 Server for the win.

F_T