
Vista Protected Processes Bypassed

Posted by CowboyNeal
from the falling-confidence-levels dept.
Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
  • by tinkertim (918832) * on Saturday April 07, 2007 @12:46PM (#18647251) Homepage
    A spokesperson for Microsoft was quoted as saying :

    This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob [wikipedia.org]", instead.

    • Re:In related news (Score:5, Insightful)

      by _KiTA_ (241027) on Saturday April 07, 2007 @01:24PM (#18647637) Homepage

      A spokesperson for Microsoft was quoted as saying :

              This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.


      People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans [out-law.com] the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.
      • Re:In related news (Score:4, Informative)

        by tinkertim (918832) * on Saturday April 07, 2007 @02:48PM (#18648441) Homepage

        People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.


        It was a joke, just a joke and only a joke.

        The link given is to Microsoft Bob, which Microsoft gave up on shortly after launching it and (according to Wikipedia) later admitted the product was their single largest failure in their company history.

        You'd need to remember Bob in order to appreciate that Vista is well on its way to being "Bob 2".

        I suppose any joke could be taken as flamebait lol, but really, its just a joke. Better put in /. terms :

        its funny, laugh. .. or perhaps not, since I had to explain it :)
        • Re:In related news (Score:5, Interesting)

          by erroneus (253617) on Saturday April 07, 2007 @03:23PM (#18648821) Homepage
          I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

          Vista goes way out of its way to reduce functionality for the user in order to make content providers happy. Think of what that really means. Company A sells something to Consumer A but that something is disabled in order to make Company B happy. Company B is happy because they can continue their old business model and maintain their dominance if and when they finally move into new business models when they feel ready. Meanwhile, companies C, D and E through M move to create, innovate and design new things only to be prevented by both Company A and Company B. Depending on how this is done and how much evidence can be produced, this is illegal behavior.

          • Depending on how this is done and how much evidence can be produced, this is illegal behavior.

            collusion happens all the time, and thanks to republican sellou.. i mean our fine pro market saviors, their activities are dismissed as "industry standards" and/or "the free market in action", and anyone who comes out calling a spade a spade is immediately plastered as a pinko communist.

            examples include ridiculously unreasonable eulas, the incorporation of broadcast flag-like rules in the QAM cable standards (lever
      • Re: (Score:3, Insightful)

        by PingXao (153057)
        It's the same way with spam. Too many people are content to say it's only a problem if you're not using spam filters. They completely ignore the point that the spam exists in the first place and is transmitted hither and tither across the net, stealing bandwidth far and wide.
      • by Randseed (132501)

        Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

        I've seen that too many times to count. In fairness, though, the times I've seen it has not been with major ad companies, but rather more "shady" advertising companies. However, that doesn't mean that the user was doing anything "shady," and yes, the assertion that they must have been doing that is absurd.

        I sugge

  • Can we have Source? (Score:2, Interesting)

    by Anonymous Coward
    I most certainly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?
  • by Mr_eX9 (800448) *
    All of this "security" is just crap if it can apparently be exploited so easily.
    • by cyphercell (843398) on Saturday April 07, 2007 @01:02PM (#18647429) Homepage Journal
      no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.
    • by Surt (22457)
      Alternatively, it's great. By being so breakable we sucker the evil DRM lords into another copy protection regime that ultimately doesn't work.
    • by Rodness (168429) on Saturday April 07, 2007 @01:56PM (#18647909)
      I agree.

      The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

      Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

      They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

      My inclinations against myself or my family running vista just got a +1 Justification.
      • Re: (Score:3, Insightful)

        You're one hundred percent right - and the reason is simple: security doesn't make Bill any money, whereas "featuritis" - and deals with big content providers - does.

        Microsoft needs to be put out of business. Now. They have all the brains and social conscience of Enron.

  • At the moment these people are doing great work. Just take the promises MS made and see them being invalidated piece by piece!

    The bottom line is that no matter what OS, competent system administration is essential. However MS makes system administration a lot harder than it is on other systems.
  • by NecroPuppy (222648) on Saturday April 07, 2007 @12:53PM (#18647337) Homepage
    With that OS protected space in Windows ME?

    I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.
  • by imbaczek (690596) <imbaczek@pocz t a .fm> on Saturday April 07, 2007 @12:58PM (#18647391) Journal
    ...to start considering Vista as a usable OS.
  • Wait, wait... (Score:5, Interesting)

    by kripkenstein (913150) on Saturday April 07, 2007 @01:00PM (#18647405) Homepage

    A typical process cannot perform operations such as the following on a protected process:
    [...]
    Access the virtual memory of a protected process
    It's been a while since I knew squat about operating system internals, but aren't processes supposed to not be able to access other processes' memory anyhow? I assume, then, that this means that 'protected processes' are special in that they are also protected from any 'supervisor'-type processes, not just run-of-the-mill? In that case, are 'protected processes' meant to protect the kernel from itself, in some sense?

    Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.
    • Re:Wait, wait... (Score:4, Informative)

      by Guilly (136908) <theonlyguillsNO@SPAMgmail.com> on Saturday April 07, 2007 @01:10PM (#18647505)
      There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

      It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

      This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.
      • There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

        Interesting.

        This seems very non-secure to me. Any idea if this is standard on other OSes than Windows?
        • Re: (Score:2, Insightful)

          by Anonymous Coward
          root can read and write kernel and process memory under Linux. (Via /dev/kmem and /proc//mem.)
      • Does that mean you could make a WoW hack in a protected process?
      • by faragon (789704)
        You're right, it also works in Vista (the only untouchable processes are the "protected" ones, like Winlogon). Unfortunately, we are forced to use it [microsoft.com] to achieve trivial tasks such as grabbing the cursor icon used inside a third-party application window, and other "accessibility" hooks, as the ones officially provided by Microsoft are not enough. Personally, I hate to use these tricks; IMO it is the result of bad OS design, as we are not using it for "evil" applications, just normal ones that make the average Joe's
    • Re: (Score:3, Interesting)

      by randyflood (183756)
      I could be wrong, but I think Windows (2000, XP) generally allows processes running under the same user to look at each other's memory and such. This is useful when you want to debug a program or whatever. It's generally designed to protect users from each other, rather than protect users from themselves.

    • What is not supposed to happen in "normal" circumstances, is that one process "accidentally" accesses a part of memory not assigned to it. However plenty of programs work by doing this on purpose and as long as they behave, there is nothing wrong with it. It just so happens that trainers are a common example.

      However typically with trainers, the user level is the same. There is no real problem with a trainer I run, modifying the memory of a program I am also running. It becomes more of a problem if user level

    • by kinkie (15482)
      Under Linux, it's /proc/pid/mem:

      kinkie@loki:~$ll /proc/6282/mem
      -rw------- 1 kinkie kinkie 0 Apr 7 22:02 /proc/6282/mem
      kinkie@loki:~$echo $$
      6296

      see? I can alter my own processes' memory, no problem.
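The two Linux routes mentioned in this subthread, /proc/pid/mem and ptrace(), as an added example that is not code from any poster here and not Microsoft's or the PoC author's code. It is a small C program for Linux that first rewrites one of its own variables through /proc/self/mem, then forks a child that volunteers to be traced, stops it, pokes a new word into the child's memory with PTRACE_POKEDATA and lets the child report what it now sees. That second step is the rough equivalent of OpenProcess + WriteProcessMemory on Windows. The program assumes a Linux host with /proc mounted and with ptrace permitted for a child that requests PTRACE_TRACEME (Yama ptrace_scope below 3); the variable names and the marker values 0x42424242 and 0x5a5a are arbitrary choices for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A global the forked child inherits at the same virtual address; the parent
 * overwrites the child's copy from outside, as WriteProcessMemory would on Windows. */
static volatile long slot = 1;

/* Route 1: /proc/self/mem. The kernel applies the same ptrace access check here
 * that it applies to /proc/<pid>/mem of another process (same UID, or root /
 * CAP_SYS_PTRACE); a process always passes that check for itself.
 * Returns 1 if the write landed in our own variable, 0 otherwise. */
int poke_self_via_proc_mem(void)
{
    volatile int target = 0x11111111;          /* arbitrary marker (assumption) */
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return 0;
    int val = 0x42424242;
    ssize_t n = pwrite(fd, &val, sizeof val, (off_t)(uintptr_t)&target);
    close(fd);
    return n == (ssize_t)sizeof val && target == 0x42424242;
}

/* Route 2: ptrace(). Fork a child that asks to be traced, wait for it to stop,
 * poke a new word into its copy of 'slot', resume it and read back what it saw.
 * Returns the value observed by the child: 0x5a5a on success, -1 on failure. */
long poke_child_via_ptrace(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                              /* child */
        close(pfd[0]);
        long seen = -1;
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0) {
            raise(SIGSTOP);                      /* parked until the tracer issues PTRACE_CONT */
            seen = slot;                         /* re-read the word the tracer may have changed */
        }
        if (write(pfd[1], &seen, sizeof seen) != (ssize_t)sizeof seen)
            _exit(1);
        _exit(0);
    }
    close(pfd[1]);                               /* parent / tracer */
    int status = 0;
    if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(uintptr_t)&slot, (void *)0x5a5aL) != 0)
            perror("PTRACE_POKEDATA");
        ptrace(PTRACE_CONT, pid, NULL, NULL);    /* data 0: the SIGSTOP is not delivered */
    }
    long result = -1;
    if (read(pfd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(pfd[0]);
    waitpid(pid, NULL, 0);                       /* reap; harmless if already reaped */
    return result;
}

int main(void)
{
    printf("/proc/self/mem write landed: %s\n", poke_self_via_proc_mem() ? "yes" : "no");
    printf("child saw 0x%lx after PTRACE_POKEDATA (expected 0x5a5a)\n", poke_child_via_ptrace());
    return 0;
}
```

Both routes go through the same kernel access check (ptrace_may_access), which is the point the later posts in this thread make: on Linux the gate is "same UID, or root", and the same open() of /proc/<pid>/mem against another user's process fails with EACCES, while Windows gates the equivalent OpenProcess with a per-process ACL plus SeDebugPrivilege. Neither model has a class of process that the superuser cannot touch, which is exactly the property Vista's protected processes try to add.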
  • Ever since DOS (Score:5, Insightful)

    by Original Replica (908688) on Saturday April 07, 2007 @01:05PM (#18647443) Journal
    I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      You should try this new Linux thing out!

      It's awesome. I type commands, it obeys them. It never patronises me. The security works FOR me, not against me.

      Now THAT is user-friendliness.
      • by syrion (744778)
        I installed Fedora Core 6 yesterday, and I have actually gotten a few "that operation is not allowed" messages trying to chown a directory on a drive mounted by root. That's getting kind of annoying, I have to say. (Is there a good userspace mount utility?)
    • by Anonymous Coward on Saturday April 07, 2007 @01:37PM (#18647743)

      I miss the days when I gave my computer commands not suggestions.

      You are becoming nostalgic, Deny or Allow?

      • by Kjella (173770)
        You are becoming nostalgic, Deny or Allow?

        I much prefer the Windows XP auto-update dialog. "(blahblahblah) Would you like to reboot now?" with exactly one button: "OK". Where's my "No it's NOT fucking ok!"
      • by Khyber (864651)
        I choose Fail, because that's usually the problem with the hardware, in the first place, and I just need to replace it ;)
    • by ColdWetDog (752185) on Saturday April 07, 2007 @01:43PM (#18647791) Homepage
      What you're missing is the higher social value of interacting with your computer on a more equal basis. Just like women, computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

      So get off your old, tired, 20th Century horse and get with the new paradigm.

      Just a suggestion of course.

      • by Randseed (132501)

        What you're missing is the higher social value of interacting with your computer on a more equal basis. Just like women, computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

        So get off your old, tired, 20th Century horse and get with the new paradigm.

        Just a suggestion of course.

        And if Microsoft has its way, just like women, the OS will have the option of deciding to stop working with you, then walk off, taking half your assets a

    • by Udo Schmitz (738216) on Saturday April 07, 2007 @05:02PM (#18649791) Journal

      I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
      So, is using a Vista PC like talking to the bomb in Dark Star?
  • by kv9 (697238) on Saturday April 07, 2007 @01:06PM (#18647455) Homepage

    He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.

    not for long, I bet.

  • by BoRegardless (721219) on Saturday April 07, 2007 @01:28PM (#18647675)
    Genuine Advantage seems to now benefit the bastards too.
  • by Trailer Trash (60756) on Saturday April 07, 2007 @01:30PM (#18647689) Homepage
    Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...
    • I wonder whether Cygwin runs on Vista yet. If it does, then that may be a solution for your copy problem.
  • by loconet (415875) on Saturday April 07, 2007 @01:32PM (#18647705) Homepage
    If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.
    • If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.

      Hah! Shows what you know. I don't have to paint my excrement to get it that pink color...
  • Again? (Score:3, Interesting)

    by Proudrooster (580120) on Saturday April 07, 2007 @01:38PM (#18647751) Homepage
    VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.

    Bill Gates wants more cheap labor [infoworld.com] to waste on useless software [theinquirer.net]. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?
    • Bill Gates and company have successfully created the software version of Soviet Russia, where software runs you. I've always complained that Microsoft never understood that the software should work for you, not you work for it, and Vista seems like a step _further_ in the direction of making the user do work.

      Of course, I guess that's better than something like Word, where it takes 3 times as long to get anything done as it should because of all the unpredictable and illogical "helpful" stuff that the progr
  • by plasmacutter (901737) on Saturday April 07, 2007 @01:40PM (#18647767)
    All DRM issues aside, I'm surprised nobody has brought up new antitrust charges, especially in Europe, for this idea that Microsoft is allowed to deny a company the ability to use process protection.

    By doing that they give incumbents an advantage over others and are using their OS to expand monopoly interests into other sectors.
  • by Animats (122034) on Saturday April 07, 2007 @01:41PM (#18647773) Homepage

    "Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

    Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

    In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE [linuxgazette.net] call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. [12.110.110.204] So SELinux already has "protected processes", but with a better security model.

    If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

    • "Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

      You're kidding, right? Securing the computer's processes against its own owner without any option for override is reasonable?
      How about I do that to your house, and make you pay me rent on top of your mortgage for the "right" to use those extra bedrooms, kitchen cabinets, and garage space?

      Microsoft has for some

    • by Spy Hunter (317220) on Saturday April 07, 2007 @09:50PM (#18651857) Journal
      Protected processes are a terrible idea, and they have no analog in Unix. You have misunderstood the purpose of protected processes. It has nothing to do with protecting processes from each other for better security. It is *only* about protection from the *user* for media. Protected processes cannot be written by anyone but Microsoft and "trusted" partners (theoretically) and are supposed to be immune from tampering by every user, even one with the highest possible administrative rights. No Unix has this concept, because it is retarded. It removes your own control over what your computer is doing and hands it to Microsoft and a few "trusted" companies which are allowed to write protected processes.
  • by Anonymous Coward
    http://www.microsoft.com/whdc/system/vista/process_Vista.mspx [microsoft.com]

    Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?

    Processes can "inject threads" into other processes? Buhuh?

    Here's apparently more of what processes can't do to Protected Processes in Windows:

    Inject a thread into a protected process
    Access the virtual memory of a prot
    • Apparently you haven't heard of ptrace() on Linux or vm_write() on OS X, which are more or less the equivalent of the operations in Windows.

      Windows processes have access control lists like files do; you can't inject a DLL into winlogon.exe without LocalSystem ("root") access. Linux and OS X go by the associated UID; if the requesting UID is unequal and is not zero (root), the attempt is denied.

      As for SELinux, many systems can get around the ptrace() lockout. Pipe a connection to gdb and have it do the dir
  • by Anonymous Coward on Saturday April 07, 2007 @01:51PM (#18647847)
    The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses an 848-byte driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the necessary rights to load and install a driver...and as we all know, once in kernel mode there's no real protection against malicious code...
  • by The Living Fractal (162153) <(banantarr) (at) (hotmail.com)> on Saturday April 07, 2007 @02:05PM (#18648011) Homepage
    I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grok this. Neither do DRM proponents. Information will find a way to get through, around, over and above, and beneath all obstacles.

    So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.

    The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.

    In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.

  • Looks like 32-bit (Score:4, Interesting)

    by figleaf (672550) on Saturday April 07, 2007 @02:08PM (#18648031) Homepage
    I would like to see him do this in 64-bit.
    32-bit allows unsigned code in kernel mode for legacy reasons so it's much easier to inject into 32-bit processes.
  • Tell me Bill, which version of Vista are you referring to?

    "We made it way harder for guys to do exploits," said Mr. Gates. "The number
    [of exploits] will be way less because we've done some dramatic things
    [to improve security] in the code base."

    http://www.toptechnews.com/story.xhtml?story_id=49854 [toptechnews.com]

  • by SLi (132609)
    Malware is not annoying. It's downright hostile. Once untrusted code has run as administrator/root/system/whatever on your computer, it's the end of the game. You need to reinstall and never trust the compromised data again, as any competent security expert will tell you. Only the anti-malware corporations, unsurprisingly, tell you otherwise.
  • Personally this sounds like exactly what I've been looking for to get drivers that'll read my Ext3 partitions installed and loaded without all the Vista SDK nonsense required to get past the signing crap. If I'm scared of malware and virii, I'd use something by a company I trust and respect (Kaspersky is my personal favourite, especially since it's easy to exclude files/folders on the basis of "if you detect X here, ignore" so I can keep false positives or test samples or anonymail or etc), not Microsoft!
  • Just trying to hold on to his job by helping out the trojan and virus writers.
