Russinovich Says, Expect Vista Malware 193
Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'
And ... ? (Score:5, Interesting)
Where's the clean boot disk that I can use to scan a Vista box? How do I validate all the files on it?
What is your answer to AFTER the box has been cracked?
Re:And ... ? (Score:2, Interesting)
Nuke it from orbit, reinstall.
The only difference is the hope they don't deny your registration after doing that too many times.
I suppose they could have a "Boot from CD and validate" option, but, because of subsequent system changes as the user installs drivers and other legitimate software (which could still include bogus stuff), it would probably be tricky to implement except for a few key system files that don't (or shouldn't) ever change, and that would miss alot of malware. More useful would be if it were possible to create a "known good" system image, and a way to compare that to the present state of the system or to reinstall that image. I know that XP has system save points (or whatever they are called), but I'm thinking about something more comprehensive. Do they have anything like that yet?
Re:Actually (Score:5, Interesting)
(I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)
(And whilst I'm posting, "...a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file"? If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake? Surely a fake/spoofed dialogue box wouldn't *actually* be able to grant elevated rights (pretty much by definition); and the text in the *real* elevation prompts can't be changed, since they run in 'secure desktop' sandbox mode, no?)
Not necessarily. (Score:5, Interesting)
Then I simply match each and every file on the hard drive to the package that it should have come from and validate the md5 checksum.
Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable.
Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.
Any system that REQUIRES a complete tear down after ANY vulnerability is exploited is NOT a well designed system. There has to be a way to validate each section of the system.
Unix-style permissions are not enough. (Score:5, Interesting)
There is a solution to the problem, but it requires a deep rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can user and how. So, for example, I would let FireFox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want FireFox to be able to read my local files, but I'd be willing to put in a password to let it do on a time limited basis so during uploads and the like.
Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!
So, that's what's on my wishlist for the future of OS level security.
Re:Not necessarily. (Score:2, Interesting)
Re:Actually (Score:3, Interesting)
Re:Flash BIOS exploits (Score:3, Interesting)
Re:Actually (Score:3, Interesting)
Re:Actually (Score:5, Interesting)
Too bad there are lazy software companies pulling this kind of shit [chessok.com]. The developer's link to this piece of shit "patch" is listed under the headline "Convekta's products are compatible with Windows Vista !!!" (just disable the single most important security feature of the OS). I'd bet that over half of all Vista boxes will have LUA disabled within 12 months of installation. What do you have then? A new OS with the security enhancements removed and untested code running in "every user is a superuser" mode, just like XP without the 6 years of bugfixes. Don't tell me XP has limited accounts; using XP under a limited account takes more effort than using Linux ever did.
The only thing keeping the malware writers away from Vista so far is its piss-poor market penetration, not its security enhancements.