Windows Vulnerable To 'Token Kidnapping' Attacks
cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."
"... by any user with impersonation rights." (Score:5, Informative)
That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).
So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.
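Added example (not part of the article or of the comment above): a quick PowerShell check of whether the security context you are sitting in actually has the impersonation right the comment is talking about. It parses the CSV output of `whoami /priv` and looks for SeImpersonatePrivilege; the function name is my own.

```powershell
# Added example, not from the original page or the parent comment.
# Reports whether the current token holds SeImpersonatePrivilege, which is the
# starting condition for the class of bug discussed above.
function Test-ImpersonatePrivilege {
    # 'whoami /priv /fo csv' emits the columns "Privilege Name","Description","State".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $imp = $privs | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }

    [pscustomobject]@{
        Principal = (whoami)
        Present   = [bool]$imp
        # "Disabled" still counts: a process can re-enable a privilege that is
        # present on its token with AdjustTokenPrivileges. Only absence matters.
        State     = if ($imp) { $imp.State } else { 'Not present' }
    }
}

Test-ImpersonatePrivilege
```

Run it once from a normal user shell and once from a shell started as a service account or an elevated administrator to see the difference the comment is drawing: the normal user should show "Not present", while LocalSystem, Network Service and Local Service hold the privilege by default.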
Re:Apple replies (Score:4, Informative)
Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.
optimistic (Score:5, Informative)
Lately the security bugs I've seen are making me feel good.
Sounds weird I know, but it just seems like they are getting more and more bizarre.
Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...
Where will we be in 5 years... probably in a relatively safe world.
I mean heck, this thing says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs, not general problems.
When was the last major worm anyways?
Re:About Software (Score:3, Informative)
The file inclusion is done at compile time. Presumably, whoever is compiling the code has a good system (otherwise, the possibilities are much worse than what you describe: the compiler might be hacked, for example).
Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g., /usr/include). This means that, if whoever compiles the code is being attacked this way, their system is already compromised.
Re:Apple replies (Score:3, Informative)
Windows does allow services to run as different users. It has since at least Windows 2000, probably since NT. Services that interact with the network by default log in as Network Service, which has limited permissions compared to the Local System account. In a locked down environment (i.e. an internet facing or DMZ server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference is there's a larger pool of people with jobs as Windows administrators without the skills and knowledge to back it up. As Linux becomes ever more popular, expect to see the same thing happen to it.
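Added example (my code, not from the page or the comment above): a PowerShell audit of which account each installed service actually runs under, which is the first thing to look at when deciding whether a box matches the "locked down" picture the comment describes. It uses the Win32_Service class; the function names are my own.

```powershell
# Added example, not from the original page or the parent comment.
# Summarises service logon accounts so LocalSystem sprawl is visible at a glance.
function Get-ServiceAccountSummary {
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account';  e = { $_.Name } },
                      Count,
                      @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

# Lists running services that still use LocalSystem, with the binary path and
# start mode, so each one can be reviewed for a move to a lower-privilege account.
function Get-LocalSystemRunningServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, StartMode, PathName
}

Get-ServiceAccountSummary | Format-Table -AutoSize
Get-LocalSystemRunningServices | Format-Table -AutoSize
```

On a default install expect three large buckets (LocalSystem, NT AUTHORITY\NetworkService, NT AUTHORITY\LocalService); anything network facing in the LocalSystem bucket is the list to work through, and a service that does not need to impersonate callers can go to a virtual or managed service account instead.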
Re:Apple replies (Score:3, Informative)
I still love how *nix naturally allows individual services to run under different users [...]
There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.
Re:"... by any user with impersonation rights." (Score:2, Informative)
if you run IIS you may as well just post your admin password and social security number on your homepage
Really? Try a little comparison exercise:
IIS6: http://secunia.com/advisories/product/1438/ [secunia.com]
IIS7: http://secunia.com/advisories/product/17543/ [secunia.com]
Apache 2.2.x: http://secunia.com/advisories/product/9633/ [secunia.com]
In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19
Re:Apple replies (Score:3, Informative)
Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas has "download code from the web and execute it" at its heart and is wide open to exploits.
ActiveX - ever heard of .xpi? Yeah, that pops up a prompt when you install it; so does ActiveX. And .xpi can contain native code (which many people don't even realize).
Windows Media does not "download code from the web". It's just a browser plugin, like the MPlayer or VLC plugins.
Unless what you mean is that it can download codecs from the Net from a central repository (after popping up a confirmation dialog) - which e.g. Rhythmbox and Totem also do in Ubuntu, though those go through the centralized package system.
Windows Update - it's identical to a package management system in any Linux distro, except that it's bare-bones and for MS products only. In terms of "downloading code from the web", its attack surface is exactly the same - code comes from a centralized server.
Re:Apple replies (Score:3, Informative)
IIS improved seven years ago, not recently. Regardless of the reason for improvement, it did improve. IIS 6 and 7 both have excellent security records and both have a sound architecture.
Microsoft's far from perfect, but you've been holding a grudge for fourteen years. Did they eat your children?