
New Windows Kernel Vulnerability Bypasses UAC (303 comments)

Posted by timothy
from the happy-thanksgiving-everyone dept.
xsee writes "A new vulnerability in the Windows kernel was disclosed Wednesday that could allow malware to attain administrative privileges by bypassing User Account Control (UAC). Combined with the unpatched Internet Explorer vulnerability in the wild this could be a very bad omen for Windows users."
  • Bad omen? (Score:5, Funny)

    by ScrewMaster (602015) * on Thursday November 25, 2010 @02:04PM (#34343930)

    this could be a very bad omen for Windows users.

    Only if Microsoft doesn't fix it. Of course, somebody sharp could submit a patch ... oh wait.

    • Re:Bad omen? (Score:5, Insightful)

      by ColdWetDog (752185) on Thursday November 25, 2010 @02:15PM (#34344006) Homepage

      Only if Microsoft doesn't fix it. Of course, somebody sharp could submit a patch ... oh wait.

      The traditional method of bypassing the UAC has been the average user mindlessly clicking "OK". Have you got a patch for that which does not involve firearms, poisons or BDSM stuff?

      • by michelcolman (1208008) on Thursday November 25, 2010 @02:53PM (#34344298)
        You could occasionally give them a box like "Do you want to allow the following program etc...", program name "wipeharddisk.exe", File origin "compromised internet site" and then give them a big red box with "You stupid idiot!" if they click "Yes" anyway. At least one out of every three boxes should be of this kind, and of course various program names, publishers and origins should be used. After three of those "idiot" boxes, next time show them a progress bar with "wiping hard disk...".
        • And then proceed to wipe the hard disk, right?

• by caluml (551744) on Thursday November 25, 2010 @08:38PM (#34346512) Homepage
          There was a .exe - I can't remember what - that rebooted a Windows box with no warning. We were trying to educate people about not clicking attachments blindly (this was around the Melissa/Iloveyou time), so I renamed it to do-not-run-this.exe or something similar, attached it to an email, wrote in the email NOT to run it, and sent it to the company (about 70 people).

          I then had to put up with people complaining that their computer rebooted, and they lost work they were working on.
  • This virus can't scratch me, I run everything with Administrator privs... oh snap!

  • UAC? (Score:5, Funny)

    by Forrest Kyle (955623) on Thursday November 25, 2010 @02:15PM (#34343998) Homepage
    They bypassed the UAC? We're DOOMED! [wikia.com]
  • What do you bet this was the result of some government agency/powerful private entity saying they want easier access into remote machines?

    • Re: (Score:3, Interesting)

      That's a bet I wouldn't take. Given the well-known existence of both more or less free-floating criminal elements and multiple nations with reasonably substantial CS capabilities more or less tightly integrated into their military and/or clandestine capabilities(and sometimes shading into the first category...) any one entity asking for a backdoor is making the (painfully stupid) bet that nobody else is going to find it. Obviously, virtually everyone would love to have a backdoor of their very own; but even
• This exploit still requires the code to be run (i.e. for the system to already be compromised). UAC is just an extra hurdle malware has to clear; it's not meant to be the be-all and end-all to stop malware.

    The IE exploit mention is meaningless (other than for flamebaiting). You can quite easily catch a virus using a fully patched version of Firefox with up to date plugins through regular browsing (noscript is not regular browsing).
    • by gstoddart (321705) on Thursday November 25, 2010 @02:25PM (#34344086) Homepage

      noscript is not regular browsing

      No, it's better. It's like browsing that goes all the way to 11. Much of the suck just magically disappears.

    • by 0123456 (636235)

      The IE exploit mention is meaningless (other than for flamebaiting). You can quite easily catch a virus using a fully patched version of Firefox with up to date plugins through regular browsing (noscript is not regular browsing).

      So an unknown vulnerability in Firefox is just as likely to infect your machine as a known vulnerability in IE?

    • by js3 (319268)

Actually Java is more dangerous than IE in this case. Java can download apps disguised as jpeg files and execute them from the appdata/roaming folder (then again, most trojans that do this already exploit other methods to screw up the system).

    • by sponga (739683)

      I always get a kick how they dumb down the articles for the audience around here. It's like 'don't you people work in the IT industry and this is common knowledge that code run from any machine by the user will compromise it'.

      Virus- 'You wanna run me so I can infect though... I mean give you money...?'
      UAC- 'Do you want to run this Yes/No'
      User- 'Yes'

      hmmm somewhere there is a weak link in that security somewhere.

      KEEP FEAR ALIVE!!!

• Microsoft has the capital to develop a new operating system from the ground up. This bolting on of security solutions like UAC isn't going to cut it anymore. Heck, keep the same user interface design for all I care, but change the underlying OS. I am a technology atheist, so I don't get religious about platforms, but what Apple did by porting OSX for Intel in parallel says volumes about their company.

    I know it might be hard, but Microsoft needs a little vision and little less greed to do the same thing, b

    • by js3 (319268)

Aren't you being overly dramatic there? Every system has had some known exploit at one point or other to gain elevated privileges; this bug seems to exploit left over junk from older OSes (ntsys calls) that exploits a buffer overflow in one of the methods to extract reg key values.

      Easy buffer overflow problem that shouldn't be hard to fix

      • by causality (777677) on Thursday November 25, 2010 @02:49PM (#34344254)

        Easy buffer overflow problem that shouldn't be hard to fix

        I believe you miss his point.

        It's an easy buffer overflow problem that shouldn't have been hard to prevent if you have even a fraction of the talent and resources at Microsoft's disposal.

        If this bug is as you say, and it exploits "left over junk from older OSes" that only means one thing: there has been more than adequate time for an internal security audit to have found and fixed this bug. Consider the personnel and capital available to the OpenBSD group, then compare that to the personnel and capital available to Microsoft. You're telling me Microsoft couldn't do better than the OpenBSD group?

        Why do so many people want to give Microsoft a pass in these matters? It's hard to think of any other entity in the world that would be more capable of doing better than this. It's obvious they don't give a damn about security as long as the sales keep coming. That's what you want to excuse, portray as understandable, smooth over, and encourage by example in other companies? I won't.

        • Re: (Score:2, Insightful)

          OpenBSD doesn't have the same goals and doesn't have to provide the same level of compatibility.

          Windows Security 2008R2 actually has a pretty impressive security record so far. If they stripped it down and provided only core services like OpenBSD it would be even better. The problems really exist in user space where you have a lot of naive people running random executables provided by some very bad people who spend all day looking for holes.
          • If they stripped it down and provided only core services like OpenBSD it would be even better.

            Then you want the Server Core [wikipedia.org] installation option of Windows Server. About bloody time too!

            The problems really exist in user space where you have a lot of naive people running random executables provided by some very bad people who spend all day looking for holes.

            That is easily fixed. Don't give them a mouse. They won't be able to run ANY software then! It won't affect power users, as they should be able to do just about everything using keyboard shortcuts.

• That will break too many apps, so people will not buy it. Windows is too big to do an Apple and just cut off that many people.

    • by DAldredge (2353)
      I know it might be hard but you could look at research.microsoft.com and see all the nextgen OS research they are doing.
      • by cyberkahn (398201)

Yes, I know about research.microsoft.com, but I am looking at what is, not what could be. Unless they were to make a major announcement about a new path forward I don't take what comes out of research.microsoft.com very seriously.

        • by DAldredge (2353)
          You don't take the enhancements that Research has contributed to .Net, Visual Studio, Exchange, SQL Server, NT 6.0 / 6.1 seriously?
          • by causality (777677)

            You don't take the enhancements that Research has contributed to .Net, Visual Studio, Exchange, SQL Server, NT 6.0 / 6.1 seriously?

            I take them seriously because they are highly effective business strategies for making money for Microsoft, in no small part because a shop using those would have great difficulty migrating to another platform.

            Now if more of that research effort went into making Windows less prone to malware we'd start seeing some progress and the Internet would become a better place for everyone, including people who don't use Windows.

    • by gstoddart (321705)

      Microsoft has the capital to develop a new operating system from the ground up.

      Have you even been involved in rewriting software from scratch? Usually you end up missing a whole bunch of use cases, introducing new errors, and completely not getting old ones. It just never seems to work the way people hope it will, and it ends up costing way more than you thought.

      I fear that if MS tried to write an OS from scratch, it would likely be a big step backwards, do less than what we're accustomed to now, and take

      • by cyberkahn (398201)

        "I fear that if MS tried to write an OS from scratch, it would likely be a big step backwards, do less than what we're accustomed to now, and take years of incremental improvements to get back to where we are now. I don't see what you propose as being either viable or possible."

        Why is that? Moving from OS9 to OSX was a major leap. I know it was far easier, since they control the hardware platform, but it has been done before.

        • by gstoddart (321705)

          Why is that? Moving from OS9 to OSX was a major leap. I know it was far easier, since they control the hardware platform, but it has been done before.

Well, not knowing many details about the innards of OS9/OSX -- was this truly a "rewrite" of the OS as you initially said? ("Microsoft has the capital to develop a new operating system from the ground up.")

          Was the transition from OS9 to OSX a "ground up" change? Or was it a swap of the kernel for a more modern one?

          My first thought is that trying to build

          • by Yvan256 (722131)

Microsoft's problem right now is exactly that: backward compatibility. I remember when they said that Windows Vista was supposed to be a complete rewrite from the ground up, that there would be amazing XYZ features, etc. Then they slowly began to remove everything, including the rewrite, until it was basically back to what we could call Windows XP2 (whatever the name).

            When Apple introduced Mac OS X, they had a "classic mode" to allow you to run older Mac OS 9 software on the new OS. Then they added Rosetta,

            • by sirsnork (530512)
              Firewire is already gone from a lot of the Mac range, they are USB only now. Sadly that also means no more target disk, but thems the breaks
              • by Yvan256 (722131)

                I think the non-Firewire models support target disk mode via USB. What's strange is that Firewire got upgraded to FW800 on the new Mac mini models.

          • Re: (Score:3, Informative)

            The OS9/OSX change was, ironically, actually a demonstration of A)how hard it can be to change your OS from the ground up and B)how Apple wasn't up to the challenge.

            Back in the System 7 days, Apple started "Copland [wikipedia.org]" as a next-gen OS to remedy the numerous and hilarious deficiencies in their existing OS. The project was a miserable failure and, after about as much schedule slipping as Apple could afford at that time, they took it out back, shot it, and bought NeXT, and then proceeded to adopt more or less
        • by TheSunborn (68004)

Yes, but remember that the original rewrite of Mac OS by Apple (Copland, I think it was called) was a total failure which never reached a state where it could be released.

          And then Apple bought NeXT and used their OS instead, and the rest is history.

          I don't think that Microsoft can write a totally new from-scratch OS which would be able to run existing Windows software. The amount of undocumented but used side effects in the existing Windows API is simply too big. If you don't believe that, just try to look at s

        • And because they reused the XNU (which they bought), which uses parts of the FreeBSD kernel and of the Mach micro-kernel, which was developed at the Carnegie Mellon University.

• by Bert64 (520050) on Thursday November 25, 2010 @02:41PM (#34344192) Homepage

      Developing an entirely new os is about the worst thing microsoft could possibly do from a business perspective...

Currently their single biggest selling point is compatibility; sure, as you point out, compatibility with something that has a fundamentally flawed design, but still compatibility... If they were to ditch compatibility, then users would have to ditch all their existing apps (especially legacy apps which may be abandonware) and learn a completely new system that's not been tried and tested...

      In other words, they would now saddle themselves with the biggest disadvantages associated with other platforms while offering none of the advantages of those platforms...
      Microsoft ditching compatibility with all their legacy cruft would probably be the best news apple and linux distros could ever receive.

      • Re: (Score:3, Interesting)

        by gstoddart (321705)

        If they were to ditch compatibility, then users would have to ditch all their existing apps

        And, if that happens, there is literally nothing to suggest that they would land on a Microsoft platform.

        It would be bordering on suicide for Microsoft to lose backwards compatibility -- because people could be swayed to end up someplace else.

        Microsoft ditching compatibility with all their legacy cruft would probably be the best news apple and linux distros could ever receive.

        Exactly ... I mean, you can see the ad cam

      • Re: (Score:3, Interesting)

        They might well be able to get away with designing (another, NT being their first) new OS; but a new userspace API or huge security model change would get ugly...

        Even Vista's "Hey, let's actually slightly enforce all those best-practices things about not assuming that everyone is running with Admin privileges at all times, as though it were still Windows 95" was met with a firestorm of nearly pure hate. So much so that, even with Vista to take the flack and several years for 3rd parties to get their act
    • by Sycraft-fu (314770) on Thursday November 25, 2010 @02:50PM (#34344262)

      Seriously, let's hear this brilliant idea that a number of geeks on Slashdot seem to have as to how to design an OS that is perfectly secure against Malware and so on, yet still gives the user full administrative control over their system. So show us a framework or example of some kind where users have the full control they must over personally owned systems, yet the system is 100% secure over bad code. Also then show the design methods that can be used to ensure that there are zero bugs, anywhere, ever, in the design or the implementation and that allow a product to be produced in the timescales demanded by the consumer world (as in it can't take 10 years of validation).

      If you put any real thought in this, you'll realize it can't be done. There is no power without responsibility, there is no perfect system that is 100% bug free.

      That being the case, stop whining.

      For this particular thing, this is a local privilege exploit. It is a bug, a mistake, one that will be fixed. If you Google around you'll find that Linux has had plenty of these through out its history. Something is done wrong such that a program can elevate when it isn't supposed to. They are bugs to be patched, but not super critical since you still have to get malicious code on to the local system and get it to execute. They are more of a concern on multi-user systems but even then it is rarely a panic situation.

So seriously, enough with this "OMG MS just needs to make a 100% perfectly secure OS!" shit. It shows massive ignorance of how complex an OS is, and what all you have to balance. No problem with that, you needn't learn about it if you don't want, but then don't argue from a position of ignorance and assume that they could make a perfect OS if only they wanted to bad enough.

No security is perfect. People who do security in the real world, physical security, have always known this. For some reason many people who do virtual security delude themselves into thinking it is different. No it isn't, there is no perfect security. So have defense in depth. Be mindful of where you visit on the web, don't download random shit, run a quality virus scanner that checks data as it comes in from the web, use a deprivileged browser (something in protected mode, if your browser supports it), have a firewall, have UAC turned on, think before you execute a program. None of that is perfect, none of that is something that can't ever fail, but with layers of protection if one fails, you've others to fall back on.

      • Re: (Score:3, Insightful)

        by Myopic (18616)

        I only read your first sentence. I'm pretty sure the brilliant idea is install NetBSD.

    • This bolting on of security solutions like UAC isn't going to to cut it anymore.

      Why? And what will be improved by rewriting the OS? There still has to be some permission system to be able to install software without having to login to another account. What mechanism would you suggest they use? How would that be immune to security bugs?

      ...what Apple did by porting OSX for Intel in parallel says volumes about their company.

      What does it say about them? How does that compare with Microsoft writing Windows NT for Intel x86 PC compatible, DEC Alpha, and ARC-compliant MIPS platforms, with PowerPC being added later?

  • by harryjohnston (1118069) <harry.maurice.johnston@gmail.com> on Thursday November 25, 2010 @02:53PM (#34344294) Homepage

    This is a perfectly ordinary elevation-of-privilege vulnerability. Just like every other elevation of privilege vulnerability it also happens to be capable of bypassing UAC's split-token protection, but the vulnerability itself isn't related to UAC in any way.

    In particular, if the workaround suggested in the article is correct, this vulnerability can't be used to escape from Internet Explorer Protected Mode (the other major function of UAC).

    • Of course (Score:2, Insightful)

      by Sycraft-fu (314770)

      UAC isn't really anything special, just an easy way for running as a deprivileged user. However many Slashdot types love to hate on it not only because it is from Microsoft, but because it messes with one of their talking points. For the longest time Linux (and OS-X) types hated on Windows because people ran as administrators. They talked about how amazingly insecure that was, how big a problem, how MS didn't care about security and so on. Many people tried to explain to them that it really doesn't matter,

      • Re: (Score:3, Funny)

        by Myopic (18616)

        I don't hate UAC because it's from Microsoft. I hate UAC because I think it is totally stupid that I have to change a filename, then say yes I want to change the filename, then say yes I really want to change the filename, then say yes I really, really want to change the filename. Four times? Why is four times the magical threshold between security and insecurity? For me, the number of times is zero (I know when I want to change a filename, and no amount of dialog boxes is going to change my mind, so they s

  • Registry (Score:2, Insightful)

    by lyinhart (1352173)
    From the article: "The flaw is related to the way in which a certain registry key is interpreted..." Another argument for abolishing the Windows registry and storing setup information in plain text files. Not like that's going to happen...
    • Re:Registry (Score:5, Insightful)

by Spad (470073) on Thursday November 25, 2010 @03:19PM (#34344472) Homepage

      "The flaw is related to the way in which a certain config file is interpreted..."

    • The Windows registry is just a database that sits on the file system. Parts of the database are maintained in memory for extremely fast access. The database also handles locking when multiple applications need to have access, or write to the same piece of data at the same time. The registry was made to replace the need to keep the following from happening...
(My application needs an INT value that describes something.)
      1. opening a file.
      2. locking a byte range.
      3. seeking to the byte range on the disk.
      4

      • There's nothing "special" or evil about the windows registry.

        IMO, the stupid thing about the registry is that they made up a bizarre byzantine custom API for it, when it could have been done with the familiar POSIX file API, like the /proc filesystem in Linux. (Having to call atoi() on a retrieved data value is not going to noticeably slow down your app relative to the overall system call overhead.)

It didn't help that the whole thing tended to go corrupt and die back in the early days. It's never really shaken that initial reputation.

    • by Soko (17987)

      Really? Switching to text files would magically fix this??

      This flaw is not related to how the registry is loaded and/or interpreted, actually it's not the fault of the registry at all - it's a kernel exploit. The mitigation is to tweak *permissions* on a couple of reg keys that should have been tightened up in the first place. It's akin to allowing SUID root on the sudoers file and a kernel vulnerability that allows $BAD_GUY to use that fact - it's not the file itself.

      Whether the info is in a database of bi
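      As an added, defender-side example (not from the article or from any commenter here): a PowerShell audit that lists which low-privilege principals hold write-capable rights on a registry key, the kind of over-permissive ACL the comment above says the mitigation tightens. The key paths are placeholders, since the thread does not quote the article's actual keys; the principal list and the set of rights treated as "write" are my assumptions.

```powershell
# Added example, not from the article or the thread. Lists Allow ACEs on a
# registry key that grant write-capable rights to low-privilege principals.
# Key paths below are PLACEHOLDERS: substitute the keys named in the advisory.

# Principals that any local user or interactive logon belongs to (assumption).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller change what the kernel later reads from the key,
# or change who may do so (assumption about which rights matter).
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-WeakRegistryAce {
    param(
        [Parameter(Mandatory)]
        [string] $KeyPath   # PowerShell drive syntax, e.g. 'HKLM:\SOFTWARE\PLACEHOLDER_KEY'
    )
    # Get-Acl throws if the key does not exist or cannot be read; let that surface.
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # RegistryRights is a [Flags] enum; a non-zero AND means at least one write right.
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
            }
        }
    }
}

# Usage: audit each key and print any low-privilege principal holding write rights.
$KeysToAudit = @(
    'HKLM:\SOFTWARE\PLACEHOLDER_KEY_1',
    'HKLM:\SOFTWARE\PLACEHOLDER_KEY_2'
)
$weak = $KeysToAudit | ForEach-Object { Get-WeakRegistryAce -KeyPath $_ }
if ($weak) { $weak | Format-Table -AutoSize } else { 'No weak ACEs found on the audited keys.' }
```

      Run it before and after applying the vendor workaround to confirm the offending ACEs are gone; an ACE reported as inherited has to be removed or blocked at the parent key rather than on the key itself.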

  • Can't we just say "uncle" and start over with something else?  I'd give anything to be rid of Exchange and Active Directory.
  • by nurb432 (527695) on Thursday November 25, 2010 @03:40PM (#34344618) Homepage Journal

    No, but the 'windows startup sound' is.
