Windows? Insecure?

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,626
Location
I am omnipresent
I'm sure cas has already heard about this but maybe the rest of you haven't.

The simple explanation is that the gentleman who wrote that article figured out an easy way to use a flaw in Windows message-passing code to grant himself higher-than-Administrator user rights from a guest account.

... and Microsoft says it isn't a problem.

In this case I do understand the Microsoft point of view. But the fact that a hole like that exists is not entirely comforting.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
This is nothing new. And I'm pretty sure this is not the flaw that the MS VP was referring to in his testimony. Inter-process communication is useful and necessary but should be secured. What is even scarier than being able to send arbitrary messages to any window is being able to hook into any process you want and get your code to run.
I used this technique to get into Microsoft Word and put my own window in there in addition to filtering keystrokes to make a document truly read-only.
 

simonstre

What is this storage?
Joined
Mar 31, 2002
Messages
61
And this is only what we see and know, Mercutio. I'm a developer, and I know how things are made... and it is less than uncomfortable. If they admit that there is a security hole and that they can't do anything about it... imagine what's not yet discovered.

I don't really blame the guys who left the hole behind... I blame the manager that ordered the hole to be unfilled. Perhaps he needs more privileges :)
 

Pradeep

Storage? I am Storage!
Joined
Jan 21, 2002
Messages
3,845
Location
Runny glass
Mercutio said:
I'm sure cas has already heard about this but maybe the rest of you haven't.

The simple explanation is that the gentleman who wrote that article figured out an easy way to use a flaw in Windows message-passing code to grant himself higher-than-Administrator user rights from a guest account.

... and Microsoft says it isn't a problem.

In this case I do understand the Microsoft point of view. But the fact that a hole like that exists is not entirely comforting.

Well, once you have executed malicious code or have lost physical security of the machine then you are farked for sure. A truly secure computer is not connected to a network at all, certainly not the Internet.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,626
Location
I am omnipresent
A truly secure machine isn't connected to a network and is sunk in two feet of concrete (along with all its cables).

Oh. And it isn't turned on, either.

The other side of this is that I would've assumed Windows would do some kind of checking to determine the source of the messages being passed, since it's built for security and all (well, NT is, anyway).
 

Pradeep

Storage? I am Storage!
Joined
Jan 21, 2002
Messages
3,845
Location
Runny glass
While I enjoy using win2k (and winXP to a smaller extent) I would be the first to agree with you that I would never store any secrets pertaining to national security on an MS OS.
 

cas

Learning Storage Performance
Joined
May 14, 2002
Messages
111
Location
Pittsburgh, PA
Since the VirusScan Console runs on my desktop as LocalSystem

Will is off base when he suggests that programs can send arbitrary messages to any window. In NT, windows are secured by sandboxes called Window Stations. These stations are protected by standard ACLs. You may have noticed the check box "Allow Service to Interact with Desktop". This is an example of window stations at work.

Keith Brown’s Programming Windows Security describes an imaginary USER exploit by pumping keystrokes into the Explorer Shell. Effectively the reverse of what Foon describes. The rest of the chapter explains how Window Stations are designed to prevent this type of attack.

In this case, an Administrator pierced the trusted computing base when they installed Network Associates’ software. There is no end to the number of dangerous programs an administrator can install; after all, 100% of kernel drivers can access all of the memory in the system. This is true of all operating systems.

The recommended practice, which was not followed in this case, is to have the virus checker run in a non-interactive window station (not that it should ever create a window), and have the console use kernel IPC to communicate with the service. I have never written a service that did not work this way.

Microsoft deserves to be chastised for legitimate security holes in Windows, but not the sloppy practices of third party developers.
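
An added example, not part of any post in this thread and not vendor code: a PowerShell audit that lists services configured with the "Allow Service to Interact with Desktop" check box cas mentions, which is stored as the SERVICE_INTERACTIVE_PROCESS bit (0x100) of the service's Type registry value. The function names are illustrative, and the Type values in the last lines are constructed samples.

```powershell
# Added example: find services that share the interactive window station.
# SERVICE_INTERACTIVE_PROCESS is the bit the "Allow service to interact with
# desktop" check box sets in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Type.
$SERVICE_INTERACTIVE_PROCESS = 0x100
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ControlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'

function Test-InteractiveType {
    # True when the interactive bit is set in a service Type value.
    param([int]$Type)
    return (($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0)
}

function Get-InteractiveService {
    # Walk every service key; drivers and keys without a Type never match.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { return }
        if (-not (Test-InteractiveType -Type $p.Type)) { return }
        # A missing ObjectName means the default account, LocalSystem.
        $account = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
        [pscustomobject]@{
            Name      = $_.PSChildName
            Account   = $account
            Type      = '0x{0:X}' -f $p.Type
            ImagePath = $p.ImagePath
        }
    }
}

function Get-NoInteractiveServices {
    # Non-zero NoInteractiveServices tells the system to refuse the flag.
    $c = Get-ItemProperty -Path $ControlKey -ErrorAction SilentlyContinue
    if ($null -eq $c) { return 0 }
    return [int]$c.NoInteractiveServices
}

# Live audit: each row is a service whose windows, if it creates any,
# sit on the logged-on user's desktop.
Get-InteractiveService | Sort-Object Name | Format-Table -AutoSize
'NoInteractiveServices = {0}' -f (Get-NoInteractiveServices)

# Constructed sample Type values: 0x10 = own process, 0x110 = own process
# plus the interactive bit, 0x120 = shared process plus the interactive bit.
foreach ($t in 0x10, 0x110, 0x120) {
    '0x{0:X} interactive: {1}' -f $t, (Test-InteractiveType -Type $t)
}
```

Any service this reports is a candidate for the split cas describes: a windowless service plus a separate console that talks to it over IPC.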
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Learn something new every day...
So say I was to try and inject my code into a service process that isn't interacting with the desktop (no windows) using SetWindowsHookEx. Assuming I could get the ThreadId (is that even possible?) would this method even work since the process never creates any windows? Does it even have a message queue? Sorry, I don't know much about NT services, just your standard everyday Windows apps.
 

cas

Learning Storage Performance
Joined
May 14, 2002
Messages
111
Location
Pittsburgh, PA
I write software for Windows all of the time, but I almost never write software that pumps messages. Only interactive software, which creates visible windows, should work this way.

NT services should not create windows at all. Even if they did, you would not be able to hook their messages, without access to the Window Station and its corresponding Desktop. These are protected with ACLs. Specifically, you would need DESKTOP_HOOKCONTROL permissions to do what you describe.
 

Prof.Wizard

Wannabe Storage Freak
Joined
Jan 26, 2002
Messages
1,460
Mercutio said:
... and Microsoft says it isn't a problem.

In this case I do understand the Microsoft point of view. But the fact that a hole like that exists is not entirely comforting.
Are you still hunting MS Mercutio...? :wink:

Gee, I miss SF/SR so much! But from the beginning of September I'm back!
 

Sol

Storage is cool
Joined
Feb 10, 2002
Messages
960
Location
Cardiff (Wales)
As I understand it Windows 2000 has the necessary security to be used for class 4 (US) government operations (Damn the US government and their stupid codes) as long as it's not plugged into a network.
So how can releasing the code jeopardise national security if someone has to break in to a secure facility to access the system anyway?
Windows has many holes, everyone knows that, once someone has access to the actual PC your data is no longer secure, it doesn't matter what OS you're using.

I guess it's just another case of the blind judging the confusing, or some such.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,626
Location
I am omnipresent
There's a little bit of a myth in US government security classifications. NT was widely trumpeted to have "C2" security. The thing is, that security rating depends on 1.) Using a particular variety of Compaq server that hasn't been made since 1995 (the rating is for a particular computer system, which includes both hardware and software) and 2.) NT 3.5.

Microsoft did not complete security certification for any more advanced version of Windows.
 

cas

Learning Storage Performance
Joined
May 14, 2002
Messages
111
Location
Pittsburgh, PA
This is not strictly true. More recent versions of NT have received C2 certification; nevertheless, Mercutio makes a valid point. Certifications are valid only for specific configurations.

Even so, it is important to understand that the granting of C2 certification for any version of NT requires the availability of certain features in the operating system.

The most important of these for C2 are the ability to authenticate individual users, and control access and auditing through ACLs. Other features of NT, such as zeroing memory and disk allocations are also important.

At the time of NT’s release, these features were rare in broadly used operating systems, and remain somewhat uncommon today.
 