Vista security issues?

Status
Not open for further replies.

milkweg

[H]ard|Gawd
Joined
Sep 6, 2007
Messages
1,523
I was reading a security Usenet group and found this post from someone. Care to dispute his claims?

- you can spoof filename via desktop.ini, which itself can be triggered by shell namespaces
- UAC doesn't apply to all administrative actions and is trivial to spoof; if you run as admin, it is trivial to circumvent; it provides no isolation; if a file includes a prudent application manifest or triggers the setup program detection, it won't even let you run a program without elevation
- PatchGuard makes it trivial to corrupt kernel memory just by debugging an application in usermode
- not even talking about what system access you get granted for simply presenting a DRMed media file...
 
techno-babble meant to sound intelligent and confuse people. Ask for a URL that documents or demonstrates these exploits (maybe something that writes 'helloworld.txt' in c:\windows), until provided, I think I'm going to call BS. :rolleyes:
 
I have asked him to qualify his comments but considering he is a whitehat I think he knows of what he speaks. I'll wait for his reply.

I've seen him post proof code in the past showing how any firewall can be circumvented so he is not just making it up.
 
Post a google groups link so we can see this 'white hat'. [edit] Also, what's the 'white hats' name, he must be famous..
 
If all are so trivial, I'm sure he posted links to a proof of concept for each one. <snicker>
 
I'll post more when I get more info. Until then, I have my fire retardant underwear on.
 
Yea, he's an arrogant SOB but what else did you expect from a "whitehat"? :) BTW, he's never said he is a whitehat but I can tell from his past posting history that he is.

> The best defenses are:
> 1. Do not work in elevated level;


Doesn't matter; in Windows Vista it's trivial to elevate with any consent.

> Day-to-day work should be
> performed while the User Account Control (UAC) is enabled.


UAC is trivial to spoof, and since it doesn't apply to all administrative actions it's trivially insecure. Even further, since there's no need to approve administrative actions if an elevated program is running in the desktop context of an unprivileged, it's even more insecure.


> 4. Reconsider the usage of IE.


There is nothing to reconsider. IE is a perfectly fine ActiveX Rich Platform Client, a wonderful platform to implement complex software clients in a trusted environment.
The only problem is that some people seem to understand it as a web browser, and consequently abuse it as such. Obviously a stupid idea.

> 7a.If on high-speed internet use a router as well.


Huh? Why?

> 9. Regularly back-up data/files.


And why isn't this #1?

> 11.Utilize a real-time anti-virus application


Wonderful idea. Introduce a horribly buggy and pretty useless piece of software....



> I'm running Comodo firewall pro v3 on Vista and it's been fine.


Which only shows that you never bothered auditing it.

> I also like Online Armor

Which supports my claim, since this one is even worse.

OK, one shouldn't expect much if any understanding of security from a Windows Live Mail user... but please, if you have no clue, then please don't make suggestions to others.
 
Hey, I posted not too long ago that UAC is inconsistent and got flamed for it. Well, what he says backs up my claim. Now I just need his proof of concept to put you all to bed.
 
Doesn't matter; in Windows Vista it's trivial to elevate with any consent.

> Day-to-day work should be
> performed while the User Account Control (UAC) is enabled.


UAC is trivial to spoof, and since it doesn't apply to all administrative actions it's trivially insecure. Even further, since there's no need to approve administrative actions if an elevated program is running in the desktop context of an unprivileged, it's even more insecure.

This is just a repeat of what you already told us milkweg. The rest of the post is not even related so I don't know why you included that.

Anyway, when you run with UAC on, you run with a standard user token, so it is by definition IMPOSSIBLE to do admin level things without consenting to the elevation prompt (or entering your password) which then gives you an Admin token for that one process (and its children obviously). If it doesn't require an admin token (and therefore invoke a consent/password prompt) then it is not an admin task and therefore you are not violating security if you do it without a prompt and OK/password.

But all software is capable of having bugs, so the expected behavior may not be witnessed in certain circumstances, this is why all OSes and browsers have unpatched exploits that you can look into over at secunia, and probably others not even listed there. However he seems to imply that UAC doesn't do as it portends to do when working properly, that wouldn't be possible, to be to the point, for the reasons I explained.

Anyway, his writings lack any kind of specifics necessary to evaluate the truthfulness of his claims beyond what I've addressed, I mean, maybe he means UAC can be spoofed if someone logs onto your computer (because you set no password for the account) and then runs a program and hits yes on the UAC prompt. That is technically 'spoofing' UAC successfully by some definitions, but is not considered a security exploit since the user didn't take appropriate actions to mitigate that specific attack when that was easily possible (i.e. add a password and don't let anyone access your hardware unless you encrypt your files). UAC also locks out programs from sending keyboard or mouse messages when the prompt is onscreen, so no other program can send '<tab><tab><enter>' for example which would highlight 'OK' and then simulate an 'enter' key.

I think you see where I'm going here, it is possible (as it is possible in all OSes) that the code has a bug that allows elevation, this is the reason you have to patch OSes, but that's not a design error. If he has such a bug, which is possible, he still hasn't documented or demonstrated it, until he does he has no credibility. Anyways, it's become a world pastime to spout off about windows while not knowing what you're talking about, so odds are he's just looking to impress some impressionable and ignorant people if he can find them like so many others do every single day in every forum on the internet. Until he can provide a specific proof (with test code) or a security organization or Microsoft makes a statement on it, it should be ignored as Yet Another Uncredible Claim About Microsoft Security.
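The post above describes the token model: with UAC on, an administrator's day-to-day session runs on a filtered standard-user token, and only a consented elevation produces a process holding the full admin token. The following is an added defender's check, not code from any poster in this thread, that inspects the token of the current PowerShell session: whether it is elevated, and whether ACL-bypassing privileges such as SeBackupPrivilege and SeRestorePrivilege (the ones the Usenet poster points at) are present at all. In a non-elevated session under UAC these privileges should be absent from the filtered token; in an elevated session they appear, typically in the Disabled state until a program enables them.

```powershell
# Added example: audit the token the current process runs under.
# Assumes Windows with UAC enabled; no third-party modules required.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# With UAC on, IsInRole(Administrator) is only true for the full (elevated)
# token; the filtered token of a normal admin session reports $false.
$isElevated = $principal.IsInRole($adminRole)

# 'whoami /priv' lists the privileges held by the current token.
# /fo csv yields the columns "Privilege Name", "Description", "State".
$privileges = whoami /priv /fo csv | ConvertFrom-Csv

# Privileges that bypass file ACLs (backup/restore) or allow attaching to
# other processes (debug). Their mere presence is what an auditor wants to see.
$watchList = @('SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege')

$sensitive = $privileges | Where-Object { $_.'Privilege Name' -in $watchList }

$summary = [pscustomobject]@{
    User                = $identity.Name
    Elevated            = $isElevated
    PrivilegeCount      = @($privileges).Count
    SensitivePrivileges = if ($sensitive) {
        ($sensitive | ForEach-Object { "$($_.'Privilege Name') ($($_.State))" }) -join ', '
    } else {
        '(none present in this token)'
    }
}

$summary | Format-List
```

Run it once from a normal session and once from an elevated one (right-click, Run as administrator) to see the two tokens side by side; a non-elevated session that already carries SeBackupPrivilege or SeRestorePrivilege would be the anomaly worth investigating.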
 
I only posted it to show you he is arrogant. He is German BTW so it is understandable. ;)

I've asked for his proof and will see what he gives me and post it here.

Please attempt to use paragraphs in future. Makes it easier to follow what you are saying. This is not a flame, just a request.
 
This guy is blocked from me and I still find this thread funny. Mr. I been trained by the professional and using computers since what was it...89?

My apologies though since I don't even know what this thread is about since I blocked him but I just found it funny.
 
If you have me blocked and don't even know what the thread is about then WTF are you even posting? Oh, yeah, just so you can make a personal attack. Piss off.
 
Here's the newsgroup thread in question:

http://groups.google.com/group/comp...608fa26551a/dcb9effb14c06b9e#dcb9effb14c06b9e

You can also look at his other posts to get some idea of his credibility.

Yea, and that's me who said he is talking out of his arse.

He says read this for proof.

Actually you can easily derive a PoC just from the description. For example the filename localization issue is well known, and you can take already existing desktop.ini files utilizing this feature directly from the Vista installation. Or, for example, a privilege that doesn't require UAC consent is SE_BACKUP_RESTORE_PRIVILEGE, which allows you to bypass all ACLs and grants access to the raw disk.
On the other hand, you'll find in-detail information about the implementation of PatchGuard at <http://uninformed.org/>. With a bit of detailed understanding, you'll see that debugging heavily interacts with PatchGuard in almost unforeseen ways (since it is, by itself, nothing but a dirty kernel hack).
 
LOL @ how he dances around when he's asked for proof. He has nothing that doesn't already involve a hacked system. :rolleyes:
 
What do you mean a hacked system? Where does he once mention an already hacked system? He doesn't so stop making shit up. Go read the url posted at least before you make uninformed comments. You know? The more I read this forum the more certain I am that it has Microsoft plants doing damage control. Any negative opinion of Microsoft's OS at all and the rabid dogs are unleashed. He's posted his shit to back up his comments now let's see yours that prove he is wrong. Haven't seen any yet, just rabid dogs yapping away at my heels.
 
Care to dispute his claims?
Well, it doesn't work that way. The person making the claims has the burden to back it up, and not just point to the main page of some site.

IOW, he can put up or shut up. Talk about people who blindly want to believe something. :rolleyes:
 
That site is full of various exploits. Only need to read some of it to see he is not making it up.

As I've said before. I've seen him post code with a link on how to spoof any software firewall so I know he is not just some Usenet troll.
 
I just invented tabletop cold fusion. For reals this time! It generates power beyond the input power and everything. http://en.wikipedia.org/wiki/Fusion_power

Care to dispute my claims?

I've posted several true things on [H] so you know I'm not just some forum troll. :cool:

Just amazing.
 
Yea, and that's me who said he is talking out of his arse.

He says read this for proof.

Actually you can easily derive a PoC just from the description. For example the filename localization issue is well known, and you can take already existing desktop.ini files utilizing this feature directly from the Vista installation. Or, for example, a privilege that doesn't require UAC consent is SE_BACKUP_RESTORE_PRIVILEGE, which allows you to bypass all ACLs and grants access to the raw disk.
On the other hand, you'll find in-detail information about the implementation of PatchGuard at <http://uninformed.org/>. With a bit of detailed understanding, you'll see that debugging heavily interacts with PatchGuard in almost unforeseen ways (since it is, by itself, nothing but a dirty kernel hack).

There is still no proof of concept for any of these 'exploits'. The only one that isn't total BS, is the patchguard thing on that uninformed.org website. There is actually a 'paper' for this. However two things, 1. no proof of concept code so we don't know if the paper is BS or not 2. patchguard is not real protection, by design. It's supposed to make it hard for programs that already have admin access to modify certain parts of the kernel, and only does this by lightly obscuring the kernel parts in question, from what I recall reading not too long ago.

There is no way to make patchguard 'uncrackable' it just makes it unlikely things you ALREADY GAVE ADMIN ACCESS TO and therefore can modify anything on the system anyways will modify parts of the kernel without the system immediately shutting down. Non-admin things still can't access the kernel even if patchguard is completely 'cracked' (ie, the obfuscation employed is completely reverse engineered). Patchguard is not actually a security feature from that perspective.

Even though the burden of proof is on you and your friend from usenet, I did a google search for the desktop.ini thing and the SE_BACKUP_RESTORE thing and found nothing at all. You have no proof of concept code for anything, you have no web source for the actual things that could be considered 'security exploits' nor can anyone else find them. With all of this in hand, you come in here charging we are "MS plants" intent on deception and lies because we point this out. You can't possibly be serious? You need to run back to usenet where BS passes for fact and logic, because it's not really going to fly here.

That site is full of various exploits. Only need to read some of it to see he is not making it up.

But they aren't exploits of Vista or any of the subsystems you asked about in your original post on this topic.

As I've said before. I've seen him post code with a link on how to spoof any software firewall so I know he is not just some Usenet troll.

Just because you saw code doesn't mean it performed as promised. Did you try it out? Can you point us to it? I mean, your friend has all this amazing hacker knowledge, yet malware doesn't use any of it, don't you find that a little suspicious? If all software firewalls could be bypassed, all malware would do it and we'd see it in the news of sites like [h]ard and security sites. This guy could sell you beach front property in Arizona, from the looks of it, all he'd have to do is use some long words..
 
That site is full of various exploits. Only need to read some of it to see he is not making it up.

As I've said before. I've seen him post code with a link on how to spoof any software firewall so I know he is not just some Usenet troll.

You should spend some time reading up on logical fallacies.


i.e.,
http://en.wikipedia.org/wiki/Negative_proof
http://en.wikipedia.org/wiki/Burden_of_proof_(logical_fallacy)

e.g.,
This newsgroup poster has stated that Vista is insecure - and since [H] members have not proven that Vista is unequivocally secure, he must be (or it is likely that he is) correct.

The two logical fallacies here:
1. Since we have no specific examples to go by, the burden of proof on us (to prove that Vista is unequivocally secure) is impossibly high.
2. Proof of negative: "X is true because there is no proof that X is false."
 
I just invented tabletop cold fusion. For reals this time! It generates power beyond the input power and everything. http://en.wikipedia.org/wiki/Fusion_power

Care to dispute my claims?

I've posted several true things on [H] so you know I'm not just some forum troll. :cool:

Just amazing.

What's amazing is your poor attempt to obfuscate the facts and try and discredit my post.
Come on, admit it. You are a Microsoft employee.

And let's get something straight. He is not my friend at all and we have locked horns quite a few times in the past. But now I am giving him the benefit of the doubt and am trying to get more info out of him. I told him he is talking out of his arse but I have apologized for that comment because it is to my benefit to play it neutral with him right now. Will post more when I get more info. If he doesn't provide it then he will be getting a mouthful. At least on Usenet I can flame with impunity.

Also, it is common knowledge to many people involved in computer security that software firewalls can be bypassed. The reason not all malware can do it is because the programmer of the malware doesn't know how to do it.
 
The two logical fallacies here:
1. Since we have no specific examples to go by, the burden of proof on us (to prove that Vista is unequivocally secure) is impossibly high.
2. Proof of negative: "X is true because there is no proof that X is false."

Yea, but I have posted *some* evidence of proof and yet you all discount it as the ramblings of an internet loon. Who is the more objective here?
 
To be honest, there's just not been that many Vista exploits, and Vista's security seems to have helped mitigate a number of general Windows exploits. In the real world, my biggest concerns are silent attacks like worms and browser attacks.

Can someone intelligently discuss REAL WORLD examples of dangerous and active malware that's attacking Vista successfully. That's the stuff that people really are curious about, not theoretical attacks. While interesting, if they are still theoretical, they don't pose a real threat at least not yet.
 
Yea, but I have posted *some* evidence of proof and yet you all discount it as the ramblings of an internet loon. Who is the more objective here?

What you posted is not actually proof though. Proof is code that actively exploits these vulnerabilities, or a statement from a known and credible security organization (or Microsoft) that the vulnerabilities exist. No matter how many technical sounding arguments your friend on usenet makes, it still doesn't qualify.


Also, it is common knowledge to many people involved in computer security that software firewalls can be bypassed.

No it is not common knowledge that software firewalls can be bypassed. It's possible for any firewall, software or hardware, to have a bug that can be exploited that may allow the firewall to be bypassed, but you insinuate that it is impossible to have a software firewall that actually works, and that's not true, and again you have no proof of concept code nor statements from security organizations, just usenet rumors. And in fact it makes no sense, since a 'software' firewall is no different than a 'hardware' firewall, they are both software running on a piece of hardware, people just call them 'hardware' firewalls in a metaphorical way that indicates it does that and not much else or nothing else as opposed to being a 'general' purpose computer. The difference has nothing to do with the effectiveness of the firewall, but running a so-called 'hardware' firewall lessens the resource usage on your computer, so they are seen as a positive.

The reason not all malware can do it is because the programmer of the malware doesn't know how to do it.

Doesn't matter, if any malware did it, that malware would be extremely common, and would get press coverage like blaster, and code red and iloveyou. Hardware firewalls aren't that common, yet there hasn't been a major worm in the news since SP2 for XP went out, which included a software firewall turned on by default. If software firewalls are known to be easy to bypass, why aren't there any worms in the news these days infecting all the XP SP2 and Vista machines? Simply because it is another internet rumor with no truth in it. And if it's 'common knowledge' software firewalls can be bypassed, then a lot of malware writers would know too. If you could find one piece of malware that could bypass all software firewalls, then you would win the argument. All you have to do is go to security sites that describe malware and find one with a description that says 'this malware can bypass all software firewalls', until you do that or show proof of concept code, you have no facts on your side, just stupid internet rumors.
 
Hardware firewalls aren't that common, yet there hasn't been a major worm in the news since SP2 for XP went out,

I agree with everything you said, except I think that hardware firewalls are pretty common these days. If you have a wireless router, you have a firewall. Not saying that most are setup properly, but they are in millions of homes these days.

Once again, I ask, what are the current real threats against Vista. Not user installed trojans and email, I'm talking about worms and web hosted threats that can silently and without user interaction affect a system. These are the threats concern all users by their nature.
 
I agree with everything you said, except I think that hardware firewalls are pretty common these days. If you have a wireless router, you have a firewall. Not saying that most are setup properly, but they are in millions of homes these days.

I know routers have firewalls, but most people don't have them that connect to the internet. Average users aren't [h]ardforum members, they are people that don't even know what a router is. And I know my cable ISP's modem has no hardware firewall and it is the biggest cable internet provider in the US (comcast). And why didn't all these hardware firewalls protect against blaster and codered, etc? There is no evidence hardware firewall usage significantly picked up between then and now.

Once again, I ask, what are the current real threats against Vista. Not user installed trojans and email, I'm talking about worms and web hosted threats that can silently and without user interaction affect a system. These are the threats concern all users by their nature.

The reason you aren't getting any answers is because there are no threats against Vista, except user installed crap. The firewall keeps out worms, Protected Mode IE7 keeps out 'driveby' spyware and trojans, and auto-updates doubles the protection of those components. Some people can't believe MS could secure Windows, but that's exactly what happened with Vista, it's virtually malware proof unless the user installs the malware.
 
Strange that the expert cited by the OP didn't claim the $20,000 prize yesterday or $10,000 prize this week in the CanSecWest contest. LOL

Such "trivial" security hacks should have been used by now, or both are full of hot air.
 
Strange that the expert cited by the OP didn't claim the $20,000 prize yesterday or $10,000 prize this week in the CanSecWest contest. LOL

Such "trivial" security hacks should have been used by now, or both are full of hot air.

I was just going to post about that, lol. Oh yea, the contest was organized so that yesterday network attacks were allowed. This was solely a test of each OS's SOFTWARE firewalls. None of the machines were hacked. For 20,000 dollars! More proof that software firewalls being easy to bypass and this being 'common knowledge' is a bunch of BS.

Btw, Mac OS X was hacked today (the day browser attacks were allowed), and was hacked in 2 minutes. Vista and linux have still not been hacked. That should say something about Vista security to those who were wondering about active attacks out there. Remember this is for a LOT of cash and a notebook..
 
Btw, Mac OS X was hacked today (the day browser attacks were allowed), and was hacked in 2 minutes. Vista and linux have still not been hacked. That should say something about Vista security to those who were wondering about active attacks out there. Remember this is for a LOT of cash and a notebook..

Linky to this stuff? Not doubting you at all, just want to read the whole article ;)

And I'm with the others. If there is some magical code that could crack any software firewall, why isn't it spreading like mad?

And these examples he posted are really flaws of the user, not the OS. (like logging into a machine with no password, or tricking the user, or already having malicious software prior to the "exploit").
 
What you posted is not actually proof though. Proof is code that actively exploits these vulnerabilities, or a statement from a known and credible security organization (or Microsoft) that the vulnerabilities exist. No matter how many technical sounding arguments your friend on usenet makes, it still doesn't qualify.

If you want me to give you any credibility then why say "my friend" when it's quite obvious to both of us you say that as a way to try and discredit me. I am not that dumb, "my friend". Go do some research on what I speak of instead of spouting BS that you know nothing about. There's a reason software firewalls are called snake oil.
 
You should spend some time reading up on logical fallacies.


i.e.,
http://en.wikipedia.org/wiki/Negative_proof
http://en.wikipedia.org/wiki/Burden_of_proof_(logical_fallacy)

e.g.,
This newsgroup poster has stated that Vista is insecure - and since [H] members have not proven that Vista is unequivocally secure, he must be (or it is likely that he is) correct.

The two logical fallacies here:
1. Since we have no specific examples to go by, the burden of proof on us (to prove that Vista is unequivocally secure) is impossibly high.
2. Proof of negative: "X is true because there is no proof that X is false."

Straw man argument and an attempt to obfuscate the real issue at hand. Definitely a Microsoft plant.
 
If you want me to give you any credibility then why say "my friend" when it's quite obvious to both of us you say that as a way to try and discredit me. I am not that dumb, "my friend". Go do some research on what I speak of instead of spouting BS that you know nothing about. There's a reason software firewalls are called snake oil.

"your friend" is a figure of speech, I don't really care what he is to you. And you still have no proof that all 'software' firewalls (which are the same as 'hardware' firewalls, in that it is software running on hardware, duh kid) are easily bypassed, such as proof of concept code, until you do, YOU'RE the one 'spouting BS that you know nothing about'. And only idiots call 'software' firewalls 'snake-oil'. You came here asking for help with an issue, when we tell you that the issue is a non-issue because there is no proof it exists, you get defensive and insulting. Get a clue and a life.

Straw man argument and an attempt to obfuscate the real issue at hand. Definitely a Microsoft plant.

The epitome of arrogance and ignorance right there, presuming anyone that disagrees with you was paid to do so makes you an idiot, give it up already kid.
 
> and auto-updates doubles the protection of those components.

Which is only made available usually on the second Tuesday of every month. Power users don't use auto update because they know that too often people get bitten by bad updates doing that. You walk and talk like a Microsoft drone. You must be one!
 
"your friend" is a figure of speech, I don't really care what he is to you. And you still have no proof that all 'software' firewalls (which are the same as 'hardware' firewalls, in that it is software running on hardware, duh kid) are easily bypassed, such as proof of concept code, until you do, YOU'RE the one 'spouting BS that you know nothing about'. And only idiots call 'software' firewalls 'snake-oil'. You came here asking for help with an issue, when we tell you that the issue is a non-issue because there is no proof it exists, you get defensive and insulting. Get a clue and a life.

The difference being that hardware firewalls are written to eprom and not a file on your HDD and are always password protected, unless you are really dumb. But many firewalls of all kinds are spoofed every day so your claim that it can't be done and they really do protect us is pure BS. If a hacker wants in they will get in. The only way you are secure is to pull the internet connection from out of the wall. Let's not kid ourselves and pretend we are ever secure. No such thing exists.
 
The epitome of arrogance and ignorance right there, presuming anyone that disagrees with you was paid to do so makes you an idiot, give it up already kid.

What are your motives to tell lies then?
 