
Windows Vulnerable To 'Token Kidnapping' Attacks

timothy posted more than 4 years ago | from the token-of-my-affection dept.


cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."


About Software (0, Redundant)

Halborr (1373599) | more than 4 years ago | (#32939352)

All software has bugs, that's just a matter of fact. When computers are networked, some of those bugs can be used to exploit another computer.

Moreover, Windows has security problems. Film at 11. (Couldn't post without an anti MS joke! I think there's a filter or something...)

Re:About Software (4, Interesting)

iammani (1392285) | more than 4 years ago | (#32939438)

Really? Can you find a bug in this...

#include <stdio.h>
int main()
{
        printf("hello, world");
        return 0;
}

Yes (5, Insightful)

XanC (644172) | more than 4 years ago | (#32939456)

It doesn't do anything useful.

Re:Yes (4, Funny)

Windwraith (932426) | more than 4 years ago | (#32939490)

No, but it's polite, it's greeting the world. You are so insensitive!

Re:Yes (5, Insightful)

davester666 (731373) | more than 4 years ago | (#32940402)

Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.

Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.

Re:Yes (2, Insightful)

pspahn (1175617) | more than 4 years ago | (#32939718)

Demonstrating "hello world" is useful to someone new to programming.

Re:Yes (1)

DaveV1.0 (203135) | more than 4 years ago | (#32940702)

As a demonstration of printing, maybe. But as a general demonstration, not so much.

Re:Yes (1, Funny)

Anonymous Coward | more than 4 years ago | (#32939898)

Neither does Windows.

Re:Yes (1)

MichaelSmith (789609) | more than 4 years ago | (#32940038)

It doesn't do anything useful.

Like MOTD?

Re:Yes (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32940236)

This is completely correct. A bug isn't simply a coding error but a design error. Programming takes an abstract concept and makes it concrete in a formal language. This involves filling in all the details -- which is quite a lot more than non-programmers think. How should the program behave if it runs out of resources, user inputs incorrect information, external system provides incorrect information, operating system error, what should the performance characteristics be, details of statecharts and sequences, security and many more details that I have missed. All of these require trade offs that also require engineering time. Omitting important factors is just as bad, sometimes worse, and a lot more prevalent, than coding errors.

In general, users don't care if a feature doesn't work because of a programming mistake or because it isn't implemented. If a feature doesn't work, they are both the same.

Re:About Software (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32939472)

Yep. It buggers up the prompt.

  printf("hello, world\n"); /*is better*/

*This message was compiled with -pedantic.

Re:About Software (1)

alexo (9335) | more than 4 years ago | (#32939810)

printf("hello, world\n"); /*is better*/

puts("Hello, world!"); /*is best*/

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32939514)

You are so funny.

Yes.... you forgot the comments ... (1)

AnonymousClown (1788472) | more than 4 years ago | (#32939518)

/* Really? Can you find a bug in this... */

#include <stdio.h>
int main()
{
        printf("hello, world");
        return 0;
}

Re:Yes.... you forgot the comments ... (1)

bejiitas_wrath (825021) | more than 4 years ago | (#32941378)

This is better.

#include <stdio.h>   /* declares puts() */

int main(void) {
        puts("Hello World.\n\n");
        return 0;
}

Re:About Software (2)

Post-O-Matron (1273882) | more than 4 years ago | (#32939528)

You forgot the exclamation mark.

Re:About Software (1)

WeatherGod (1726770) | more than 4 years ago | (#32940362)

but, he didn't want to disturb everybody, just the world.

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32941208)

but, he didn't want to disturb everybody, just the world.

Then he forgot the period.

Re:About Software (5, Insightful)

ckdake (577698) | more than 4 years ago | (#32939552)

I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...

Re:About Software (2, Funny)

Lord Juan (1280214) | more than 4 years ago | (#32939740)

Really? Can you find a bug in this...

  #include <stdio.h>
  int main()
  {
        printf("hello, world");
        return 0;
  }

But Microsoft did not write that routine, had they done it, it would read something like:

  #include <stdio.h>
  int main()
  {
        printf("hello, world");
        get_administrative_privileges();
        collapse_system();
        return 0;
  }

Re:About Software (5, Funny)

DAldredge (2353) | more than 4 years ago | (#32939752)

You aren't checking the return status of printf.

Re:About Software (3, Insightful)

buanzo (542591) | more than 4 years ago | (#32939946)

You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.

Re:About Software (2, Interesting)

TheLink (130905) | more than 4 years ago | (#32943028)

Seriously though, what are you going to do if printf fails? Log to a file? What if that fails? Log an error message to syslog? Then what if that fails too?

At a certain point of time it's a waste of time and resource to add extra checks.

In this case the target user would likely notice if printf fails to produce output and deal with it accordingly.

If printf produces output and still fails for some strange reason, the user is unlikely to care.

A professional way is to document it. "NOTE: in some cases printf may fail and the program not produce the desired output", buy the customer dinner and get them to sign off on everything.

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32939996)

You forgot the '\n' character! :P

Re:About Software (1)

KibibyteBrain (1455987) | more than 4 years ago | (#32940016)

It does not check to make sure it has access to enough memory to load the string "hello world" into standard output. It also does no checks to see that the stack size allows it to return 0.

Re:About Software (4, Interesting)

greg_barton (5551) | more than 4 years ago | (#32940246)

Considering I once performed a security audit and found that the lead developer for the client had rewritten printf so it had damaging side effects...yes...

Re:About Software (1)

forkazoo (138186) | more than 4 years ago | (#32940588)

#include <stdio.h>
int main()
{
                printf("hello, world");
                return 0;
}

It lacks i18n.

Re:About Software (3, Insightful)

gringer (252588) | more than 4 years ago | (#32940704)

you're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.

Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?

Re:About Software (2, Informative)

FrangoAssado (561740) | more than 4 years ago | (#32941478)

The file inclusion is done at compile time. Presumably, whoever is compiling the code has a good system (otherwise, the possibilities are much worse than what you describe: the compiler might be hacked, for example).

Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g, /usr/include). This means that, if whoever compiles the code is being attacked this way, their system is already compromised.

Re:About Software (1)

BitZtream (692029) | more than 4 years ago | (#32942008)

On my desktop, no I don't check stdio.h

On our company buildfarm, yes, stdio.h is checked by the IDS before production builds run and after to confirm they are the originals.

Re:About Software (2, Funny)

rudy_wayne (414635) | more than 4 years ago | (#32940738)

Really? Can you find a bug in this...

#include <stdio.h>
int main()
{
                printf("hello, world");
                return 0;
}

Yes. You left out goatse.cx

Don't be so smug; You have a major bug (1)

Zero__Kelvin (151819) | more than 4 years ago | (#32940764)

"Really? Can you find a bug in this... "

Easily. You are not handling error codes properly. printf is not guaranteed to succeed. Perhaps the system is out of memory or the program is running as a user that does not have write access to the terminal to which you are trying to write.

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32941096)

Can someone please just car bomb the black hat conference? All the bastards will be in one place so it's shouldn't take a big one.

Re:About Software (1)

PiAndWhippedCream (1566727) | more than 4 years ago | (#32941150)

Yes, "hello, world" should start with a capital letter and end with a punctuation mark. The comma is also unnecessary.

Re:About Software (1)

somersault (912633) | more than 4 years ago | (#32941464)

The comma is also unnecessary.

It is proper when addressing someone/something.

Re:About Software (1)

yargnad (1456405) | more than 4 years ago | (#32941454)

This code displays fine on my Windows system. I guess that means Windows doesn't have any bugs. I've written plenty of code in the past that didn't have any bugs until it was compiled.

hello bugs. (1)

leuk_he (194174) | more than 4 years ago | (#32941698)

It does not check the return value of printf.

Under windows it does only run in console mode.

Documentation is lacking.

The start of the source code is not marked. Since it has an end of line with a single ".", there are 2 dots at the start of the program that give a compile error.

Re:About Software (2, Insightful)

BitZtream (692029) | more than 4 years ago | (#32941998)

You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.

You also forgot to terminate the printf statement with a newline\carriage return or whatever fits the OS it's for, which on some OSes will result in the line not appearing even though it does get printed.

It may not crash, but yes, it's broken and buggy by my standards. You should probably not act like such a cocky fuck if you plan on doing any job interviews.

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32942032)

Actually it is possible to modify the call stack, so you might be able to take anything out of the ordinary from that printf.

Re:About Software (0)

Anonymous Coward | more than 4 years ago | (#32942214)

You aren't checking if you can write to standard output. Have fun doing ./hello.hex > res.txt in a directory where you can't write.
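Several posts in this thread make the same point from different angles: printf is not guaranteed to succeed, and a redirect into an unwritable place will fail. There are in fact two failure points, because stdio is buffered: fprintf can refuse the write outright, or the bytes can sit in the buffer and only fail when fflush pushes them to the device. The block below is an added example, not code from any poster; say_hello and hello_to_path are assumed names, and the /dev/null and /dev/full paths are used only to provoke the two cases.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Write the greeting to `out` and report failure instead of ignoring it.
 * Returns 0 on success, -1 on failure with errno set by the C library.
 * Both checks matter: fprintf fails immediately on a read-only stream,
 * while a full disk or an unwritable redirect target usually surfaces
 * only when fflush tries to hand the buffered data to the kernel. */
int say_hello(FILE *out)
{
    if (fprintf(out, "Hello, world!\n") < 0)
        return -1;
    if (fflush(out) == EOF)
        return -1;
    return 0;
}

/* Open `path` with the given fopen mode, greet through it, and return
 * 0 on success or -1 if the open, the write or the flush failed.
 * errno is preserved across fclose so the caller can still inspect it. */
int hello_to_path(const char *path, const char *mode)
{
    FILE *f = fopen(path, mode);
    if (f == NULL)
        return -1;
    int rc = say_hello(f);
    int saved_errno = errno;      /* fclose may overwrite errno */
    fclose(f);
    errno = saved_errno;
    return rc;
}

int main(void)
{
    /* Normal case: greeting goes to stdout and the flush succeeds. */
    if (say_hello(stdout) != 0) {
        fprintf(stderr, "hello failed: %s\n", strerror(errno));
        return 1;
    }
    /* Failure case 1: a stream opened read-only refuses the write itself. */
    if (hello_to_path("/dev/null", "r") == 0) {
        fprintf(stderr, "expected failure on read-only stream\n");
        return 1;
    }
    /* Failure case 2 (Linux only): /dev/full accepts the buffered fprintf
     * but fflush fails with ENOSPC, which a bare printf check would miss. */
    if (hello_to_path("/dev/full", "w") == 0)
        fprintf(stderr, "note: /dev/full not available here\n");
    else
        fprintf(stderr, "flush failed as expected: %s\n", strerror(errno));
    return 0;
}
```

The point of splitting the check is that `printf` returning a positive count tells you only that the bytes reached the stdio buffer; the exit status of a program that ignores `fflush` (or the implicit flush at exit) will be 0 even when nothing was written.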

You don't need a return type (0)

Anonymous Coward | more than 4 years ago | (#32942776)

You do not need to use "int main()", and you can instead substitute a slightly more efficient void return type (none in other words) and no need to return 0 either.

#include <stdio.h>   /* declares printf() */

void main()
{
    printf("hello world");
}

That will do the job just as well and more efficiently.

Its a "Feature" not a bug. (1)

Bob_Who (926234) | more than 4 years ago | (#32941608)

Ironic how bugs are so well suited to infestation through windows. A RAID array might help....

Re:About Software (1)

Bert64 (520050) | more than 4 years ago | (#32941794)

There's an important distinction to be made, between bugs (eg a buffer overflow etc) which can be corrected with a relatively simple patch, and design flaws which may require serious changes breaking compatibility...

"Windows Vulnerable" (1)

batrick (1274632) | more than 4 years ago | (#32939358)

Fixed the title for you.

Solution sounds easy, right? (1)

DWMorse (1816016) | more than 4 years ago | (#32939392)

Just don't connect to a Token Ring LAN! =V

Re:Solution sounds easy, right? (1)

PolygamousRanchKid (1290638) | more than 4 years ago | (#32939540)

I think the problem would be finding a Token Ring LAN to connect to. I can't remember seeing one of those beasts in the last 10 years. Racks of 8228s with connectors that looked like mouths of aliens in a sci-fi flick . . . can't say that I miss them . . .

Re:Solution sounds easy, right? (1)

buanzo (542591) | more than 4 years ago | (#32939962)

You can find token ring all over IBM's building in Buenos Aires. I know. Don't say it.

Re:Solution sounds easy, right? (1)

DWMorse (1816016) | more than 4 years ago | (#32940336)

Ugh. Mayo Clinic still has some, at least it's ethernet and not BNC.

Re:Solution sounds easy, right? (1)

BitZtream (692029) | more than 4 years ago | (#32942058)

BNC is not a networking protocol, it's a connector type. Generally attached to coaxial cable.

Ethernet works over many different cable types and connectors, but it is a set of signalling protocols not a connector or cable type.

Ethernet can use BNC connectors (connected to coaxial cable), as well as RJ45 connectors (connected to CAT3, 5, or 6 cable) and several other interfaces via AUI and the like. You can even signal ethernet over fibre.

What you probably meant to say was 'at least it's CAT3, not coaxial', as otherwise your statement makes absolutely no sense. It may not be CAT3 cabling actually, but if they're still using token ring, then it's either CAT3 or a fat bundle, not likely to be CAT5 and still using TokenRing.

Re:Solution sounds easy, right? (1)

DWMorse (1816016) | more than 4 years ago | (#32942300)

Nitpicker. Yes, I find myself using terminology interchangeably incorrectly occasionally.

Granted I've never had to deal hands-on with coaxial data networks, yay. I'm quite happy enough being too young for all that.

Re:Solution sounds easy, right? (1)

TaoPhoenix (980487) | more than 4 years ago | (#32940458)

I read TFS a certain way, and then searched for exactly your post... here it is!

"I think the problem would be finding a Tolkien Ring..."

PRECIOUSSSS!!!

Re:Solution sounds easy, right? (1)

Splab (574204) | more than 4 years ago | (#32941514)

Look in government institutions - I worked as "the IT guy" in 2005-2007 at a university in Denmark, parts of the LAN was still token ring, reason behind that was at some point during upgrade to ethernet, someone decided that the whole building needed to be overhauled, effectively freezing funds for infrastructure.

Right now they are demolishing it and building a new nice department - only took them something like 12 years from deciding something had to be done to actually do it.

Re:Solution sounds easy, right? (1)

selven (1556643) | more than 4 years ago | (#32941942)

One Ring LAN to rule them all and in the darkness bind them?

Windows Vulnerable To 'Token Kidnapping' Attacks (2, Insightful)

omar.sahal (687649) | more than 4 years ago | (#32939466)

if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.

  • win 95, usability of GUI
  • win xp, stability of software, less crashes
  • xp service pack 2, and vista, security (security was not optional in vista; you had to develop your code in a more secure way, and ignoring these guidelines was not overlooked for compatibility with older versions of software, which caused many problems with programs breaking due to incompatibility)
  • windows 7, all the above and smaller foot print when installed

Re:Windows Vulnerable To 'Token Kidnapping' Attack (1)

yuhong (1378501) | more than 4 years ago | (#32941136)

This is way too incomplete. For one thing, you forgot NT and 2000.

Re:Windows Vulnerable To 'Token Kidnapping' Attack (0)

Anonymous Coward | more than 4 years ago | (#32941556)

...windows 7, all the above and smaller foot print when installed...

Smaller footprint than what? The default install clocks in at around 13GB of disk space!

Apple replies (1, Troll)

irrg (1858530) | more than 4 years ago | (#32939480)

After hearing about this exploit, an Apple VP referred to this as "Microsoft's Iphone 4".

Re:Apple replies (1)

bsDaemon (87307) | more than 4 years ago | (#32939542)

You mean that every other operating system has this same bug? Including MacOS X, then. So, no... I doubt it's their iPhone 4. MS also has more experience dealing with stuff like this. Apple is currently experiencing what it's like for a pretty girl the first time she gets blown off by some random dude she's attempting to con into doing her a favor.

Re:Apple replies (3, Funny)

$RANDOMLUSER (804576) | more than 4 years ago | (#32939636)

Actually, that's a pretty good analogy, as it makes Windows the fat, ugly chick with 17 enumerable STDs.

Re:Apple replies (2, Insightful)

bsDaemon (87307) | more than 4 years ago | (#32939746)

See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.

Re:Apple replies (1)

timmarhy (659436) | more than 4 years ago | (#32939784)

you don't live in the real world do you? in the real world there is a direct relation between easiness and getting laid that fat ugly girls know how to play.

Re:Apple replies (2, Funny)

$RANDOMLUSER (804576) | more than 4 years ago | (#32939804)

Windows has shown it will let ANYBODY fuck it. Low self-esteem and all.

Re:Apple replies (3, Insightful)

Bengie (1121981) | more than 4 years ago | (#32939782)

I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

And some quotes from the above link

"regularWindows users can’t exploit them"

"if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

It's bad, but not *as* horribly bad as the title suggests.

A properly locked down Windows machine should have been mostly immune to this anyway.

I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.

Re:Apple replies (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32939984)

I actually remember quite a few times in the past when Linux had root elevation exploits.

[Citation needed]

The Linux community just replied with "don't let people you don't trust have console access".

[Citation needed]

I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything.

[Clue (desperately) needed]

Re:Apple replies (0, Insightful)

Anonymous Coward | more than 4 years ago | (#32940206)

If you need citations for those things, then it's you who desperately needs the clue.

Re:Apple replies (2, Informative)

Kaboom13 (235759) | more than 4 years ago | (#32941482)

Windows does allow services to run as different users. It has since at least windows 2000, probably since NT. Services that interact with the network by default login as network service, which has limited permissions compared to the local system account. In a locked down environment (i.e. an internet facing or dmz server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference is there's a larger pool of people with jobs as windows administrators without the skills and knowledge to back it up. As linux becomes ever more popular, expect to see the same thing happen to it.

Re:Apple replies (1)

Bert64 (520050) | more than 4 years ago | (#32943628)

Although windows can run services under limited accounts, it is far less common to do so... And I believe more difficult because you have to store a password for the user rather than just being able to setuid() on unix... So some unix services will start as root, and then drop privileges later.

Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.
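The "start as root, then drop privileges" pattern mentioned in this thread is easy to get subtly wrong: the supplementary groups and the gid have to go before the uid (once the process is no longer root it can no longer change them), and the drop should be verified to be irreversible. The following is an added example written for this discussion, not code from any poster or from any of the products named; drop_privileges and is_unprivileged are assumed names, and uid/gid 65534 (the conventional nobody) is a constructed value for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to `uid`/`gid`.
 * Order matters: clear supplementary groups first, then set the gid,
 * then the uid. Doing it the other way round leaves the process unable
 * to change the group ids (no longer root) or leaves root's groups behind.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {              /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) == -1) /* discard supplementary groups */
        return -1;
    if (setgid(gid) == -1)        /* real, effective and saved gid */
        return -1;
    if (setuid(uid) == -1)        /* real, effective and saved uid */
        return -1;
    /* Verify the drop cannot be undone: regaining root must now fail. */
    if (setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 if the process holds no root identity: real and effective uid
 * are non-zero and an attempt to become root is refused (which would
 * succeed if a saved root uid were still held). Returns 0 otherwise. */
int is_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0 && setuid(0) == -1;
}

int main(void)
{
    if (getuid() != 0) {
        printf("not root, nothing to drop (unprivileged=%d)\n",
               is_unprivileged());
        return 0;
    }
    /* Typical daemon sequence: bind privileged resources as root here,
     * then drop before touching any untrusted input. */
    if (drop_privileges(65534, 65534) == -1) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("dropped: uid=%u gid=%u unprivileged=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), is_unprivileged());
    return 0;
}
```

Run as root the program ends up as uid 65534 with no way back; run as an ordinary user it reports that there was nothing to drop. A service that only called `seteuid()` would pass a naive `geteuid() != 0` check while still holding a saved root uid, which is exactly what the `setuid(0)` probe in `is_unprivileged` catches.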

Re:Apple replies (2, Informative)

drsmithy (35869) | more than 4 years ago | (#32941550)

I still love how *nix naturally allows individual services to run under different users [...]

There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.

Re:Apple replies (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#32942282)

You also don't have to go back too far to find a time when the phrase 'UNIX security' had the same sorts of connotations as 'military intelligence'. People who used systems like VMS laughed at it, as a concept. Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS. Security, in most cases, is a usability problem. It's easy to make a secure system. It's hard to make a usable system. It's much harder to make a secure, usable, system.

Re:Apple replies (2, Interesting)

Rubinstien (6077) | more than 4 years ago | (#32943614)

Thank you for your, as usual, rational observation.

Unix-derived OS's are only recently gaining proper fine-grained security controls, and most are still hacks, IMHO. Newer Linux has "capabilities" that allows one to mark a binary as allowed to use certain privileges, such as CAP_NET_BIND_SERVICE, but this can't be used with *scripts* due to the fact that it is the *interpreter* that would need the privilege (*bad* idea to always give it to the interpreter). Solaris 10 has user privileges such as net_privaddr, which is closer to the VMS way, but in my experience it is easier to get a customer to install a script that starts the web server as root than it is to get them to create a user for that specific purpose and type 'usermod -K defaultpriv=basic,net_privaddr webservd'. Often the customer admin'ing the box is just the most-technically-competent user, with the job dumped into his lap, rather than a "real" admin who understands that job. He's OK with things he's been asked to do before, and suspicious of anything he's never seen or does not understand. It's even difficult to get other developers to understand half of this stuff (tried unsuccessfully with ACL's a while back, for example, and they interact poorly enough with "standard" Unix file security to frustrate people with 30+ years Unix experience).

The other issue is a complete lack of consistency between Unix variants on how any of this stuff is enabled, configured, managed, or audited. Unless you have a lot of programming and testing resources at your disposal, developers need to limit themselves to those things they can rely on having as "standard" across the platforms supported. The company I work for supports 3 Unix variants, and tests on more than that. Even something as simple as querying directory services is a cross-platform mess, and security-related issues are a whole new weed patch. Of course, VMS did not have this issue to deal with, but that OS is at least consistent from top to bottom. Anytime I have to do anything security-related on Unix I cringe and wish I was working with VMS again (when will Unix get installed images? http://hoffmanlabs.org/vmsfaq/vmsfaq_007.html [AIX almost has this -- equivalent to /SHAREABLE] ).

Even VMS is not invulnerable. The last exploit I know of was verified in 2008.

Re:Apple replies (1, Insightful)

Whuffo (1043790) | more than 4 years ago | (#32941722)

Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits. They can claim that they're working on security all they want but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as useful as trying to bail out the ocean with a teacup.

Their "authenticode" signatures are just an example of "security through obscurity" and have already been compromised. All of the other security fixes are nice, but they don't deal with the gaping wide holes that MS has built into their products. It doesn't matter how many buffer overflows you fix (they claimed they were all fixed - not so) or how you partition memory - when you give execute privileges to code downloaded from the web you're bypassing all of those "security" restrictions. Am I being clear enough here? Microsoft has built into their operating systems services and programs which download and execute code from the internet. Everything else is useless when you leave this door wide open.

Sure, all operating systems are subject to having their bugs be exploited. But it appears that Windows is the only one which has these "come screw me" doors wide open - can they be closed? By the average user? Sheesh.

Re:Apple replies (3, Informative)

Blink Tag (944716) | more than 4 years ago | (#32939744)

Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

Re:Apple replies (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32939842)

Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

Indeed. Although, I would have preferred if they had posted "After hearing about this exploit, an Apple VP referred to this as "Microsoft's Vista ". ;-)

Re:Apple replies (0)

Anonymous Coward | more than 4 years ago | (#32939980)

I just shot milk through my nose. Or, at least, I would have if I'd been drinking milk. Well played, sir.

Re:Apple replies (1)

bonch (38532) | more than 4 years ago | (#32940116)

I love that Microsoft is essentially saying, "They suck as much as us!" How the mighty have fallen. Too bad the Vista analogy doesn't work though since people are actually buying the iPhone 4.

Re:Apple replies (1)

Phroon (820247) | more than 4 years ago | (#32940170)

My bad, my humor sensor is broken today. Commented to remove said moderation.

Re:Apple replies (1)

beerbear (1289124) | more than 4 years ago | (#32942216)

I pull my hat in respect. Too many people here don't have the maturity to admit they were wrong.

This is what you get, America (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32939512)

for electing Obama instead of Ron Paul.

Re:This is what you get, America (0)

Anonymous Coward | more than 4 years ago | (#32941994)

Ron Paul !? LOL. Dude, nobody wants a racist lunatic in the white-house.

Ron Paul cheerleaders are starting to become more annoying than Apple fanboys.

Re:This is what you get, America (1)

TheRaven64 (641858) | more than 4 years ago | (#32942296)

Dude, nobody wants a racist lunatic in the white-house

Wow, you're seriously out of touch with a large fraction of the American electorate...

Re:This is what you get, America (0)

Anonymous Coward | more than 4 years ago | (#32942474)

Some might argue that is exactly what you have now.

"... by any user with impersonation rights." (4, Informative)

n0-0p (325773) | more than 4 years ago | (#32939704)

That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).

So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.

Re:"... by any user with impersonation rights." (3, Insightful)

toadlife (301863) | more than 4 years ago | (#32939862)

Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.

Re:"... by any user with impersonation rights." (0, Troll)

Lehk228 (705449) | more than 4 years ago | (#32940924)

if you run IIS you may as well just post your admin password and social security number on your homepage

Re:"... by any user with impersonation rights." (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32941020)

You're a little confused, IIS is probably one of the most secure web servers at the moment, at least when compared to the lesser ones such as Apache.

Re:"... by any user with impersonation rights." (1)

ffreeloader (1105115) | more than 4 years ago | (#32943378)

Just what is it of his that is a little confused?

Re:"... by any user with impersonation rights." (2, Informative)

Anonymous Coward | more than 4 years ago | (#32941606)

if you run IIS you may as well just post your admin password and social security number on your homepage

Really? Try a little comparison exercise:
IIS6: http://secunia.com/advisories/product/1438/ [secunia.com]
IIS7: http://secunia.com/advisories/product/17543/ [secunia.com]
Apache 2.2.x: http://secunia.com/advisories/product/9633/ [secunia.com]

In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19

Re:"... by any user with impersonation rights." (2, Insightful)

TheLink (130905) | more than 4 years ago | (#32943074)

Yeah.

That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.

Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.

Nope, problem is in architecture. (0)

Cyberax (705495) | more than 4 years ago | (#32940598)

Problem is in Windows architecture. Its security subsystem is so complex that it's nearly unusable. You can, in theory, create very flexible security policy using ACLs which can be attached to almost all objects in Windows but in practice nobody uses it. So glaring security bugs can live for years.

It's almost like SELinux.

Re:Nope, problem is in architecture. (0)

Anonymous Coward | more than 4 years ago | (#32941056)

I agree that there are aspects of the security system that are complex, however for the people whose job is security (e.g. IT), this isn't a big deal. Computers are complex, they almost always are for good reasons, get over it.

Yes, people use ACLs; they do it all the time. I have seen many companies have their own groups setup and custom ACLs on file system directories. Also anyone who does Windows programming has to deal with security on OS objects like mutexes and named pipes. Sometimes they do so badly but they always have to deal with it.

Re:Nope, problem is in architecture. (1)

linzeal (197905) | more than 4 years ago | (#32941100)

If you are being paid to run a SELinux box, you probably know more than 10 windows admins put together or 4-5 Linux Admins even.

This just in... (0, Troll)

ascari (1400977) | more than 4 years ago | (#32939928)

Next release Windows is codenamed "Phoenix" see link for details:

http://www.nationalterroralert.com/updates/2009/02/13/kidnapping-capital-of-the-usa-phoenix-arizona/ [nationalterroralert.com]

Re:This just in... (1)

bonch (38532) | more than 4 years ago | (#32940130)

This is why the majority of the public supports the Arizona legislation.

Oh, wait, this is a Windows story. Why'd you post that?

Get a Life Already Hackers!! (0, Funny)

Anonymous Coward | more than 4 years ago | (#32939950)

I bet these without-a-life hackers are so lame they go on slashdot on a Saturday night! Poor saps don't have a life. Wouldn't want to be them, that's for sure!

optimistic (4, Informative)

Twillerror (536681) | more than 4 years ago | (#32940918)

Lately the security bugs I've seen are making me feel good.

Sounds weird I know, but it just seems like they are getting more and more bizarre.

Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...

Where will be in 5 years...probably in a relatively safe world.

I mean heck this things says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs not general problems.

When was the last major worm anyways?

Re:optimistic (1)

dna_(c)(tm)(r) (618003) | more than 4 years ago | (#32941490)

When was the last major worm anyways?

Disable all spam filtering your ISP provides, wonder where all the spam is sent from... Blissful ignorance is not improved security

Old News (2, Insightful)

dzr0001 (1053034) | more than 4 years ago | (#32941252)

I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf [argeniss.com] was published in the summer of 08.

Re:Old News (1)

dzr0001 (1053034) | more than 4 years ago | (#32941690)

I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf [argeniss.com] was published in the summer of 08.

Ok, so I read the zdnet article and the article does appropriately state that the exploit was discovered in 08. However, the zdnet article linked by OP is also a year old.

First they kidnapped Token (0)

Anonymous Coward | more than 4 years ago | (#32942352)

then they killed Kenny!

You bastards!

Patch Release (1)

helix2301 (1105613) | more than 4 years ago | (#32942692)

So they know there is an issue with this but yet there is not another patch being released to fix this?