Tuesday, February 13, 2007
Joanna Rutkowska has been a vocal supporter of the Windows Vista security model. That was until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and learned, from Microsoft officials, that the default no-admin setting is no longer even considered a security mechanism.
Rutkowska, a hacker with a track record of defeating Vista's security mechanisms,
believes UAC has a major flaw in the way it automatically assumes that
all setup programs (application installers) should be run with
administrator privileges.
"[When] you try to run such a program, you get a UAC prompt and you
have only two choices: either to agree to run this application as
administrator or to disallow running it at all. That means that if you
downloaded some freeware Tetris game, you will have to run its
installer as administrator, giving it not only full access to all your
file system and registry, but also allowing it to load kernel drivers!
Why should a Tetris installer be allowed to load kernel drivers?,"
Rutkowska asked in a post on her Invisible Things blog.
That's because Vista uses a compatibility database and several
heuristics to recognize installer executables and, every time the OS
detects that an executable is a setup program, "it will only allow
running it as administrator."
This, in Rutkowska's mind, is a "very severe hole in the design of UAC."
"After all, I would like to be offered a choice whether to fully trust given installer executable
(and run it as full administrator) or just allow it to add a folder in
C:\Program Files and some keys under HKLM\Software and do nothing more. I
could do that under XP, but apparently I can't under Vista, which is a
bit disturbing," she added.
A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation
of the way the mechanism works. One thing that stood out in
Russinovich's explanation is an admission of sorts that the default
configuration of UAC puts the user at risk of a sophisticated code
execution attack.
11:11:29 PM
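A worked model of the installer-detection rule the article describes, added here as an example; it is not part of the original article and not Microsoft's code. It follows Microsoft's published description of the heuristic (keywords such as "install", "setup" and "update" in the file name or version-resource fields of a 32-bit executable that carries no requestedExecutionLevel in its manifest) and shows the two switches the UAC prompt itself never offers: a manifest that opts an executable out of the heuristic, and the "Detect application installations and prompt for elevation" policy that turns detection off. The keyword list, the field names and every piece of executable metadata are constructed for the example; nothing here parses a real PE file.

```python
"""Model of Vista UAC installer detection (added example, not Microsoft's code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Keywords Microsoft documents as examples of what triggers installer
# detection (assumption: the full list is not published).
INSTALLER_KEYWORDS = ("install", "setup", "update")
# Version-resource fields the heuristic inspects (assumption: documented set).
VERSION_FIELDS = ("CompanyName", "ProductName", "FileDescription",
                  "OriginalFilename", "InternalName")
_KEYWORD_RE = re.compile("|".join(INSTALLER_KEYWORDS), re.IGNORECASE)


@dataclass
class ExeMetadata:
    """Constructed stand-in for what UAC reads out of a PE before launch."""
    label: str
    filename: str
    is_32bit: bool = True
    version_info: dict = field(default_factory=dict)
    manifest_xml: Optional[str] = None


def requested_execution_level(manifest_xml):
    """Return the manifest's requestedExecutionLevel, or None if absent.

    Matches the element by local name so both the asm.v2 and asm.v3
    trustInfo namespaces are accepted.
    """
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for node in root.iter():
        if node.tag.endswith("}requestedExecutionLevel") or node.tag == "requestedExecutionLevel":
            return node.get("level")
    return None


def looks_like_installer(meta):
    """Keyword heuristic over the file name and version-resource strings."""
    if _KEYWORD_RE.search(meta.filename):
        return True
    return any(_KEYWORD_RE.search(str(meta.version_info.get(f, "")))
               for f in VERSION_FIELDS)


def launch_decision(meta, installer_detection_enabled=True):
    """How UAC launches this executable for a standard user.

    An explicit manifest always wins. Otherwise the heuristic applies only
    to 32-bit executables, and only while the installer-detection policy
    is on. Note there is no outcome 'run the detected installer as a
    standard user': once detected, it is elevation or nothing.
    """
    level = requested_execution_level(meta.manifest_xml)
    if level == "asInvoker":
        return "run as standard user"
    if level == "requireAdministrator":
        return "elevation prompt: run as administrator or not at all"
    if level == "highestAvailable":
        return "run with the user's highest token (prompts only for admins)"
    if installer_detection_enabled and meta.is_32bit and looks_like_installer(meta):
        return "installer detected: run as administrator or not at all"
    return "run as standard user"


# Constructed manifest that opts an executable out of installer detection.
ASINVOKER_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed sample executables (labels are ours, not real products).
SAMPLES = [
    ExeMetadata("freeware-tetris-installer", "tetris_setup.exe"),
    ExeMetadata("keyword-in-version-info", "tetris.exe",
                version_info={"FileDescription": "Tetris Setup program"}),
    ExeMetadata("opted-out-by-manifest", "tetris_setup.exe",
                manifest_xml=ASINVOKER_MANIFEST),
    ExeMetadata("64-bit-installer", "tetris_setup.exe", is_32bit=False),
    ExeMetadata("plain-game", "tetris.exe", version_info={"ProductName": "Tetris"}),
]


def classify_all(installer_detection_enabled=True):
    """Map each sample label to its launch decision."""
    return {m.label: launch_decision(m, installer_detection_enabled) for m in SAMPLES}


if __name__ == "__main__":
    for label, decision in classify_all().items():
        print(f"{label:28} -> {decision}")
```

The model leaves out the compatibility (shim) database and the string-table and RC-data checks the real implementation also consults, so treat it as an illustration of the rule, not a reimplementation. Its practical lesson is the one the article's prompt-only view hides: the standard user at the prompt cannot downgrade a detected installer, but a developer who embeds an asInvoker manifest keeps the heuristic off their binary, and an administrator who disables the detection policy gets the XP-style behaviour (the installer simply runs as the standard user and fails where it needs HKLM or Program Files).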
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a 'very severe hole' in the design of Windows Vista's User Account Controls
(UAC) feature. The issue is that Vista automatically assumes that all
setup programs (application installers) should be run with
administrator privileges -- and gives the user no option to let them
run without elevated privileges. This means that a freeware Tetris
installer would be allowed to load kernel drivers. Microsoft's Mark
Russinovich acknowledges the risk factor but says it was a 'design
choice' to balance security with ease of use."
11:01:17 PM
Web Censorship Proposed For Norway. Aqwis writes "A Norwegian Web filtering system (link in Norwegian), comparable to the Great Firewall of China, has been proposed to the Norwegian legislature. It would, if enacted, block all Web sites and servers that contain hate material (racial hate, pro-Nazi sites, hate towards the government, etc.), most kinds of pornography (not only child pornography), foreign gambling sites, and sites that share copyrighted or other material that it is not legal to share (such as most BitTorrent sites and services such as LimeWire). Reactions have been mixed; however they are mostly negative." [Slashdot: Your Rights Online]
8:08:57 PM
RIAA Admits ISPs Have Misidentified "John Does". NewYorkCountryLawyer writes "The RIAA has sent out a letter to the ISPs telling them to stop making mistakes in identifying subscribers,
and offering a 'Pre-Doe settlement option' -- with a discount of '$1000
or more' -- to their subscribers, if and only if the ISP agrees to
preserve its logs for 180 days. Other interesting points in the letter
(PDF): the RIAA will be launching a web site for 'early settlements,'
www.p2plawsuits.com; the letter asks the ISPs to notify the RIAA if
they have previously 'misidentified a subscriber account in response to
a subpoena' or become aware of 'technical information... that causes
you to question the information that you provided in response to our
clients' subpoena'; it notes that ISPs have identified 'John Does' who
were not even subscribers of the ISP at the time of the infringement;
and it requests that ISPs furnish their underlying log files, not just
names and addresses, when responding to RIAA subpoenas." [Slashdot: Your Rights Online]
7:33:16 PM
Microsoft Releases Patches to Fix 20 Security Holes. Microsoft Corp. today issued a dozen software updates to plug at least 20 security holes in its Windows operating system and other software, including fixes for a number of vulnerabilities in Office that hackers are currently exploiting to hijack vulnerable PCs. Windows users can download the free updates by visiting Microsoft Update or by enabling automatic updates.
The company labeled half of the vulnerabilities "critical," its most severe rating. Critical security holes are those that bad guys could exploit to seize control over vulnerable machines without any action on the part of the user, or those that could be exploited just by convincing a user to click on a link in an e-mail, or visit a particular Web page.
Today's patch bundle addresses a total of eight separate vulnerabilities in different versions of Office, Word, Excel and PowerPoint, six of which are already being exploited by hackers, according to Microsoft. As usual, those most in danger are Office 2000 users. These users cannot download the updates through the usual Windows/Microsoft update site. Instead, Office 2000 users must scan their machine at Microsoft's Office Update site and apply any outstanding fixes listed there.
Regardless of which version of Office you are using (or whether you are running Office at all), be extremely careful about opening attachments in e-mails that you were not expecting -- even if they appear to come from someone you know.
Microsoft also issued updates to correct four flaws in most versions of its Internet Explorer Web browser, all of which earned a "critical" rating. Worse yet, instructions detailing how to exploit two of these IE flaws have already been posted online (one set of instructions dates back to Oct. 2006).
Another patch fixes a critical flaw in the way that Microsoft's security software scans portable document format files (.PDF -- Adobe Acrobat documents, for example) for malicious software. According to Microsoft, this bug affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Windows Defender in Windows Vista, Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.
Interestingly, Microsoft said it also is investigating new public reports of a potential vulnerability in both Windows Mobile Internet Explorer and Windows Mobile Pictures and Video -- applications built into most Microsoft Smartphone and PocketPC mobile phones.
There were other patches released today. Home users should not delay in applying these updates: Last month, hackers infiltrated the official Web site of Dolphins Stadium -- the site of Super Bowl XLI -- and seeded it with a Trojan horse program that installed a password-stealing program on Windows machines if users browsed to the site without having applied a patch that Microsoft issued just two weeks prior. [Security Fix]
7:24:06 PM
Bill Proposes Mandatory Data Retention for ISPs. A senior Congressman has introduced legislation that would require Internet Service Providers to retain records on all their subscribers. H.R. 837, introduced by Rep. Lamar Smith (R-TX), would grant the Attorney General broad authority to require ISPs to collect and retain unspecified information identifying their subscribers and their Internet activity. The measure would also require websites to label sexually explicit content and would impose liability on any ISP that engaged in any conduct that facilitated access to child pornography. [Center for Democracy and Technology]
7:20:48 PM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 2:35:11 AM.