Tuesday, February 13, 2007

Hacker, Microsoft duke it out over Vista design flaw | Zero Day | ZDNet.com Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.   Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges. "[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog. That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator." This, in Rutkowska's mind, is a "very severe hole in the design of UAC." "After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:Program Files and some keys under HKLMSoftware and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added. A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack. 11:11:29 PM

Slashdot | "Very Severe Hole" In Vista UAC Design  Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use." 11:01:17 PM

Valentine Spam, Valentine Virus. Valentine Spam, Valentine Virus. "As Valentine's Day approaches this year we are already seeing a proliferation of computer threats." [GT: Security and Privacy] 8:56:23 PM

Microsoft Releases Patches to Fix 20 Security Holes. Microsoft Releases Patches to Fix 20 Security Holes. Microsoft Corp. today issued a dozen software updates to plug at least 20 security holes in its Windows operating system and other software, including fixes for a number of vulnerabilities in Office that hackers are currently exploiting to hijack vulnerable PCs. Windows users can download the free updates by visiting Microsoft Update or by enabling automatic updates. The company labeled half of the vulnerabilities "critical," its most severe rating. Critical security holes are those that bad guys could exploit to seize control over vulnerable machines without any action on the part of the user, or those that could be exploited just by convincing a user to click on a link in an e-mail, or visit a particular Web page. Today's patch bundle addresses a total of eight separate vulnerabilities in different versions of Office, Word, Excel and PowerPoint, six of which are already being exploited by hackers, according to Microsoft. As usual, those most in danger are Office 2000 users. These users cannot download the updates through the usual Windows/Microsoft update site. Instead, Office 2000 users must scan their machine at Microsoft's Office Update site and apply any outstanding fixes listed there. Regardless of which version of Office you are using (or whether you are running Office at all), be extremely careful about opening attachments in e-mails that you were not expecting -- even if they appear to come from someone you know. Microsoft also issued updates to correct four flaws in most versions of its Internet Explorer Web browser, all of which earned a "critical" rating. Worse yet, instructions detailing how to exploit two of these IE flaws have already been posted online (one set of instructions dates back to Oct. 2006). Another patch fixes a critical flaw in the way that Microsoft's security software scans portable document format files (.PDF -- Adobe Acrobat documents, for example) for malicious software. According to Microsoft, this bug affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Windows Defender in Windows Vista, Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint. Interestingly, Microsoft said it also is investigating new public reports of a potential vulnerability in both Windows Mobile Internet Explorer and Windows Mobile Pictures and Video -- applications built into most Microsoft Smartphone and PocketPC mobile phones. There were other patches released today. Home users should not delay in applying these updates: Last month, hackers infiltrated the official Web site of Dolphins Stadium -- the site of Superbowl XLI -- and seeded it with a Trojan horse program that installed a password stealing program on Windows machines if users browsed to the site without having applied a patch that Microsoft issued just two weeks prior. [Security Fix] 7:24:06 PM

Mobile Attacks Jumped Fivefold in 2006, Study Says. Mobile Attacks Jumped Fivefold in 2006, Study Says. The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee study reports. [PC World: Latest Technology News] 7:14:44 PM

Microsoft Fixes Critical Flaw in Security Products. Microsoft Fixes Critical Flaw in Security Products. Software patches include critical fixes for bugs in Microsoft Office and the scanning engine used by the company's security products. [PC World: Latest Technology News] 7:09:20 PM

© Copyright 2007 Paul Hardwick. Last update: 3/4/07; 3:45:10 AM.