"It's broken - and here's how you can use it!" - Symantec has resorted to a pretty low blow.

This article is hard to write without bias, as my public stance on the issue is well known. Still, I thought it was worth informing you all of it:

In the world of hacking, there are two clear delineations: black hat and white hat. Both groups pride themselves on learning and defeating system security; the only difference is what is then done with that knowledge. White hats will often email the sysadmins, explaining their points of entry and how best to correct them. Black hats will take the understanding and find out how many other things can be exploited with it. Neither is really big on broadcasting the flaws - that "honour" is apparently reserved for corporations like Symantec.

Security researcher and blogger Ollie Whitehouse has published a blog post on Symantec's site entitled "An Example of Why UAC Prompts in Vista Can't Always Be Trusted." In it, Ollie kindly explains how Vista's UAC functions, neatly illustrating the process and even including a flowchart. However, he doesn't stop there. As the article continues, he explains a step-by-step method (code included) for loading rogue DLL files from an unrelated legacy process, so that the UAC prompt the user sees belongs to a trusted program rather than to the code that actually runs.

Ollie mentions in his blog that he did indeed consult Microsoft before posting. Redmond's response was simply that UAC is not bulletproof: it is meant to make you aware of what is going on in your computer, not to prevent you from ever taking a higher-level action. Apparently, there was also comment on why only one system process prompt is required to run a harmful executable, but three and a government security clearance to delete a year-old Word document.

All jokes aside, the post does fall slightly afoul of Symantec's supposed core purpose of providing security. Such a detailed and illustrated approach to circumventing Vista's UAC may have been informative, but did it really need to be written? Would a post saying that the mechanism can be exploited, and warning general users not to trust a UAC prompt simply because it names a familiar program, have been any less sufficient?

Let us know your thoughts on Symantec's post in our forums.
Quote DougEdey 23rd February 2007, 09:37
I never liked Symantec, but they just seem to be no better than hackers.
Quote Iago 23rd February 2007, 10:21
I don't like Symantec either, and I'd rather have unnecessary surgery than Norton on my system, but they are a business, they have to keep or improve their market share... I don't have any problem with them pointing out flaws with UAC. Perhaps if MS hadn't hyped it so much and told us that we were due for a new era in computer security, people wouldn't be looking so hard for holes in it.
Quote Djpuk 23rd February 2007, 10:59
Perhaps Symantec should go for a new tag line in their advertising,
"Scaring users and helping hackers, Symantec the lack of common sense company!"
Quote antiHero 23rd February 2007, 11:19
I don't want to rant about Symantec (it would take too long) but I don't like them. They gave just a bit too much info out on this one.
Quote:
Apparently, there was comment on why it takes only one system process prompt required to run harmful executables, but three and a government security clearance to delete a year-old Word document.

I love this one!
Quote randosome 23rd February 2007, 14:04
Frankly I think Symantec is making a good point here.

I mean, they're trying to say you're safer with UAC on, but UAC is flawed, because most users don't understand what's going on, so they're probably going to click yes in any situation.
When you start saying, well, you can trust X colour, then they're not even going to bother reading what it is.

I'm not sure how easy it is to fake a signed file, but if you can do this the security just falls over anyway.
UAC is stupid anyway because it comes up with messages so often that people are just going to click yes because they're fed up with reading it (like the T&Cs/EULA that you agree to when you install any software).

Personally, I'm glad Symantec released this information; if they didn't show you how easy this is to do, then you wouldn't see the problem with UAC, or even what to look for.
Quote:
Originally Posted by Symantec
I went to Microsoft with this and was pointed to a document titled "Security Best Practice Guidance for Consumers."
So Microsoft basically ignored the fact that there is a pretty serious problem with UAC - really good idea there.
I see most people just disabling UAC anyway because it's an irritant.
Quote Redbeaver 23rd February 2007, 14:31
I have to agree with Brett...

Sure, Symantec found a flaw, they are a security company... Sure, M$ doesn't seem to want to do anything about it, I mean, hey, what else is new...

But to clearly explain it in detail for the whole world to see, I have two things that made me believe that is a low blow....
- Like Brett said, Symantec, as a security provider, should rather lean towards a white hat hacker: finding out what the problem is, then notifying the developer to take action to fix it. Not rubbing it in their face, "look, you don't give us access to get into Vista, I'll prove it to you that it's flawed! In your face, M$!!!"
- Great, now instead of a few select talented people, anybody with an internet connection can hack into Vista with a few clicks of a mouse.... Thanks, Symantec, I feel more secure now.........

Sorry, randosome, I think Symantec is NOT making ANY good point here.
I mean, come on, to explain how EASY it can be done, you don't need to go into as much detail as that. Probably Symantec, or rather, Ollie Whitehouse *intended* to make a good point, but he failed miserably in doing so because of his methods. Period.

Just my 2c of course.
Quote KenL 23rd February 2007, 15:37
Quote:
White hats will often email the sysadmins, explaining their points of entry and how to best correct it. Black hats will take the understanding and find out how many other things can be exploited with it. Neither is really big on broadcasting the flaws - that "honour" is apparently reserved for corporations like Symantec.

I think that this comment is BS and unresearched. While Symantec was dumb in showing just how this bug works and how you can exploit it, there are plenty of black hats and white hats that are more than willing to detail exploits and bugs.

The Month of Apple Bugs: http://projects.info-pull.com/moab/
The Month of Kernel Bugs: http://projects.info-pull.com/mokb/
The Month of Browser Bugs: http://browserfun.blogspot.com/

There are companies that sell these exploit notifications: http://www.frsirt.com/english/services/

Here's one that gives them away: http://insecure.org/sploits.html

Here is an exploit tool: http://www.metasploit.com/
Quote Djpuk 23rd February 2007, 16:05
Quote:
Originally Posted by KenL
I think that this comment is BS and unresearched. While Symantec was dumb in showing just how this bug works and how you can exploit it, there are plenty of black hats and white hats that are more than willing to detail exploits and bugs.

The Month of Apple Bugs: http://projects.info-pull.com/moab/
The Month of Kernel Bugs: http://projects.info-pull.com/mokb/
The Month of Browser Bugs: http://browserfun.blogspot.com/

There are companies that sell these exploit notifications: http://www.frsirt.com/english/services/

Here's one that gives them away: http://insecure.org/sploits.html

Here is an exploit tool: http://www.metasploit.com/

Mmmm, Symantec, a huge multinational multi-million-dollar supposedly responsible company; can any of the people you list here say the same?
Quote Cthippo 23rd February 2007, 16:10
Keep in mind, Symantec is a company; their role is to make money. Period. They do this by selling products that improve security, but they have only a secondary interest in improving security, and no interest at all in creating an impression of improved security except for their customers.

In other words, spreading FUD about MS products is a sound business strategy, and if it causes a few more users, who are not their customers, to get screwed, well, so what?

(please note, this is my interpretation of what they are up to, not my view of how it should be)
Quote KenL 23rd February 2007, 16:31
I agree that Symantec was stoopid in giving out this info and should be ashamed of their business tactics. My point/reaction was only with the comment made by Mr. Brett Thomas. His assertion that neither black nor white hat hackers care to broadcast flaws is, in my opinion, wrong.

In no way was I trying to say that Symantec was doing the right thing in publishing the details of the UAC flaw. I too think that they are doing it to cause FUD and to show that Vista is still security flawed.
Quote pendragon 23rd February 2007, 18:40
articles like this make me feel better about my friend's pirated copies of NAV
Quote dtek 23rd February 2007, 19:11
I don't support this kind of behaviour, especially because it is MS, the big corp, that is doing this "unethical but still not illegal" stuff daily (heard about the use of patent infringement lately?); so going all the way against Symantec only is missing the big picture here. Yes, what they did is questionable, but it is way behind MS's doings.
Quote Kipman725 23rd February 2007, 21:05
Look, M$ already told them it wasn't going to be fixed; I don't see the problem here. People need to know if the software they're using is insecure, and using broad terms about it instead of showing exactly how it's done creates confusion. This flaw will hopefully be fixed very quickly now.

*BTW I prefer the older definition of hacker which didn't even have to involve computers :|
Quote DougEdey 23rd February 2007, 21:56
Quote:
Originally Posted by Kipman725
*BTW I prefer the older definition of hacker which didn't even have to involve computers :|

That definition has not changed. It's a common misconception.

Hacker = Someone who makes something do what it was not designed to

Cracker = Complete waste of life.
Quote Redbeaver 23rd February 2007, 22:40
LMAO at the above post (by DougEdey, in case somebody posted right when I'm typing this) (BTW, Doug, I'm in Canada but I have a coworker that used to live in Bath, England - nice town!)

@cthippo,
*In otherwords, spreading FUD about MS products is a sound business strategy and if it causes a few more users, who are not their customers, to get screwed, well, so what?*

To cause a few more users who are not their customers to get screwed is, in my honest opinion, not a "sound" strategy. But yes, it is a business strategy.

@Kenl,
The general conception and description of white and black hat hackers given by Mr. Brett Thomas is, or perhaps was, the original definition and "purpose". Yes, there are many who do not follow this *standard*, and nobody blames them... but you should know that there are many MORE who do follow this definition. Therefore, calling it BS is a bit too harsh, don't you think?
Quote DougEdey 23rd February 2007, 22:42
@Redbeaver: Nice town, but VERYVERY expensive if you are a student on a meagre government salary.

I'm hopefully heading to Ajax next summer.
Quote dyzophoria 23rd February 2007, 22:53
This is how pissed Symantec was when they were refused access to the kernel with Windows Vista 64? lol. Anyway, even a company whose primary goal is money shouldn't just release information like this so freely to the public, more so as they are a security firm. Yeah, I know the UAC prompt gets annoying (just the same as the similar prompts in Linux and OS X), but it's still a small step towards warning the user; getting used to UAC is just the same as getting used to the ones in other OSes.
Quote Buzzons 24th February 2007, 11:22
Couple of things.

If I try to run shite code on my Vista box, it warns me, and asks me if I wish to run it (so I give it my admin details and it happily runs).

On my Linux box, if I want to run shite code, I type sudo ./thing/i/want/to/run -- no warnings etc., and it runs with full root.

Both will have the same damaging effect -- box broken. Both require me to log in as an admin - so how is the UAC BROKEN! It's not like it does it for you; you can never protect a user from their own stupidity, that is why help desks exist :)
Quote GoodBytes 24th February 2007, 14:09
If Symantec says: "Microsoft Windows Vista is the safest OS ever, in fact 95% of viruses/trojans/worms out there don't work under Vista." (which could be true, OK maybe not that high a percentage, but a good deal)

No one will buy their **oh so mighty** Symantec software that deeply slows down your computer.
Quote randosome 24th February 2007, 16:16
Quote:
Originally Posted by Buzzons
Couple of things.

If I try to run shite code on my Vista box, it warns me, and asks me if I wish to run it (so I give it my admin details and it happily runs).

On my Linux box, if I want to run shite code, I type sudo ./thing/i/want/to/run -- no warnings etc., and it runs with full root.

Both will have the same damaging effect -- box broken. Both require me to log in as an admin - so how is the UAC BROKEN! It's not like it does it for you; you can never protect a user from their own stupidity, that is why help desks exist :)
Yes, but Linux doesn't say, "oh, this piece of software is trusted"

and then you run it and part of the software was actually not trusted and your box breaks.
Quote ou7blaze 24th February 2007, 19:13
I'm leaning to the side that agrees with what Symantec has done with their security message - it addresses the problem in detail and basically pushes Microsoft to do something about it instead of sitting on their asses with most problems.

Remember that damned annoying security hole in which your computer would just shut off every time you logged on to the internet? (I forgot the name of it, but a msg comes up and your computer just shuts down in a 1 minute countdown)

Symantec also showed how easy it was to exploit this, something Microsoft would never ever announce themselves; instead they hide and wait for someone else to do it. Therefore I think Symantec has done the right thing this time.
Quote GoodBytes 24th February 2007, 19:30
If I had Vista, I would disable UAC... as I KNOW what I install... and I KNOW I am smart enough to not go to virus.com and trojan.com oh and how can I forget spy.mal.ware.com and get stuff from there.

I'm responsible and smart.
Quote randosome 24th February 2007, 20:42
Quote:
Originally Posted by ou7blaze
Remember that damned annoying security hole in which your computer would just shut off every time you logged on to the internet? (I forgot the name of it, but a msg comes up and your computer just shuts down in a 1 minute countdown)
I think you're talking about the "remote procedure call" problem.

Most services in XP can be set up to do something when terminated: nothing, restart the process, run a program, restart the computer.

Sadly RPC is set to restart the computer, when really you just need to restart the service, and people exploited this by killing the RPC service - in fact the bug is still there generally, just something needs to kill the RPC service, which most virus scanners and such block these days.
Quote Havok154 24th February 2007, 22:20
This is why Symantec will never be a real security company. Sure they sell security software, but they only become aware of 99% of new problems after companies like F-Secure find them and report them. The big difference is that companies like F-Secure report the problem and tell other companies how to help protect against them, not a how-to manual detailing the way to exploit the problem. That just makes you petty and pathetic as a self-proclaimed security company. You can bet this is just a "hissy-fit" type of reaction to MS's claims of being a secure OS and "payback" for MS not letting Symantec into the Vista kernel for so long. They're just scared that people won't buy their software as much. You can bet I won't be selling as much.
Quote Buzzons 25th February 2007, 10:27
The shutdown bug.

SP2 fixed that by enabling the firewall by default, and not to slag you off, but if you had updated your PC about... oh, a MONTH BEFORE Slammer // Blaster hit the internet you would have been UNAFFECTED! Yes, that is right, the patch was out BEFORE the worms. So don't go blaming MS for that; blame the fact you did not update.

Oh, and also "Shutdown -a" from the run bar would have stopped your PC from rebooting.

If a trusted application in Windows tries to run and has been edited by malicious software, yes, UAC is flawed. However, it is JUST AS EASY to do this on Linux as well, to hook an app that needs root/sudo to run and inject your code into it; as such, neither of them is secure, but at least MS is trying to remove some of the user stupidity. However, once again, if you use a computer safely and properly you would never get a virus; if you enable the firewall that comes on by default from SP2 onwards, you will never get a worm (so far, no holes have been found in the firewall to disable it remotely once it is on - other than already having access to the PC).

So in short, MS is doing all it can to protect the user from themselves, and if they are moronic enough to run anything and everything then they deserve to have a broken computer, and at least Windows is, and nearly always has been, harder to break than Linux.
Quote randosome 25th February 2007, 14:04
http://www.vigilantminds.com/files/defeating_windows_personal_firewalls.pdf

Well, mostly you have to let something onto your PC to defeat Windows Firewall, but that can happen easily enough, and if it does your PC is part of a botnet; Windows Firewall is yet again false security.
Quote ou7blaze 25th February 2007, 16:00
Quote:
Originally Posted by randosome
I think you're talking about the "remote procedure call" problem.

Most services in XP can be set up to do something when terminated: nothing, restart the process, run a program, restart the computer.

Sadly RPC is set to restart the computer, when really you just need to restart the service, and people exploited this by killing the RPC service - in fact the bug is still there generally, just something needs to kill the RPC service, which most virus scanners and such block these days.

Yeah, how ridiculous is that. Yeah, yeah, I know software needs to be constantly updated and adjusted to prevent the inevitable millions of holes in the software coding from being exploited. But to let something as serious as that crop up unnoticed on thousands or even millions of computers worldwide is just ridiculous - just take a look at the price of the most expensive Vista edition as well, it's just... a rip.

I'm not upgrading, not for a long while anyway. Of course Microsoft will have that covered with a typical press conference with the following words - "due to the age of the XP O/S and the introduction of the new O/S Vista we have discontinued support for Windows XP, we apologise for any inconvenience caused". I can just ****ing TELL. >:(