[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BAY404-EAS56952048FFEFE1D2326935F23F0@phx.gbl>
Date: Thu, 22 May 2014 11:13:23 -0400
From: Michael Cramer <mike.cramer@...look.com>
To: "rai@...nmailbox.org" <rai@...nmailbox.org>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
Stefan Kanthak <stefan.kanthak@...go.de>,
Tavis Ormandy <taviso-1TlbntoI6+xF6kxbq+BtvQ@...lic.gmane.org>
Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes
rogue binary C:\Program.exe
Can someone reference something more than a report on Windows Vista?
UAC combined with standard user privilege combines the integrity system applied via UAC and standard reduced security permissions.
UAC when the user has an Administrator token is a different beast and there are some known bypasses. However, requiring admin approval mode for all applications and all users, including local administrators, will go far.
Integrity levels are applied via icacls just as security permissions.
Sent from my iPhone
> On May 22, 2014, at 4:59, rai@...nmailbox.org wrote:
>
>> On 2014-05-21 16:26, Stefan Kanthak wrote:
>> 3. You think Windows' "user account control" is a security boundary.
>> UAC is but NOT a security boundary:
>> <http://technet.microsoft.com/magazine/2007.06.uac.aspx>
>
>> Microsoft tries to sell "defense in depth" to their customers since they
>> started their "trustworthy computing" about 13 years ago. But they still
>> create administrator accounts during Windows setup, CreateProcess() still
>> has the idiosyncrazy to execute C:\Program.exe, and the WHQL certification
>> still let drivers pass which execute C:\Program.exe during installation and
>> operation.
>
> Microsoft has been clear on this point, even from Vista as an old Symantec report notes:
>
> "This message has been echoed by others at Microsoft in response to vulnerabilities being discovered in
> UAC. Microsoft’s message is that UAC vulnerabilities are not considered security issues, as UAC does
> not provide a security boundary."
>
> and they
>
> "observed that the User Account Control can be easily disabled manually... via the Local Security Policy tool included in Windows Vista."
>
> http://maker.fea.st/Symantec_Security_Implications_of_Windows_Vista.pdf
>
> (pg. 10 - more Microsoft references there)
>
> --
> rai
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists