Sounds like a case of 'already behind the airtight hatch'. If you have administrative privileges to install an OS upgrade then you have administrative privileges to disable filesystem encryption.
On the other hand, if MS pushes the update to the PC and it self-launches or can be initiated by a non-administrator, then it seems like there is a real security problem here.
In the video they demonstrated that they're NOT local admin. The machine was set to automatically install updates, all they had to do was hit the "restart" button to start the automatic installation.
They were then able to use a key combination to give them SYSTEM level access from a normal user account. This is absolutely an elevation exploit, and the fact it bypasses Bitlocker during in-place upgrade is a little disturbing.
This bug likely isn't impactful for home users, but for enterprise-style systems (in particular in education) it has a big impact. Now every regular user can trivially become a local admin user. Problematic.
Arent these kinds of updates pushed out my Central IT? Just because they can push it out, there are still a lot of employees watching the update run that probably don't have admin access.
Another common Raymond Chen reminder: "Local Administrator != Domain Administrator". If a user gains administrative privileges on their own machine as part of a corporate network, that just means they can bork their own machine and IT will have to come and take it for repair (and they'll likely be disciplined for doing stupid things against IT policy.) If becoming a local administrator on your own machine allows you more privileges on the network, there's something wrong with the network's security architecture. (After all, in a regular, healthy corporate network, Bring-Your-Own-Machine scenarios—where everyone is their own local administrator—are common without posing any threat.)
I want to block my young teen-aged son from hacking into his time-locked win 7 (soon win 10). He already searched the web and found some kind of system restore scheme to reset his password. Next step was to encrypt the hard drive to block rebooting without password.
Maybe with a home system, but in business most users don't have local admin rights but the systems are set to allow them to initiate updates, or updates happen the next time the computer boots up from patch tuesday. If an end-user catches an image-based update being deployed, she can just press that hotkey combo and get local admin rights. Scary stuff here for sysadmins until this is patched or some work-around can be implemented.
WindowsPE is a whole separate Windows distro and has all its failings and security issues. MS doesn't seem to have hardened it correctly for its update system. This is also why organizations are usually 2-3 years behind Windows versions. Its just too risky to trust MS to get things done on an acceptable level without nearly 3 years of bug squashing and security auditing per Windows version.
I've kept my employer on 7 until next year for reasons like these. Considering all the update and security issues with Win10, we might even put this off until 2018.
I think the point is that bitlocker means that a locked machine shouldn't be accessible to anyone even at the keyboard who doesn't know the password. If that machine happens to be executing an upgrade, even a scheduled upgrade, this is a bitlocker security bypass.
It's not earth shattering - somebody could steal a encrypted laptop that's already running and keep it running until an upgrade comes and then bypass bitlocker. Aren't there other ways of bypassing it with a running machine?
There is such a presumption, but it's a bit of a mental shortcut, sort of like "water is incompressible". In some scenarios it's still useful to know how obvious the methods are if an attacker is supervised, how much unsupervised time they might need to successfully own the machine, and whether they would need to break any tamper-evident seals that could be checked afterward.
So, you leave your machine with BitLocker unlocked and unattended and people can gain admin privileges? I don't see how anyone would expect their data to be secured by disk encryption of the machine isn't powered down.
Let's say you are a desktop admin updating 500 Windows 10 machines. Maybe some of these machines are terminals for customers. This bug is a significant attack vector to gain admin on those machines being updated.
Only operating system left that gives semblance of privacy and security.
You mean the operating system where with the default display server any application can read keystrokes, read mouse events, and make screen grabs of any other application? The operating system where no apps are sandboxed by default? The operating system where once you find a local root exploit, which are not rare, you can embed a root kit deep in the operating system?
Sorry for the harsh comment, but Linux is hardly the pinnacle of security. (Perhaps with rare exceptions like Qubes or RHEL with SELinux on servers.)
> can read keystrokes, read mouse events, and make screen grabs of any other applic
As compared to Windows in which an app can't do that?
> The operating system where no apps are sandboxed by default?
As compared to Windows or Mac where apps are sandboxed by default?
> The operating system where once you find a local root exploit, which are not rare, you can embed a root kit deep in the operating system?
As a desktop user, not sure how this applies. Windows has rootkits as does Mac.
However, every time I boot my computer my computer doesn't call home. I am also not worried about government agencies having unfettered access to my machine as a default setting. With Windows I don't know that. When I install Mac I give them my e-mail address and thereby my identity just to install the operating system. They also have my credit card number. When a Mac calls home they have my IP. So anything I do online can be traced by to my identity as a default setting through Apple... a company not located in my country.
As I said a semblance of security and privacy. Better than no semblance which at this point is the case with Windows and Mac. I know it's not real security, but best that no money can buy at this time.
I also have Windows. It's for playing old games... Surprising they still work after 15 years.
> As compared to Windows in which an app can't do that (read keystrokes of other apps)
Yes, Apps can't do that.
> As compared to Windows or Mac where apps are sandboxed by default?
Yes, apps from both the windows and mac App Stores are sandboxed.
I'm not sure what your point is. I'm not saying Windows is perfect at all, but the GUI security is better. If nothing else, consider the classic ctrl+alt+delete, which no app can catch. On Linux there is no way to be sure the 'login' you are seeing isn't a program someone has installed to capture logins. On Windows I know the login is genuine if I press ctrl+alt+delete.
The parent comment is (slightly obtusely) talking about "UWP Apps", which are installed from the store and have mobile-style "sandboxing". Normal Win32 applications can of course use SetWindowsHookEx() and the DirectDraw screen functions to take over your screen.
So, in contrast to default Linux distributions, a root kit cannot replace system files (a common trick that root kits apply is to replace system files to preserve itself during reboots and to hide the root kit, e.g. by hiding it from 'ps' output).
Moreover, macOS only loads signed kernel extensions, so it is not possible for a root kit to inject itself as a loadable kernel module. I think the same is true for Windows, but I am not familiar enough with Windows.
I am also not worried about government agencies having unfettered access to my machine as a default setting.
You are throwing two things one one heap now: (1) having a backdoor and (2) sending out usage data.
If you believe that there is a difference between Linux, macOS, or Windows when it comes to (1), this is utterly naive. Linux distributions have a large number of package maintainers and upstream projects. You cannot be certain that none of these ten thousands of people is compromised and inserts a subtle backdoor. And even if you are certain about this, it's likely that government actors have a collection of exploitable remote and local exploits.
When it comes to sending out data, such as usage data, use an app firewall. E.g. with a program like Little Snitch, it is easy to configure which program can contact what server in the outside world.
Ps. Linux has the potential to be very secure. A lot of the technology is there (e.g. Wayland and SELinux). The problem is that the Linux community is too conservative and/or believes in the myth that Linux is already secure.
I think that you are underestimating the use of the Mac App store. Many applications are only available in the app store, just to give some examples of popular Mac Apps: Pixelmator, Affinity Designer, OneDrive, Pages, Numbers, Keynote, iMovie, Garage Band, Tweetbot, and Airmail. Then there are many Apps that can be purchased both through the Mac App Store or from the vendor, such as Omni{Graffle,Focus,Outliner}, Fantastical, 1Password, Photoshop Elements.
The majority of apps that I install come from the App Store.
Moreover, some vendors also sandbox non-app store apps. E.g. Chrome tabs, Photos, or Safari tabs.
That's the same thing. There is no OS I'm aware of that has separate versions for "laptops" and "desktops"; a laptop IS a "desktop" these days, as opposed to a "mobile device" running a mobile OS (Android/iOS).
In all seriousness, why is Fedora the mosts worthy Linux out of them all, in terms of privacy and security? I thought those two were kind of an inherent staple of all Linux distros? In the past I've used Debian Stable with AwesomeWM (the inspiration for Mjolnir) and it felt pretty secure?
I've only been following Fedora development from a distance, and haven't had time to look at Fedora 25 yet. From memory, there's a bunch of things:
* Fedora and Ubuntu are more aggressive about compiling security features into the packaged binaries, whilst Debian considers package build flags to be the decision of individual maintainers, so coverage is more piece-meal.
* Fedora ships SELinux enabled. I believe that current versions of Android is the only popular non-Red Hat Linux-based system that does that. The common compliant about RH's SELinux implementation is that it is so restrictive about system integrity that it blocks actual system administrators from doing routine tasks unless they remember to change the appropriate SELinux policy settings first.
* Fedora 25 now uses a Wayland implementation for managing graphics by default, rather than X, so that the security issues of X don't apply.
* Fedora 24+ includes Flatpak, so that there is a system for sandboxed applications. Fedora 25 provides the UI integration for non-technical users to run Flatpak packages (once developers build them).
* The RPM/DNF package management system is more stringent about checking downloaded packages than APT.
I meant the hat not the distro. I use Ubuntu, I am happy with it. Before that used Debian and Slackware. Was happy with those too. Used it for 15 years. Can't complain. I don't feel my computing has been hurt by using Linux. And over time it seems as it's the only sane choice.
I misread your post too, but now it's clear on a reread that you meant the hat!
I am also a proud and happy Linux user going on about 10 years now, and what's great is that I know all the knowledge I've acquired will still be relevant many decades into the future -- not sure the same can be said of Windows or MacOS.
If you're going to recommend a Linux for security, I would have assumed it'd be Tails. For maximum greybeard, I'd go with Gentoo. But this is hacker news, I don't think your average user here is just hearing about Linux from this thread.
Insiders see this style of Upgrade on a regular basis (with each new major Insider Build). Microsoft just made a big blog post about a new system for this style of Upgrade (the "Universal Patch Platform") and has asked Insiders to keep an eye out on it. A White Hat attempting responsible disclosure could at least check on Insider Builds and attempt to provide feedback on the new platform through official channels.
All this and the comments assume Windows will let you upgrade at all. Google "windows 10 upgrade something happened" and then try to find the fix for that amazing piece of error reporting.
In my case it was either that the language pack was wrong: Eng UK not Eng US, neither of which actually have language pack installed...
or it was the Win toobar/menubar being docked to the left of the screen and not the bottom. One of these stopped the upgrade completely, repeatedly. The greatest security risk had to be getting stuck on an old version of Windows with no good info on how to fix a 2 year old bug in the upgrade process.
> Combined with other significant security advances, such as Credential Guard, Windows Hello and others, we’ve made Windows 10 Anniversary Update the most secure Windows ever.
The Windows 10 Calculator is a Store app, and Server 2016 LTSB doesn't include Store apps. Therefore, Server 2016 LTSB doesn't have Calculator.
While I guess they could bundle the Windows 7/8 Calculator with Server 2016, that would make server and desktop Windows different (for a feature that both include).
While I guess they could bundle the Windows 7/8 Calculator with Server 2016, that would make server and desktop Windows different (for a feature that both include).
To make another guess, a lot of Server/LTSB users might actually like an even older Calculator:
They don't even include the Edge browser on Windows 10 LTSB. That's ... strange. Edge has been out for like 18 months on Windows 10. They really seem to have taken out the whole UWP platform on LTSB, so we once again see that the whole "one Windows to rule them all" spiel is nothing but a nice marketing story Microsoft likes to tell its fans, but not as real as they might like it to be. Unfortunately this just means Internet Explorer will have to be supported that much longer by developers.
I don't know whether this works in newer versions of Windows, but it was extremely simple to elevate your priveleges on almost any Windows 7 machine. I've done this dozens of times.
I haven't used Windows for years now, so the details are a bit fuzzy, but it essentially worked like this:
Start the machine. During boot(when you see the orb splashscreen), turn off power or hold down the power button for a few seconds.
The next time you boot up the machine, windows will say it failed to boot and offer to go into startup repair. Do that, wait for some time, and click through until eventually you see a bug report that you can open up in notepad.
Once you are in notepad, open up the "open file" dialog. From there, navigate to "C:\Windows\System32" and replace "sethc.exe" with "cmd.exe". Now, reboot normally.
Once you reach the login screen, spam left shift until you get a command prompt with admin privileges. Now, you can create new users, change the password and privileges of existing users, or even start up explorer.exe and use the computer normally as admin, bypassing the login screen entirely.
This works because "sethc.exe" is the executable responsible for Sticky Keys, which is activated by pressing shift repeatedly. Instead of sethc.exe, now cmd.exe would be run instead.
You're kidding, right? You can drop in any executable in place of sticky keys? And it runs with Administrator privileges? How does Microsoft own the enterprise and government spaces with glaring lack of basic security like this? :/
You have to get used to the fact that any physical contact with an unencrypted hard disk, whether it's locked in a computer or not, means that this person now has r/w access to all that data.
The grandparent technique does not rely on physical access to the raw hardware - only mouse, keyboard, and power switch (intended human interface endpoints). The computer case could be behind a concrete bunker with the only communication being cables for the mouse, keyboard, power switch, and video out, and no ports, and this would work.
The Windows security model is intended to protect administrator-account access given these parameters.
.. and so far it has AFAIK never succeeded to protect from all these attacks. That's what I meant with 'locked inside a computer'. It also doesn't matter because in the real world you don't have that bunker in between.
you'd either have it in a bunker with a remote terminal, or you'd get in the bunker after security clearance. making up weird scenario to prove a point is a fool errand, security needs compromise and threat modeling, it's not a blanket meant to protect for every type of attack ever.
I think we should continue to resist accepting this as normal, especially when it's not true for iPhones. We should get used to at-rest encryption. (It seems that part of the current exploit under discussion bypasses Bitlocker?)
As a kid I did this with magnify.exe to get around account time restrictions (hi, Dad). Enabling magnifier from the accessibility dialog on the login screen would pop open a command prompt running under the SYSTEM account. Punching in "explorer.exe" would get you a desktop.
I can't remember where I saw it, but here's how you teach your kids to start scripting:
Step 1: put a note on the fridge saying "The new WiFi password is one of the 10 random keys in the text file on this USB drive [taped to note]".
Step 2: wait a few days, repeat Step 1 with 10 replaced by 10 000 and also leave them an intro to Python (or $favorite_lang) book. Bonus points if you make the USB drive boot Linux straight to a Python REPL.
I had to learn lock-picking first to have access to the mighty computer room, first. After a while I discovered that I could kick the door open easily. Then they realized the door was wobbly and replaced the entire frame. That's how I learned brute-forcing was not a viable long-term strategy.
Yes, I was doing it for years since Win98. There even was Linux distro dedicated for it called logmein that has something like 35MB. I still have .img of it, if you would like to test it. The distro was no longer supported since Vista, but still worked on win7.
You can also drop (almost) any executable in place of explorer.exe, it's the basis of Windows Server "Core".
It has both good and bad sides, and the same (basic) thing is exploitable on linux. You can replace `cat` with another executable and change the PATH so that the new `cat` comes first.
/tmp/cat
PATH=/tmp:$PATH
edit: I'm aware that this does not give root privilege (though it could, through some SUID hack or cowroot or anything really), but it is the same basic "flaw". (again, though it isn't really a flaw)
I think the Linux equivalent would be more like interrupting the boot process at the GRUB menu, then adding "init=/bin/sh" onto the kernel command line, so Linux boots into a root shell.
Not really. In any Linux system I've seen,if you can change PATH you can already execute your /tmp/cat directly. And generally PATH and LD_LIBRARY_PATH are not passed through suid or sudo.
Oh, so essentially the same bug that existed since windows 98? Where you could, on the login screen, click the little question mark, which would open windows help, then you could click on "open file", navigate to C:\windows and just double click on explorer.exe, which would log you in without a password?
Windows 98 was not intended to offer meaningful local security. The password prompt was used to collect the username/password to use to connect to network resources. (And also, perhaps confusingly, the password prompt was overloaded to select the local user profile, if such feature was enabled - but entering a new username would create a new account, so being a barrier to using the computer was never the point.)
Windows 98 wasn't a true multi-user operating system anyway, security was a simulation. Only the NT line was multiuser at the time (and later XP through 10).
The Windows 98 issue was a bug. The example given involving Windows 7 and renaming executables is NOT a bug. If you give someone unrestricted access to the hardware, they have unrestricted access to the hardware. Working as intended.
You want someone not to be able to mess with a Windows installation? Activate Bitlocker.
That's why this Windows 10 issue IS a bug. Because it bypasses Bitlocker and allows a normal user to escalate to local admin. The Windows 7 issue is NOT a bug because it allows no such escalation (since no security was ever stopping local HDD access anyway).
TL;DR When you do an in-place upgrade it does so in the SYSTEM authority. If you hit Shift+F10 during part of this process you get a Command Prompt running as SYSTEM. Then you can do some file system and registry changes to replace an accessibility feature exe with cmd and again run it under the SYSTEM authority pre-login and add your account to the Administrators group.
That's not the bad part. The bad part is that this process suspends the disk encryption. Without disk encryption having physical access to the machine would be enough to elevate priviledges anyway.
I knew I wasn't dreaming when my Bitlocked Win10 machine did the Anniversary Update and rebooted to the update screen without entering my Bitlocker password. Scary.
But that must have been Windows PE doing the update.
I'm disable windows update and windows background intelligent service . The most reason was windows keep re downloading broken update and cost a lot my broadband bandwidth. To secure my laptop, i only remove csript.exe and wscript.exe.
You are no longer running Windows, you are running alien3d's-special-snowflake-version. Please don't be surprised when many third party programs/games no longer run, because, some of my software certainly won't.
We are dealing with this right now with our software. Our end users on Windows 7 who haven't kept their machine up to date can't install the VC++ 2015 redistributable which is required to run our software. It's a Microsoft problem but it's still frustrating having to do basic tech support for them just because they won't let Windows do the updates that it is insistently but politely asking them to let it do. Not a problem with our Windows 10 end users, of course.
These days I don't blame them. I'm guilty of it myself. After Microsoft repeatedly dropped in the Windows 10 "updates" (including nag) under new names it got to be enough of a hassle to avoid them that I've basically stopped updating. Finding the latest update names to ignore, then actually finding them in the update listing is enough of a pain to get me to continually put it off.
>These days I don't blame them. I'm guilty of it myself. After Microsoft repeatedly dropped in the Windows 10 "updates" (including nag) under new names it got to be enough of a hassle to avoid them that I've basically stopped updating.
My PC is next to my bed. I love being woken up at 3 in the morning by Windows attempting and failing to install updates.
It's got to the point where I turn it off at the power supply to stop it.
I tired of the 'whack-a-mole' game and just stopped installing post-March 2015 updates on my Win 7 install. It may be vulnerable(what isn't?), but 3rd party sandboxing, firewall and noscript mitigate the immediate, automated threats well enough(last succeasful exploit on my machines outside of a purposely infected VM: ~2009). When MS can no longer harvest my activities(or I can deny them control) I will revisit my security policies. Until then, I will continue to disable updates, harden my firewall and deny any contributions to MS* 's data grab.
* et al. Sadly, "everybody's doing it" these days.
In my case it's because it get's stuck on and upgrade that won't install. The error messages are completely unhelpful, googling them doesn't help either.
With all due respect, if your software has an OS-level dependency that is less than 2 years old, you're too cutting edge and it's your fault.
You should not require an unpackaged dependency from 2015. This is a problem with your developers trying to use the latest and greatest technologies, with no respect for reality. It is neither your users', nor Microsoft's fault, that your users don't have bleeding edge 2015 upgrades.
It’s completely normal in my experience for programs developed on windows to have to install the appropriate Microsoft C++ or C runtime that the binary was linked against. Ever installed a game from Steam? Half of them will insist on downloading & installing the Microsoft VC++ runtime before they’ll do anything at all.
On the other hand, if MS pushes the update to the PC and it self-launches or can be initiated by a non-administrator, then it seems like there is a real security problem here.