
Windows 7 beta UAC completely vulnerable to malware


26 replies to this topic

#1 GTK48

  • Members
  • 396 posts
  • Gender:Male
  • Location:Ohio

Posted 31 January 2009 - 01:31 PM

Source

Chicago (IL) - An almost unbelievable flaw in Windows 7 beta and Microsoft's User Account Control (UAC) feature - the one designed to keep all of the annoying messages seen in Vista away from its users - allows its protection to be defeated by any malware which happens to infect the system. The malware needs only to send a series of false keystrokes from a Visual Basic script to activate the UAC dialog, move the slider bar to the disable position, and then save the changes. After that, the program can access protected functions or even reboot the system, thereby gaining full total system access on restart.


This type of security breach has been in use for as long as there have been PCs. In the old DOS days, a terminate and stay resident (TSR) program could invoke the system BIOS functions, wait for the password screen to appear then start issuing interrupt 16h instructions (which send fake keystrokes). Doing so would mimic the effect of a user pressing keys on a keyboard, and old DOS programs like Sidekick used to do this as part of their feature in order to provide DOS with copy-and-paste-like functionality, as well as pop-up abilities like a calendar, calculator, etc. Sidekick would intercept and send its keystrokes in this way.

Over the years, similar techniques were employed to bypass security in later operating systems. Such programs could repeatedly try various password combinations, for example, at very high speed one right after the other. Early on system designers began to realize this weakness and developed the "three strikes and you're locked out" policy. But today in Microsoft's upcoming flagship operating system to be released later this year, Windows 7, such antiquated attempts aren't even necessary.

Windows uses a message-based communication system internally. When a user presses a key on the keyboard, the keyboard controller identifies which key was pressed (or released) and sends a signal to the motherboard, which then issues a hardware interrupt signal to the CPU. The CPU stops what it's doing (processing a spreadsheet, drawing some graphics in a game, whatever it is), and then retrieves the keystroke - sending it to the appropriate software algorithm (an internal keyboard handler). Such a handler allows keys to be remapped, intercepted, and all kinds of other things which allow for abilities like macros, etc. But ultimately, the keystroke message, such as "KEY 'X' IS DOWN WHILE THE RIGHT-SHIFT KEY IS PRESSED," is sent to the appropriate program (or, more precisely, the appropriate "window" in Windows).

This newly discovered "flaw" is actually not a flaw at all (see below). It employs something similar by using the "SendKeys" function in Visual Basic which mimics the process explained above in today's Windows operating systems. When a window receives a keystroke sent by SendKeys, the program assumes it came through legitimate channels and is really a valid key. There is no testing which takes place to find out if it was programmatically inserted into the queue, or if it was the result of a real keypress.

As a result, using only keystroke commands issued by a malware program, in Windows 7 beta it can activate the UAC, move the slider bar to the "disable messages" position, close the dialog and then proceed through the system doing whatever it wants to in the background without the user ever knowing that their system's been compromised - because they don't see any popups as their UAC setting should've indicated.

The discoverer wrote some simple code (which can be downloaded from his page) and also notes that this is apparently a Microsoft-purposed design feature of Windows 7, as related inquiries appearing on Microsoft's beta page are all marked "closed."
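A defensive counterpart to the behaviour the article describes, added here as an example and not taken from the article or this thread: a PowerShell audit that reads the UAC policy values the control-panel slider writes and reports whether the machine has been moved to the weakened "never notify" position or off the secure desktop. It assumes the documented Windows UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) under the Policies\System key; the function names are my own.

```powershell
# Added example (not from the article or this thread). Audits the UAC policy
# values behind the control-panel slider and flags a weakened configuration.
# Value names and slider mapping are the documented Windows UAC policy settings.
$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Map the three policy values back to the slider position (Windows 7 layout).
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify (top of slider)' }
        '5/1'   { return 'Notify on changes, secure desktop (Windows 7 default)' }
        '5/0'   { return 'Notify on changes, no secure desktop' }
        '0/0'   { return 'Never notify (bottom of slider)' }
        default { return "Custom ($ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop)" }
    }
}

function Test-UacWeakened {
    # Weakened = elevation silently approved, or prompts shown on the normal
    # desktop, where synthetic input from other processes can reach them.
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    return ($EnableLUA -eq 0) -or ($ConsentPromptBehaviorAdmin -eq 0) -or ($PromptOnSecureDesktop -eq 0)
}

function Get-UacPosture {
    param([string]$Path = $UacPolicyPath)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value means Windows uses its default (1, 5, 1 on Windows 7).
    $lua    = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $admin  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Level    = Get-UacLevel $lua $admin $secure
        Weakened = Test-UacWeakened $lua $admin $secure
        Checked  = (Get-Date).ToString('s')
    }
}

# Usage: run the audit and act on Weakened = True (e.g. reset the slider and reboot).
Get-UacPosture | Format-List
```

Weakened is also True for the 5/0 position, because a prompt drawn on the normal desktop is the case where injected keystrokes of the kind described above can interact with it.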



#2 usasma

    Still visually handicapped (avatar is memory developed by my Dad

  • BSOD Kernel Dump Expert
  • 25,089 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 31 January 2009 - 01:52 PM

This'll get us into a long discussion on UAC and what it's for.
IMO, UAC is there as an irritant - it's supposed to p*** you off.

Back in Windows XP it was commonly accepted that the most secure way to operate a system was with a limited user account. But no one wanted the hassle - so everyone used administrator accounts. Rather than accept the principle of least privilege, software authors wrote stuff that needed administrator privileges to run.

Because of this, I assume that Microsoft devised UAC as a way to force the issue in Vista. In other words, if a software author wanted to avoid upsetting their customers, then they had to write software using the principle of least privilege (which would avoid the UAC prompts that are upsetting customers).

So far this is working out pretty well with Vista - and the few holdouts are (IMO again) falling by the wayside.

So, I wonder if this is a flaw or not? Also, from my limited experience, UAC in 7 will demand a reboot if you set it to the lowest level. Dunno if you'll get the UAC is disabled message when you reboot (haven't tried it).
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 Guest_Jay-P VIP_*

  • Guests

Posted 31 January 2009 - 01:57 PM

Check out this Windows 7 Antivirus Review

This may help many with vulnerabilities in Windows 7.

#4 usasma

  • BSOD Kernel Dump Expert
  • 25,089 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 31 January 2009 - 02:11 PM

I stopped using Avira as it seemed to be 32 bit only (and I'm running x64 Win7)
I've stuck with Avast Free as it is 64 bit aware.

#5 Guest_Jay-P VIP_*

  • Guests

Posted 31 January 2009 - 02:15 PM

I will try to get him to launch some 64 bit results. He only did 32 bit testing. I'm sending a PM right now.

#6 GTK48

  • Topic Starter
  • Members
  • 396 posts
  • Gender:Male
  • Location:Ohio

Posted 31 January 2009 - 02:29 PM

I am using a BETA of Kaspersky Internet Suite 8.0 . It works great. I was looking for a firewall to use with Avast and I found this. I removed Avast but KIS works!

#7 ordski

  • Members
  • 4 posts

Posted 02 February 2009 - 09:55 AM

Hi. The ESET NOD beta 4 works fine with win7 - but is about a 6 week trial version. It is free.

I found Kaspersky tech 8 irritating and intrusive - the sounds are annoying and not easily turned off, the updates went on forever (which may well be a bug).

I've used NOD and Comodo with XP and Vista, worked great, never a problem, not intrusive.

#8 Guest_Jay-P VIP_*

  • Guests

Posted 02 February 2009 - 12:45 PM

HMOS 64-bit results will be out next month.

#9 pcaddict44

  • Members
  • 1 posts
  • Gender:Male
  • Location:Somewhere in Pennsylvania

Posted 12 February 2009 - 10:57 PM

Hello all. A 'newbie' here although not new to PCs, having built my first one (Processor Technology SOL-20) which came out about the same time as the "IMSAI 8080" hit the streets via Popular Electronics. From the 8080A to the Quad-Core Q9550...we've come a long way! :huh:

So now, down to business. I've been "Beta Testing" Win/7 on a few machines on my net - but mostly on my Laptop Dell Inspiron 9300 since, if it gets messed up, it's easy to restore, etc. The biggest gripes I had were with the lack of "Approved" Firewall/AntiVirus Suites. Microsoft recommended Kaspersky, AVG and Norton Antivirus (I think that was the 3rd one). Since I'm using Outpost Internet Security/Pro across my network, I was loath to install yet another brand of protection software. And wouldn't you know it, Outpost caused BSODs when installed <sigh>. So, reluctantly I went with AVG in the 'trial version' since their specific Win/7 compatible version isn't free <natch>.

Another gripe: Compatibility. Since all of us (fondly?) remember all the wonderful issues we experienced when VISTA was unleashed on us, one would have thought (foolishly I guess) that Win/7 would capitalize on all the VISTA 'fixes' and be even more compatible with various applications, right? BWAHAHAHAHA!!
Wrong. :huh: Because of issues with many of my already-installed applications, I took Win/7 down on all but the laptop and am struggling along with it. For now.

I guess Win/7 will be in 'beta' for another decade or so? :thumbup2:

-greg

#10 usasma

  • BSOD Kernel Dump Expert
  • 25,089 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 13 February 2009 - 03:46 PM

Beta is beta - that means that it's not going to work smoothly for everyone. I fought with my Lenovo tablet for several days to install the Win7 beta - but finally all my apps and drivers are working. OTOH, I installed it on my brand new system and it identified everything and installed all of my drivers for me.

#11 Guest_Jay-P VIP_*

  • Guests

Posted 21 February 2009 - 02:54 AM

I agree, beta is beta. I am using Avira Antivir beta. So far so good except this is the second beta release for the newest version, and the mailguard keeps shutting itself off. Friends over at Avira forums are still investigating the matter.

:huh:

#12 Kevin G

  • Members
  • 4 posts

Posted 26 February 2009 - 10:15 AM

I manage a PC repair shop and at the risk of sounding ignorant and having done something really foolish I would have to report that I have been using AVG free with Windows 7 beta on both of my PCs, including my data rescue computer at work. I have had no problems with the free version, all components report that they are running normally.
If anyone has had problems with the free version I would be interested to hear what they were.

#13 usasma

  • BSOD Kernel Dump Expert
  • 25,089 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 26 February 2009 - 10:28 AM

I gave up on AVG because of the concerns over false positives that I'd read about, and also because of the emphasis placed on the "suite" installation when trying to install just the antivirus.

I use Avast on my 64 bit home system and am trying out Avira on my 32 bit laptop. My main complaint about the Avira is the nag screen - but it's a minor irritant.

Keeping Windows updated and the antivirus updated is probably the most important preventative measure that you can take. Beyond that it's "safe surfing" that'll keep the infections from coming in.

Finally, using AVG Free on a commercial system is probably a violation of the terms of the EULA. I'd suggest using a product that's approved for use on a commercial system.

#14 Kevin G

  • Members
  • 4 posts

Posted 26 February 2009 - 11:17 AM

Have to agree that safe surfing is the key to keeping my PC usable and enjoyable. I can't remember the last time I actually had an infection on my computer (not that AV 2009 hasn't tried).
To its credit, AVG was one of the first AVs that detected AV2009 trying to get in; McAfee still doesn't block the initial attempt.
These fake antivirus programs are extremely underrated by the AV companies; to simply call them "adware" seems irresponsible. Considering the way they decimate a PC and ruin the user's experience, you would think they might receive a bit more attention. I have taken to calling the entire bunch of these fake AV/AS programs "The Plague" ....as in "Oh Oh.....you've got The Plague" ..... I've had 5 customers who have paid for the Plague, and I would say 15 to 20 percent of our shop's income since July has been Plague related (great for my boss, just keeps me busy).
Oh, I have tried several supposedly good programs to get rid of "the knack", can't get rid of it, something about "open files"....

#15 Guest_Jay-P VIP_*

  • Guests

Posted 26 February 2009 - 02:37 PM

Wait, I thought this was about Windows 7 Beta. I just mentioned I was experimenting with a beta product and totally agree.

Anyway, yes these antivirus products are good, and they all have advantages and disadvantages. So this would be a good discussion to possibly start in a new topic, maybe in the chat room. Anybody up for it?

We should all discuss it!



