UAC=U Are Compromised/Vista Hacked at Black Hat

Discussion in 'Windows Vista General Discussion' started by Chad Harris, Aug 5, 2006.

  1. Chad Harris

    Chad Harris Guest

    Vista Hacked at Black Hat

    LAS VEGAS--While Microsoft talked up Windows Vista security at Black Hat, a
    researcher in another room demonstrated how to hack the operating system.
    Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, showed
    that it is possible to bypass security measures in Vista that should prevent
    unsigned code from running.
    And in a second part of her talk, Rutkowska explained how it is possible to
    use virtualization technology to make malicious code undetectable, in the
    same way a rootkit does. She code-named this malicious software Blue Pill.

    "Microsoft is investigating solutions for the final release of Windows Vista
    to help protect against the attacks demonstrated," a representative for the
    software maker said. "In addition, we are working with our hardware partners
    to investigate ways to help prevent the virtualization attack used by the
    Blue Pill."

    At Black Hat, Microsoft gave out copies of an early Vista release for
    attendees to test. The software maker is still soliciting feedback on the
    successor to Windows XP, which is slated to be broadly available in January.

    Rutkowska's presentation filled a large ballroom at Caesars Palace to
    capacity, even though it was during the last time slot on the final day of
    the annual Black Hat security confab here. She used an early test version of
    Vista for her research work.

    As one of the security measures in Vista, Microsoft is adding a mechanism to
    block unsigned driver software from running on the 64-bit version of the
    operating system. However, Rutkowska found a way to bypass the shield and get
    her code to run. Malicious drivers could pose a serious threat because they
    run at a low level in the operating system, security experts have said.

    "The fact that this mechanism was bypassed does not mean that Vista is
    completely insecure. It's just not as secure as advertised," Rutkowska said.
    "It's very difficult to implement a 100 percent-efficient kernel

    To stage the attack, however, Vista needs to be running in administrator
    mode, Rutkowska acknowledged. That means her attack would be foiled by
    Microsoft's User Account Control, a Vista feature that runs a PC with fewer
    user privileges. UAC is a key Microsoft effort to prevent malicious code
    from being able to do as much damage as on a PC running in administrator
    mode, a typical setting on Windows XP.

    "I just hit accept," Rutkowska replied to a question from the audience about
    how she bypassed UAC. Because of the many security pop-ups in Windows, many
    users will do the same without realizing what they are allowing, she said.

    Microsoft has touted Vista as its most secure version of Windows yet. It is
    the first operating system client to go through the company's Security
    Development Lifecycle, a process to vet code and stamp out flaws before a
    product ships.

    "Windows Vista has many layers of defense, including the firewall, running
    as a standard user, Internet Explorer Protected Mode, /NX support, and ASLR,
    which help prevent arbitrary code from running with administrative
    privileges," the Microsoft representative noted.

    After the presentation on bypassing the driver shield, Rutkowska presented a
    way to create the stealthy malicious software she code-named Blue Pill. The
    technique uses Pacifica, a Secure Virtual Machine, from chipmaker Advanced
    Micro Devices, to go undetected.

    Blue Pill could serve as a backdoor for attackers, Rutkowska said. While it
    was developed on Vista and AMD's technology, it should also work on other
    operating systems and hardware platforms. "Some people suggested that my
    work is sponsored by Intel, as I focused on AMD virtualization technology
    only," she said, adding that is untrue.

    Chad Harris, Aug 5, 2006

  2. I have been following this story for some time. Basically, if you read more
    about it, the "hack" is on any system running an AMD 64-bit cpu utilizing
    their Pacifica virtualization. That includes Linux, among others. Also, if
    you read through her blog, among other things, "Blue Pill" can easily be
    used on an Intel chip, as well. The best news I have read was this:

    "To stage the attack, however, Vista needs to be running in administrator
    mode, Rutkowska acknowledged. That means her attack would be foiled by
    Microsoft's User Account Control, a Vista feature that runs a PC with fewer
    user privileges. UAC is a key Microsoft effort to prevent malicious code
    from being able to do as much damage as on a PC running in administrator
    mode, a typical setting on Windows XP."

    My guess is that if Vista is run as it was intended, this will not even be
    an issue. But for all those who "know better" well, I hope you do.

    Her Blog:

    Mark D. VandenBeg, Aug 5, 2006

  3. Chad Harris

    Chad Harris Guest

    There will be many more hacks as time goes on into Vista, and IE7 is showing
    the usual number of vulnerabilities despite its security hype.

    Right now, there is every indication from what I'm seeing, Mark, on forums
    that mainstream users are finding ways to ditch UAC, considering it just
    too much hassle.

    Chad Harris, Aug 5, 2006
  4. And although guilty countless times in the past, MSFT will be wrongly
    accused of things in the future because users turn off the security measures
    as a matter of "convenience." Fate, it seems, has a sense of irony...
    Mark D. VandenBeg, Aug 5, 2006
  5. Chad Harris

    Chad Harris Guest

    Posted 11:50PM

    They won't be wrongly accused of trying to censor me every post I've made
    tonight except for one fix-it post. The flack that plays hall monitor
    sporadically on this group (probably an orange badge from Convergys or Volt)
    has tried to censor every comment I've made.

    MSFT is so paranoid it wants to control every message to be pro-MSFT, no
    criticism tolerated, and is censoring my responses as it often tries to do.
    This means they're really touchy about the faltering Vista that MVPs are
    coming out of the woodwork to tell them to hold up and to stop slapping crap
    into builds.

    At 9:24PM 8/24/06 I posted a response on the thread "vista push back
    article" and the flack they assign to community, who lacks the ability to
    give any support help on the group and won't get off its ass to fix the
    duplicate message post bug for months from the web site for this group, tried
    to cross off my message. It will never work. They will always get posted.

    Yo MSFT--you can't censor people. You can't intimidate them. You sure as
    hell can't control people who don't work for you. You can't keep people
    from talking to each other either. I know Bill Gates ate with the Chinese
    Communist Barbarian who kills people and jails them for what they believe;
    but hopefully it wasn't catching.
    Ask NBC where their reporter is right now. You and Yahoo function in China
    to report MSN searches to their government, at great risk to the searcher,
    and Rob Scoble had the courage to blog on this while he was your best known
    blogger, before he got smart enough to leave you, but I'm not in China.

    I'll be critical of MSFT anytime I think it's merited. Your sales are
    going to drop dramatically if Vista is issued with the current levels of
    incapacity or those you shipped to TAP Wednesday. I talked to a TAP tester
    today that said the same things I've been saying.

    The 2 posts that were censored tonight were:
    Re: Is RC1 out? 5487 Released to TAP Testers vista_5487.0.060726-1810

    The link from (which the OP gave)
    led to a date for RC1 "of August 2, 2006 +/-" in the sidebar (right), which
    has now been removed from the page. The reference to RC1 led me to the blog
    I quoted from in my first reply.

    Colin Barnhorst

    Response posted at 8:20PM

    The date for 5487 may have been removed from the Wikipedia page--(MSFT gets
    a real tight sphincter on that information being released). I guess
    because they know they have never been as secretive as Jobs and Apple, and
    have Mac Jobs envy and maybe another type of envy that has become a
    household word.

    Since they are becoming less and less transparent and more secretive and
    disseminating information about a year later than they should on Vista,
    maybe MSFT has little elves from Nancy Anderson's office (Deputy General
    Counsel) forcing people to take references down--the way they made Chris
    Pirillo take his torrent page down when all he was doing was facilitating
    download speed with Beta 2.

    What hasn't happened is that the TAP testers who installed 5487 on their
    boxes on August 2 have not removed it, nor have they opted out of this phase
    of the TAP program. The one I was with today hasn't--he's having a good time

    Why are they busting their ass to keep it a secret when these builds drop?
    They never succeed and frankly, who gives a shit whether people know which
    acronym has the build. Why the house mommy warning people "boy if you let
    the unwashed pheasants know all you Beta babies who are whining are getting
    another build tonite, I'll whack you off the Beta and you'll never ever see
    the light of a Beta?" The same people that post are also invited to Redmond
    to interview all the time.

    One more sign of the times: hypocrisy breeding hypocrisy like bunnies in


    II on the thread "vista push back article" to Colin's post

    "You may want to pull back just a bit on your view of the current status of
    Vista. In a private conversation I was in today I learned that the
    outstanding active bugs are currently in the hundreds, not the thousands,
    and that the next build released to testers will show a lot more improvement
    over 5472 than most folks here seem to expect. In particular, a lot of the
    bugs being reported in 5472 had already been fixed at the time 5472 released
    but had not passed QA for a CTP release (testing was still in progress) but
    have now been checked into later builds. According to my source, MS is
    seriously on track for RC1 this quarter and rtm in November with a product
    that will pass QA properly"

    I responded:

    Re: I wouldn't believe anything from MSFT Vista on the current status of

    In particular, a lot of the bugs being reported in 5472 had already been
    fixed at the time 5472 released but had not passed QA for a CTP release
    (testing was still in progress) but have now been checked into later

    They always dish that line of crap as a mantra. That's why they won't list
    the bugs fixed as public. They want to throw out meaningless numbers of
    bugs fixed which mean nothing.

    I wouldn't believe anything they say on Beta chats, particularly about bugs
    or the status of the Beta. There has been much said that is not true all
    last year and this year. The bug count is like Jimmy Buffett's
    Margaritaville. It's whatever they want to make up that it is.

    That BS is yet another reason why they don't want to make bug fixes and
    categories public on Connect.

    It's all part of a propaganda machine. What they said wouldn't reassure
    anyone. They are in trouble with Vista and they know it. The faster they
    have the guts to admit it and quit slapping it together and fully start
    fixing problems the better. They are also sacrificing the quality of
    functionality in too many areas.

    Vista got quite a build up during the foreplay before the Beta started; and
    it ain't all that and may never be. It reminds me of the bullshit about
    Iraq and freedom that has turned into a systemic board certified death
    bathmoney hemorrhage fiasco.

    Be sure and ask them why, if Device Manager has been around since Windows
    95, and it purports to diagnose the health of drivers, it's totally
    worthless for doing that and the Device Team wouldn't get off its ass to
    fix it in Vista even though that's one of the major purposes for Device
    Manager. They say it may be fixed in Blackcomb/Vienna/whatever the hell.

    And it doesn't really matter what the number of bugs is, it's the quality
    and the magnitude of them and their position in the operating system. The
    head fake they persistently do on the number of bugs (it should have gotten
    through their skulls) is not near as significant as what the problems
    actually are.

    Whatever your source told you, if they shove it out by the purported schedule
    they will shove out considerable crap. There are teams there going nuts
    over the concessions they are making. It's a huge metaphor for "settling"
    and if they value a quality OS they will hold Vista up for at least three to
    five months.

    Chad Harris, Aug 5, 2006