Linked by Thom Holwerda on Sat 31st Dec 2005 16:55 UTC
Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared. One security company said the possibilities were endless on how the flaw could be exploited. 'This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers,' said Luis Corrons of Panda Software.
Thread beginning with comment 80826
RE[2]: Perfect example!
by makfu on Mon 2nd Jan 2006 08:50 UTC in reply to "RE: Perfect example!"
makfu Member since: 2005-12-18

Since the notion of "users", "accounts" and "privileges" was totally absent in the design of Windows circa 1995, and since modern versions of this OS are backwards compatible with that API - then necessarily the notion of "users", "accounts" and "privileges" is a bolt-on afterthought.

You have absolutely NO idea what you are talking about. The DACL model used in NT has been there since day one (1993). Win32 originated on NT, not Windows 95 (it was bolted on to the DOS/VMM386 kernel, NOT the other way around). The rest of your post is just so much FUD.

You need to understand that there are people who have CONSIDERABLY more knowledge regarding systems internals than you do. If you want to have a critical discussion about Windows, that's fine. However, it would be wise in the future to actually KNOW what you are talking about before shooting your mouth off.

Oh, and yes, if I either remove the ACE or set an explicit deny entry on the ACL on ANY object referenced by the Security Reference Monitor you will not be able to access that object. Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem (obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL). If you wish to view the pervasiveness of this functionality, use Process Explorer from www.sysinternals.com.

Reply Parent Score: 2
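As an added illustration of the point above (example code, not makfu's or Microsoft's): the script below puts an explicit Deny ACE on a file's DACL and shows the kernel's access check refusing the read even to the file's owner. It assumes Windows PowerShell 5.1 on an NTFS %TEMP%; the file name and contents are constructed for the demo.

```powershell
# Added example: explicit Deny ACE on a file's DACL, enforced at the open.
# Assumes Windows PowerShell 5.1 on NTFS; file name/contents are constructed.

$path = Join-Path $env:TEMP 'ace-demo.txt'
Set-Content -Path $path -Value 'constructed sample content'

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# The file's security descriptor as stored on NTFS, rendered in SDDL.
$acl = Get-Acl -Path $path
"Before: $($acl.Sddl)"

# Add an explicit Deny ACE for the current user covering the read-data right.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'ReadData', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

"After:  $((Get-Acl -Path $path).Sddl)"

# Deny ACEs are evaluated before Allow ACEs, so the open fails at the
# access check before any data is read, owner or not.
try {
    Get-Content -Path $path -ErrorAction Stop | Out-Null
    'Read succeeded (unexpected)'
} catch {
    "Read denied as expected: $($_.Exception.Message)"
}

# Clean up. The owner implicitly keeps READ_CONTROL and WRITE_DAC, so the
# DACL can still be read and rewritten even while reads are denied.
$acl = Get-Acl -Path $path
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Remove-Item -Path $path
```

The SDDL string printed after the change shows the new entry as a `(D;;...)` ACE; removing it restores the original descriptor.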

RE[3]: Perfect example!
by hal2k1 on Mon 2nd Jan 2006 09:17 in reply to "RE[2]: Perfect example!"
hal2k1 Member since: 2005-11-11

"obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL"

... where a legacy filesystem is defined as? Anything other than NTFS perhaps? Meaning floppy disks, USB sticks, CDROMs and data DVDs perchance? Meaning that Sony can install a rootkit because it came to the system via CDROM, possibly?

There are hundreds of exploits of Windows' supposed security that have nothing at all to do with buffer overflows. They are just plain and simple holes in the system - the system whose API was designed circa 1995 (not Windows NT - the API is still Win'95 design).

Reply Parent Score: 1

RE[3]: Perfect example!
by Ookaze on Mon 2nd Jan 2006 10:12 in reply to "RE[2]: Perfect example!"
Ookaze Member since: 2005-11-14

You have absolutely NO idea what you are talking about. The DACL model used in NT has been there since day one (1993)

You should stop talking out of your a**. Security of NT and all of its derivatives (yes 2003 too) is abysmal.
This flaw is one more proof, but won't stop those in denial from thinking otherwise.

The rest of your post is just so much FUD

It's not. You are the clueless one.

However, it would be wise in the future to actually KNOW what you are talking about before shooting your mouth off

Look who's talking there.

Oh, and yes, if I either remove the ACE or set an explicit deny entry on the ACL on ANY object referenced by the Security Reference Monitor you will not be able to access that object

Didn't you know? GPO is flawed too, and GPOs use these ACEs/ACLs. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong. All of these won't work on non NTFS anyway. You are surrounded by non NTFS systems/appliances (USB key, CDROM, ...) in case you didn't know.

Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem

Wrong. That's one big flaw of NT BTW.

obviously if you are using a legacy filesystem with no defined NT SDDL ACL, the object will be instantiated by the system with a blank ACL

It's not obvious at all to me. Especially since in Linux, this is configurable on an object-by-object basis, by device, by default, ...
So these kinds of hacks are not possible by default on a Linux system, so no, it's not obvious to me.

Reply Parent Score: 1

RE[4]: Perfect example!
by ivans on Mon 2nd Jan 2006 12:29 in reply to "RE[3]: Perfect example!"
ivans Member since: 2005-12-03

Didn't you know? GPO is flawed too, and GPOs use these ACEs/ACLs. Stop the BS please.
The Sony rootkit and WMF flaw are proof you are all wrong.

Actually they prove that you are the one who's wrong and doesn't know absolutely anything about malware, the Windows security model and security vulnerabilities in general.

Shellcode exploiting this WMF flaw will run AS USER, i.e. if you visit the web page logged in as LUA (non-admin), the shellcode, the trojan downloader the shellcode is dropping, and the spyware the trojan downloader is downloading and executing will all run AS USER.

There is NO WAY to escalate privileges with this WMF bug.

As for the Sony DRM rootkit - its rootkit component is the aries.sys driver; it's basically copy/pasted from sample source from rootkit.com. Now, if you knew anything about Windows drivers, you would know that there is NO WAY to install them unless you're running as Admin, regardless of the filesystem you're trying to run the driver from.

All of these won't work on non NTFS anyway. You are surrounded by non NTFS systems/appliances (USB key, CDROM, ...) in case you didn't know.

When you see spyware, worms and viruses spreading via USB and CDROM, let me know.

Everything in NT is an object managed by the Object Manager executive subsystem and every object has a security descriptor with an ACL enforced by the Security Reference Monitor executive subsystem

Wrong. That's one big flaw of NT BTW.

No it isn't, IMHO the NT Object Manager is the supreme example of its great design. Imagine: everything is an object (file, device, thread, semaphore, mutex, process, driver...), and every object type has a set of private routines (OPEN/QUERY/CLOSE/DELETE/SECURITY) that are routed onto object-specific functions.

When you open a file in Windows Explorer, open a mutex or semaphore inside your C code, or try to terminate a process in Task Manager... the object-type-specific SECURITY method is invoked and your access token is validated against the ACL of the object you are trying to open/delete/enumerate/execute.

Now show me how to set an ACL on a socket or POSIX semaphore/thread/mutex in Linux without installing some obscure kernel patches? No way dude.

Thanks to the NT Object Manager I can atomically wait on an array of DIFFERENT object handles with WaitForMultipleObjects(); there is no way to do anything similar in pthreads.

Especially since in Linux, this is configurable on an object-by-object basis, by device, by default, ...

In NT-based Windows you can configure ACLs on an object-by-object basis too; you could actually do it since 1993.

Go download the Sysinternals Process Explorer and WinObjEx tools and play as much as you like.

So these kinds of hacks are not possible by default on a Linux system, so no, it's not obvious to me.

Oh please, there are hundreds of Linux rootkits easily found on the Internet; actually the very first rootkit was made for UNIX (SunOS) in 1994. And regarding the WMF exploit, it's a classical buffer overflow and Linux is by no means immune to them. It's the result of the IA-32 stack implementation that (up until recently) didn't support a non-executable stack.

Edited 2006-01-02 12:31

Reply Parent Score: 1
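To make the Object Manager point above concrete (an added example, not ivans's or Microsoft's code): a named mutex carries a security descriptor just like a file does, and the access check runs when a handle is opened, not when an already-open handle is used. It assumes Windows PowerShell 5.1 (the .NET Framework ACL methods on System.Threading.Mutex); the mutex name is constructed for the demo.

```powershell
# Added example: a non-file kernel object (named mutex) has its own DACL,
# and the SECURITY check happens at handle-open time.
# Assumes Windows PowerShell 5.1 / .NET Framework; mutex name is constructed.

$name = 'Local\ace-demo-mutex'
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Creating the mutex opens our first handle with MUTEX_ALL_ACCESS.
$mutex = New-Object System.Threading.Mutex($false, $name)
$sec   = $mutex.GetAccessControl()
"Mutex DACL before: $($sec.GetSecurityDescriptorSddlForm('Access'))"

# Deny the Synchronize right (needed to wait on the mutex) to ourselves.
$deny = New-Object System.Security.AccessControl.MutexAccessRule -ArgumentList $me, 'Synchronize', 'Deny'
$sec.AddAccessRule($deny)
$mutex.SetAccessControl($sec)
"Mutex DACL after:  $($mutex.GetAccessControl().GetSecurityDescriptorSddlForm('Access'))"

# A new open that requests Synchronize is refused by the access check...
try {
    [System.Threading.Mutex]::OpenExisting($name, 'Synchronize') | Out-Null
    'Open succeeded (unexpected)'
} catch {
    "Open denied as expected: $($_.Exception.GetType().Name)"
}

# ...while the original handle keeps the rights it was granted at creation,
# which is why auditing open handles (e.g. in Process Explorer) matters.
"Existing handle still waits: $($mutex.WaitOne(0))"
$mutex.ReleaseMutex()
$mutex.Dispose()
```

The same `GetAccessControl`/`SetAccessControl` pattern applies to the other securable .NET wrappers (Semaphore, EventWaitHandle, registry keys), which is the per-object-type SECURITY dispatch described in the post.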