Comments on: Windows 7 auto-elevation mistake lets malware elevate freely, easily

By: Pearl Tech » Blog Archive

Pearl Tech » Blog Archive — Wed, 31 Dec 1969 18:00:00 +0000

[...] in the week, independent researchers Rafael Rivera and Long Zheng described an exploit that could turn off the UAC prompt, which typically notifies [...]

By: Why upgrade to Vista when Windows 7 will be here soon? | OS Attack

Why upgrade to Vista when Windows 7 will be here soon? | OS Attack — Wed, 31 Dec 1969 18:00:00 +0000

[...] change with UAC in Windows 7 that essentially makes it less secure than Windows Vista. Rafael of Within Windows then posted about applications that have been White Listed and are automatically elevated to the [...]

By: бaкинeц

бaкинeц — Wed, 31 Dec 1969 18:00:00 +0000

Глубокоуважаемые, а нельзя оставлять комментарии по теме, а не разную глупость типа Автор молодец и т.д.

By: Tutto quello che c’è da sapere su Windows 7 « Guiodic Blog

Tutto quello che c’è da sapere su Windows 7 « Guiodic Blog — Wed, 31 Dec 1969 18:00:00 +0000

[...] In realtà non c’è bisogno che il programma venga direttamente infettato. E’ possibile realizzare semplicemente un malware che esegue uno di questi programmi e assume i privilegi di amministratore [...]

By: Software Source Update » Blog Archive » Windows 7 silently elevates malware access

Wed, 31 Dec 1969 18:00:00 +0000

[...] Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install [...]

By: George

George — Wed, 31 Dec 1969 18:00:00 +0000

This is one of the strangest proof of concept flaws I’ve ever seen. I totally understand how injecting a dll into a white listed app could exploit this. Would it not be better for the functions requiring admin privilledges to check if the invoker is white listed and if not, then prompt? That seems like an easier option.

By: List of Windows 7 (beta build 7000) auto-elevated binaries - 【windows7 Home】

List of Windows 7 (beta build 7000) auto-elevated binaries - 【windows7 Home】 — Wed, 31 Dec 1969 18:00:00 +0000

[...] my last post regarding Windows 7’s new “auto-elevate” flag (and potential issues with such a system), I mentioned compiling a list of all the flagged [...]

By: blogger » Blog Archive » Microsoft changes Windows 7 UAC due to new exploit code

Wed, 31 Dec 1969 18:00:00 +0000

[...] will … automatically elevate the process to High Mandatory Level, executing your payload wearing an administrative hat," Rivera said in a post to his blog early this [...]

By: Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy | Window7s

Wed, 31 Dec 1969 18:00:00 +0000

[...] Without going into too much detail, as you already may know from the previous postings, Windows 7 has the ability automatically elevates Microsoft-signed applications and code which specifies “auto elevation” to mitigate the number of UAC prompts. Rafael Rivera has more details how this works. [...]

By: Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy « Window7s

Wed, 31 Dec 1969 18:00:00 +0000

By: Mac OS X Dialog Box Spoofing—Believe Me, I’m System Preferences

Mac OS X Dialog Box Spoofing—Believe Me, I’m System Preferences — Wed, 31 Dec 1969 18:00:00 +0000

[...] While analyzing the recent OSX.Iservice.B threat I noticed some interesting API calls that were dealing directly with the Mac OS X authorization mechanism. There are plenty of interesting analyses and discussion about Windows UAC, both regarding Vista (Ollie’s post) or the recent Windows 7 UAC. [...]

By: Microsoft responds to UAC criticism in Windows 7 and fixes design flaws | IT Knowledge Hub

Wed, 31 Dec 1969 18:00:00 +0000

[...] in Windows 7 RC, you will always be prompted when the UAC level is changed to prevent any malicious scripts from silently changing your UAC level and taking over your computer. For everybody using Windows 7 [...]

By: Microsoft responds to UAC criticism in Windows 7 and fixes design flaws | Windows 7 Center

Wed, 31 Dec 1969 18:00:00 +0000

By: 4sysops - Windows 7 UAC vulnerabilities

4sysops - Windows 7 UAC vulnerabilities — Wed, 31 Dec 1969 18:00:00 +0000

[...] Rafael Rivera again wrote a proof-of-concept. He uses a proxy application, which he called Catapult.exe, that launches Cake.dll. With the default UAC setting, Windows will run Cake.dll with admin privileges without issuing a prompt. You can verify that if you set the UAC setting to “Always notify me”. If you start Catapult.exe with this configuration, you will get a UAC prompt. [...]

By: Il web cambia la decisione di Microsoft sull’UAC di Windows 7 | Windows 7 Blog

Wed, 31 Dec 1969 18:00:00 +0000

[...] sul lavoro di Rafael Rivera Long Zheng ha dimostrato che la combinazione di elevation automatica di software [...]

By: Latest Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy | Gadget on Gatzet Info

Wed, 31 Dec 1969 18:00:00 +0000

By: Xtreem0

Xtreem0 — Wed, 31 Dec 1969 18:00:00 +0000

http://blogs.zdnet.com/microsoft/?p=1914 there is an update where apparently they say they have fixed it. Mined you we may not see the fix untill final releace

By: UAC in Windows 7 is like a screen door on a submarine | OS Attack

UAC in Windows 7 is like a screen door on a submarine | OS Attack — Wed, 31 Dec 1969 18:00:00 +0000

[...] posting their original findings Rafael Ravera has posted a follow up on his site showing how malware could use rundll32.exe or any other [...]

By: Boycott Novell » Turkey, France, United Stated Under Attack by Microsoft Windows Insecurities

Wed, 31 Dec 1969 18:00:00 +0000

[...] status (beta) that wrongly indicates maturity, the operating system is not secure and it keeps looking worse as people study it more closely. As you probably know by now, Windows 7 introduces some new in-between modes for User Account [...]

By: » Microsoft: UAC security setting not changing (for now) | All about Microsoft | ZDNet.com

Wed, 31 Dec 1969 18:00:00 +0000

[...] the entire UAC security-setting controversy, I’ll just point to a few posts about it from Within Windows, Istartedsomething, and yours truly. [...]

By: Nicky

Nicky — Wed, 31 Dec 1969 18:00:00 +0000

Although I’m currently at work and havent yet tried hack created by the author, I will try it when I get home and post my results.

By: Nicky

Nicky — Wed, 31 Dec 1969 18:00:00 +0000

If explorer will allow anyone to take advantage of elevated privilages, then what is the solution, to what I see as the most ridiculous security flaw ever? I was under the impression that Windows 7 was supposed to be supiriour to Vista in every sense. I have been running build 7000 for about a week and I’m very happy with it so far but if I have to get annoying confirm boxes every 30 seconds just to have a secure OS then I’ll probably start looking elsewhere for a new OS.

By: asf

asf — Wed, 31 Dec 1969 18:00:00 +0000

@Dan: I was not sure if cmd.exe could be auto elevated. The point still stands, if explorer gives you full control, you can replace a dll that implements some shell extension with your own evil dll

By: Win 7 fan

Win 7 fan — Wed, 31 Dec 1969 18:00:00 +0000

It does not work 4 me. I am running win 7 built 7000

By: Leo Davidson

Leo Davidson — Wed, 31 Dec 1969 18:00:00 +0000

@Dan: I know Exploder doesn’t run elevated. It doesn’t have to. It, or anything running inside of it, can *silently* elevate other code.

That’s the whole problem. (And it’s not just limited to Explorer.exe; I’m just using that as a well-known example other than RunDll32.exe.)

In the past elevated processes could create other elevated processes. That isn’t an issue because there’s nothing you can’t do in the original process that you can do in the ones it can spawn. If you’ve taken control of an elevated process you don’t need to spawn another one; you can do whatever you want in the process you already have.

Now, by default in Win7 beta, there are non-elevated processes like Explorer.exe which can create elevated processes without prompting. And since Explorer.exe (etc.) are non-elevated, *all* *other* non-elevated processes can take control of them and in turn elevate anything they want without prompting.

In other words, a non-elevated process which is not whitelisted for silent elevation can elevate things silently with very little effort. That’s the problem!

It’s getting frustrating explaining this again and again. :(