
Windows Vista vulnerable to long-time attack method

By Dennis Fisher, Executive Editor
12 Mar 2007 | SearchSecurity.com


Windows Vista is vulnerable to a well-known attack that could enable an attacker to get full access to an exposed machine, according to researchers at McAfee Inc.

The attack is based on an obscure feature in many versions of Windows, including XP and 2000, called StickyKeys. The feature helps disabled users by keeping a key, such as a control or shift key, active until the user presses another key. Windows does not verify the integrity of the file that's used to launch StickyKeys before allowing it to run, creating a problem, McAfee said.

This leaves open all kinds of intriguing possibilities for attackers, the most obvious one being the ability to replace the StickyKeys launch file with another file. As McAfee AVERT Labs researcher Vinoo Thomas points out in a blog post on the vulnerability, "cmd.exe" would be a useful choice.

"After replacement, one could invoke this command prompt at the login prompt without the need to authenticate," Thomas said in his blog entry. "Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\system account. And from this point on an attacker has full access to the system."

An attacker can also use the StickyKeys vector to bypass the normal login procedure for terminal servers and remote desktops, Thomas said.

There are a few factors that can mitigate an attacker's ability to use this method, however, especially in Vista. As part of its focus on finding ways to prevent malware from being installed without users' knowledge, Microsoft Corp. has included in Vista a feature called Windows Resource Protection, which helps prevent users or attackers from making changes to certain files, registry keys and folders. This should make it much more difficult for a cracker to replace the StickyKeys file, but Thomas shows a simple method for bypassing the trusted installer protection.

"To execute the above commands successfully, it requires an administrator to be logged in; but a determined attacker can always find workarounds to exploit this built-in backdoor. In fact once a command prompt is obtained via this method, we can use it to create a new user, add this user to the administrators group via the net command and then use this account to rightfully log in using [two] commands," Thomas writes. "One can always argue that an attacker actually needs access to the machine to be able to pull this off. Of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees. And it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today."
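Because Windows does not verify the StickyKeys launch file before running it, a defender has to check that file out of band. The added example below (not from the article or from McAfee's post) flags a launcher that is byte-identical to cmd.exe or whose hash is missing from a known-good baseline. The launcher's file name in System32 is sethc.exe, which the article does not give; the baseline set, the function names and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

LAUNCHER = "sethc.exe"  # StickyKeys launcher in System32 (file name not given in the article)
SHELLS = ("cmd.exe",)   # the replacement the article mentions

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def find_ci(root, name):
    """Case-insensitive lookup, so a Windows volume mounted on Linux works too."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def check_launcher(system32, baseline=None):
    """Return findings for the StickyKeys launcher; an empty list means no finding."""
    launcher = find_ci(system32, LAUNCHER)
    if launcher is None:
        return [f"{LAUNCHER} not found"]
    digest = sha256_file(launcher)
    findings = []
    for name in SHELLS:
        shell = find_ci(system32, name)
        if shell is not None and sha256_file(shell) == digest:
            findings.append(f"{LAUNCHER} is byte-identical to {name}")
    if baseline is not None and digest not in baseline:
        findings.append(f"{LAUNCHER} hash is not in the known-good baseline")
    return findings

def demo():
    """Run the check on two constructed directories (placeholder bytes, not real binaries)."""
    results = {}
    good, shell = b"constructed-sethc-bytes", b"constructed-cmd-bytes"
    baseline = {hashlib.sha256(good).hexdigest()}
    for label, launcher_bytes in (("clean", good), ("swapped", shell)):
        with tempfile.TemporaryDirectory() as d:
            (Path(d) / "Sethc.exe").write_bytes(launcher_bytes)
            (Path(d) / "cmd.exe").write_bytes(shell)
            results[label] = check_launcher(d, baseline)
    return results

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

On a live or mounted system, pass the System32 directory as `system32` and a set of SHA-256 hashes taken from a trusted reference image as `baseline`.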
