Widely touted by Microsoft executives as the most secure version of Windows ever, Vista has received significant security press in the past six months. Not all of it has been good, as researchers are uncovering flaws in Vista on a regular basis. So, is Vista truly a new peak in operating system security? Let's examine some of these flaws and consider their implications.
In December 2006, proof-of-concept code started floating around the Internet that could enable an attacker to escalate privileges from a limited user account to full-blown system-level access by undermining a critical system process called csrss.exe.
With earlier versions of Windows, many organizations gave all users local administrator privileges on their systems so they could add printers or install software. However, letting users surf the Internet or read email with admin privileges is dangerous, so Microsoft designed Vista to have better separation of privileges. Despite Microsoft's best efforts, privilege-escalation attacks like this one dodge the increased security. Additional local privilege-escalation vulnerabilities were disclosed in February 2007, indicating Vista is likely a fertile hunting ground for this kind of flaw.
Flaw or feature?
Also in February, security researcher Joanna Rutkowska revealed another Vista security dilemma. One of Vista's main security controls is called User Account Control, (UAC). UAC issues dialog boxes asking the user for permission to do things, such as installing a program. The user can either choose to grant such privileges, or not install the program.
In detailing the UAC flaw, Rutkowska observed that all application installation programs require administrator privileges to run, so installing even the simplest program (Rutkowska used the example of a Tetris game) requires great privileges. She criticized Microsoft in her blog, since this requirement flies in the face of Vista's purported separation of privileges.
But Mark Russinovich, creator of the Sysinternals suite of tools that was purchased by Microsoft last summer, countered by saying, "Potential avenues of attack, regardless of ease or scope, are not security bugs." His argument is that, because this issue was part of the Vista design, with its UAC and programs running at different integrity levels (ILs), it shouldn't be considered a security flaw.
"Why did Windows Vista go to the trouble of introducing elevations and ILs?" he wrote. "To get us to a world where everyone runs as standard user by default and all software is written with that assumption."
That's a good thing -- except where local privilege-escalation flaws undermine it -- but it really doesn't respond to Rutkowska's concerns about requiring every installer to have admin rights. Security flaws could be implementation bugs (such as the multitude of buffer overflow vulnerabilities we see on a regular basis) or design decisions that go awry and don't address the real-world threats they must face.
No signature required
Last year, Rutkowska also demonstrated an ingenious method for getting around Vista's requirement for signed device drivers. To stem the tide of kernel-mode rootkits that control an OS from its heart, Microsoft required that all device drivers be digitally signed before the kernel would load them.
However, Rutkowska wrote a program that simply starts allocating a lot of memory, putting the squeeze on the memory available to other programs and ultimately causing the kernel itself to run low on memory. When memory is scarce, programs start paging out pieces of their code that they aren't currently running, putting them in a pagefile on the hard drive. Rutkowska's memory hog would ultimately force the Vista kernel to start paging out its own device drivers and other code. Then, her code would alter the parts of the kernel that were paged out and free up memory, causing the kernel to page her altered kernel elements back in. Voila: an altered kernel that bypasses signature requirements.
Giving security the boot
Other security researchers have demonstrated Vista kernel attacks via the boot sector. When your system starts up, a small program in your BIOS locates your boot device -- the hard drive, a CD, a USB device, etc. Code from the boot sector runs the OS booting components, which, in turn, load the kernel.
In March 2007, Nitin and Vipin Kumar released a tool called Vbootkit that undermines this process. With a bootable CD or USB device, an attacker can load Vbootkit before the kernel even comes into play. Vbootkit can alter the kernel from within as it loads, making it do all manner of evil things, such as escalating the privileges of processes controlled by the attacker.
The current incarnation of Vbootkit requires physical access to insert a CD or USB token, and doesn't remain after the computer is shut down. In the future, however, similar techniques could be used to alter a hard drive's boot sector or even to flash to a system's BIOS. That would require no physical access and stay on the system through a reboot -- even after a hard drive reformat! And, because Vbootkit is first, kernel driver code signing requirements don't apply to it.
Clouds on the horizon
The folks in Redmond built an amazing array of security features into Vista, including UAC, improved privilege separation, and the code-signing protections around the kernel. However, the nearly monthly release of major Vista security issues is cause for concern. Several high-level factors can undermine Microsoft's best efforts:
- The threat landscape has shifted in recent years. Criminal attackers are making big money; they
have a research and development budget, allowing them to create ever-more devious attacks. To keep
up with the bad guys, legitimate security researchers are looking at the operating system with
increased scrutiny, devising attacks more subtle and elaborate than ever.
- Attacks like Vbootkit show that Microsoft cannot control everything. Even the Vista operating
system is dependent on various hardware devices to boot, and these devices could come under the
control of an attacker.
- Complexity is the enemy of security, and, boy, is Vista complex. Even if Vista represents a major triumph in lowering the number of vulnerabilities per line of code in an operating system, the massive bloat of the software itself means that there likely are still a huge number of undiscovered flaws. Attackers will have a good time over the next several years picking apart mistakes.
Given these factors, expect more major Vista security issues. It's probably the most secure Windows ever, but that doesn't seem to be enough to deal with the threats we face today and in the future.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in May 2007