Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.
Responsible for discovering this new UAC bypass method is a German student that goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.
The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.
While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:
C:\Windows\System32\fodhelper.exe
If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.
Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").
Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.
The technique employs changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command is executed without the UAC prompt. The article continues with how to avoid the exploit. First off, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."
(Score: 2, Disagree) by Snotnose on Thursday May 25 2017, @11:35PM (30 children)
I know it's fun to bash Microsoft but this shows security is hard. Windows takes the heat because it has the most market penetration. Linux security would also suck if it had anywhere near 50% saturation. I have to wonder about the Linux servers, are they pretty secure, does nobody care, or don't they hold any information hackers care about?
When the dust settled America realized it was saved by a porn star.
(Score: 2) by ikanreed on Thursday May 25 2017, @11:43PM
Then there was that time that any user with steam installed could have any browser page redirect automatically run arbitrary code because the steam:// url scheme was completely stupid to embed at the system level.
I don't actually know if they fixed that one yet or not.
(Score: 1, Informative) by Anonymous Coward on Thursday May 25 2017, @11:45PM (2 children)
Security *is* hard. No doubt about that!
But Linux does cover more than 50% of all computing devices (think phones, servers and your hipster friends running Ubuntu) and easily surpasses Windows' install-base. I think its market penetration is pretty in-everyones-face and I would say an even more lucrative target than your average Win10 user's machine since servers are more powerful which is useful if you want to hijack compute time. Servers also hold (and have access to) a lot more interesting data on a lot more users and more business-critical data that the company would likely be willing to pay for if it ever gets crypto-ransommed.
So don't be too quick with the whole "it's because Microsoft Windows is so widely used and Linux isn't"
(Score: 2) by butthurt on Friday May 26 2017, @12:32AM (1 child)
-- https://news.netcraft.com/archives/category/web-server-survey/ [netcraft.com]
(Score: 3, Informative) by Anonymous Coward on Friday May 26 2017, @02:30AM
One wonders: Of those, in how many cases was the visit by Netcraft the only traffic those servers got that month?
http://www.google.com/search?tbs=li:1&q=parked.domain [google.com]
I remember when M$ paid GoDaddy to switched all of their zero-traffic domains from Linux to Windoze in order to queer the numbers.
-- OriginalOwner_ [soylentnews.org]
(Score: 2) by Jeremiah Cornelius on Friday May 26 2017, @12:05AM
I'm sure there are a half-dozen such examples waiting to be discovered, using systemd. Probably not even needing a setuid root binary, the rough equivalent of MS's signed binary.
You're betting on the pantomime horse...
(Score: 2, Informative) by JoeMerchant on Friday May 26 2017, @12:08AM (11 children)
Security is simple - users are hard. They demand "friendly, convenient" software. That's where the problems come in.
If we all had to sign in with a 27 character minimum passphrase, biometric scan and physical security token every 5 minutes or less, with auto-logout every time the camera detects that you have looked away from the screen for more than 2 blinks, security would be simple.
🌻🌻 [google.com]
(Score: 2) by Nerdfest on Friday May 26 2017, @12:45AM (10 children)
Exploits like this would still work.
(Score: 4, Insightful) by JoeMerchant on Friday May 26 2017, @01:15AM (9 children)
No, because there would be no "elevated privileges," no special programs that can run themselves without a user manually giving them privileges. If you need admin, call somebody from IT who has admin and have them physically present while they are performing the admin level work.
The problem with security is convenience - same in computers as in the real world. We like our houses with "un-secure" features like affordable less-than-bank-vault doors and walls, windows, direct ventilation without filtration and harmful agent detection screens. We generally get by with very insecure homes and vehicles based on the rule of law and punishment for those who violate trust.
🌻🌻 [google.com]
(Score: 2) by Nerdfest on Friday May 26 2017, @02:28AM (8 children)
You mentioned nothing about eliminating special privileged processes in your previous post, only user security.
(Score: 2) by JoeMerchant on Friday May 26 2017, @03:27AM (7 children)
Why in the hell would you have special privileged processes in a system that is so inconvenient to use? What's the point? Make the user responsible for everything, then security is no longer the system's problem.
I actually have a lawnmower like this, it has a cell-phone app the controls the mower by BLE and if you "manual drive" the mower, you have to keep constant contact on the mowing button to keep the blades going - inconvenient as hell, makes the operator "responsible" for the blades spinning, no "latched" cutting mode in the interface.
🌻🌻 [google.com]
(Score: 2) by Nerdfest on Friday May 26 2017, @03:31AM
I'm not saying they're not a bad idea, I'm saying you didn't mention them at all. "Informative" my ass.
(Score: 2) by Immerman on Friday May 26 2017, @03:48AM (5 children)
Unfortunately "making the user responsible" is actually really lousy security practice - even today, users are already usually the weakest point in the security. Putting the responsibility on their shoulders isn't an improvement, it's an abdication of the responsibility of making a decent product.
A mower kill switch is a completely different beast - genuine security, though it does sound like your mower has a poor interface. Typically you have a mechanical trigger switch instead - easy to hold down while grasping the handles, but also easy to release if something does go wrong (and by the law of large numbers, something WILL go wrong for someone. Probably a lot of someones) . I can't even imagine the horrors that would result from a latchable smartphone interface. Run over your foot. snag a shoelace that gets dragged in, etc. and you want that blade to stop as fast as possible, every millisecond counts. And in pain or panic, unlatching a smartphone interface is not going to be remotely as fast and intuitive as letting off the trigger.
(Score: 2) by FatPhil on Friday May 26 2017, @10:24AM (3 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by kazzie on Friday May 26 2017, @10:37AM
For that reason, modern UK trains require the driver to periodically release and re-engage the deadman's switch.
(Score: 2) by JoeMerchant on Friday May 26 2017, @11:56AM (1 child)
Push mowers in the US have had "lawyer levers" on them for over a decade now, release the handle and a cable actuated brake stops the spinning blades quickly.
Bag of shopping does not defeat the lawyer lever, but wire hanger of clothes, wrapped around the handle, makes a convenient and switchable defeat mechanism.
🌻🌻 [google.com]
(Score: 2) by FatPhil on Friday May 26 2017, @01:12PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by JoeMerchant on Friday May 26 2017, @11:52AM
I'm not saying it's practical, or even desirable. I am saying: it's easy to make a system secure, it's hard to herd cats, and it's even harder to cater to user's desires without destroying security.
Go to "root cause" of most insecure practices and you'll find "convenience" or "ease of use" in the rationale for why it was done in the first place. Occasionally you'll find lazy programmers (or "ease of implementation") and those are relatively easy to fix, but the features for users' convenience are not easy to fix at all.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Friday May 26 2017, @12:28AM
"I know it's fun to bash Microsoft."
There, I FTFY. That's all you need to say.
(Score: 1, Insightful) by Anonymous Coward on Friday May 26 2017, @02:37AM (7 children)
Linux servers, are they pretty secure, does nobody care, or don't they hold any information hackers care about
Google has zero servers running Windoze.
Google has over a million running Linux.
I challenge you to point to a single instance of pwnership in that domain.
...meanwhile, UAC is NOT security.
It's just another case of M$ blaming the user.
Having to click yet another time for "Yes, this is really what I want to do" is simply another MICROS~1 annoyance.
Anyone who hasn't yet disabled this stupid shit just clicks away the "security" without even thinking about it.
-- OriginalOwner_ [soylentnews.org]
(Score: -1, Flamebait) by Anonymous Coward on Friday May 26 2017, @02:56AM (5 children)
https://www.theregister.co.uk/2017/04/27/hajime_iot_botnet/ [theregister.co.uk]
Yep linux is totally secure.
You can do better than that.
(Score: 1, Interesting) by Anonymous Coward on Friday May 26 2017, @04:57AM (3 children)
How did I know that John Leyden was the author before I even clicked the link?
If you're depending on that douche for tech news, you are truly desperate for sources.
Moving on: If you go to dodgy places to get software, you deserve what you get.
This was NOT an infection.
This was a self-inflicted wound.
This is like stabbing yourself and claiming that you were attacked.
Next time:
Don't PURPOSELY get your software from crap places.
Don't PURPOSELY install crap software.
Don't PURPOSELY give crap software executable permissions.
Don't PURPOSELY run crap software.
IOW, don't do FOUR STUPID THINGS then blame your operating system for not preventing you from doing stupid things.
Linux users (which excludes John Leyden) know all of this; they will just open their package managers and get vetted stuff from trusted sources--a thing that Windoze still lacks, and always will.
-- OriginalOwner_ [soylentnews.org]
(Score: 0) by Anonymous Coward on Friday May 26 2017, @06:11AM (2 children)
Have you looked on a forum for a popular distro lately?
(Score: 0) by Anonymous Coward on Friday May 26 2017, @08:30AM (1 child)
Do you have a point?
...besides the one on the top of your head?
-- OriginalOwner_ [soylentnews.org]
(Score: 0) by Anonymous Coward on Friday May 26 2017, @08:33AM
You seem to be missing it, actually.
(Score: 3, Insightful) by FatPhil on Friday May 26 2017, @10:32AM
When idiots build something insecure around MS Windows, it's the idiots' fault.
When idiots build something insecure around Linux, it's the idiots' fault.
When engineers build something secure around MS Windows, and it's still insecure, then it's Microsoft's fault, but also the engineers' fault for chosing MS Windows.
When engineers build something secure around Linux, then everyone's happy.
MS Windows and Linux cannot be compared as equals. (They may of course be compared in order to contrast them.)
Idiots and engineers likewise cannot be compared as equals. (Ditto)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Friday May 26 2017, @02:17PM
Well, UAC has always struck me as adding yourself to the wheel group and setting up sudoers so %wheel can run any command without a password but with the added annoyance of a system modal dialog that interrupts everything you're doing.
I set up sudoers like that before on my personal machines, but it is really, really stupid honestly. I don't think anything's bad come of it for me (yet), but it kind of defeats the purpose. I'd never do that on a production server, and I don't even do it on my personal machines any more.
(Score: 0) by Anonymous Coward on Friday May 26 2017, @03:01AM (1 child)
It's easier to do security on Linux because you can throw away backwards compatibility for a complete rewrite.
Doing both ... that's why Red Hat makes so much money. They keep their systems very secure while still supporting them for something like 15 years.
The OpenBSD way is to break everything every other release or so to try new security techniques. It's very very secure, but no proprietary software will ever exist for it because of the constant breakage.
(Score: 0) by Anonymous Coward on Friday May 26 2017, @05:07AM
No software that denies users their freedoms? Sounds like a feature to me.
(Score: 0) by Anonymous Coward on Friday May 26 2017, @03:32AM
No. NOT true. False! Micro$erf fud. The rest of your point is valid. Except ask yourself? Why does the NSA have all these Windows vulns stockpiled?
(Score: 0) by Anonymous Coward on Friday May 26 2017, @08:06AM
This is the exhaustive list of trusted binaries in my default Ubuntu setup:
Linux is more secure because it has a smaller attack surface. The less places to poke security holes, the less security holes there will be. This is a simple mathematical inevitability.