Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.
Responsible for discovering this new UAC bypass method is a German student who goes online by the name of Christian B. and is currently working on a master's thesis centered on UAC bypass techniques.
The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.
While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:
C:\Windows\System32\fodhelper.exe
If the file name isn't familiar to you, fodhelper.exe is the window that appears when you click the "Manage optional features" option in the "Apps & features" Windows Settings screen.
Both techniques work the same way and take advantage of what's called "auto-elevation," a status that Microsoft assigns to trusted binaries (files signed with a Microsoft certificate and located in trusted locations such as "C:\Windows\System32").
Just like eventvwr.exe, fodhelper.exe is a trusted binary, meaning Windows 10 won't show a UAC prompt when it is launched, or when other processes are spawned from the fodhelper.exe parent process.
The technique works by changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command runs without a UAC prompt. The article continues with how to avoid the exploit: first, do NOT run as an Administrator by default; second, set the UAC level to "Always notify."
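The two mitigations the story names can be audited from an ordinary PowerShell session. The script below is an added example, not code from the article or from Christian B.'s research; the registry path and value names are the documented UAC policy settings, and the slider-name mapping and the "DOMAIN\user" name comparison for Get-LocalGroupMember are this example's own assumptions (Microsoft/Azure AD accounts may be listed under a different name).

```powershell
# Added example (not from the article): audit the two mitigations the story
# recommends against fodhelper-style auto-elevation abuse:
#   1. the UAC slider is at "Always notify"
#   2. the everyday account is not a member of local Administrators
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# Map the documented policy values back to the slider position. Auto-elevation
# of trusted Windows binaries is in effect at every level except "Always notify".
$level = if ($uac.EnableLUA -ne 1) { 'UAC disabled (EnableLUA=0)' }
elseif ($uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1) { 'Always notify' }
elseif ($uac.ConsentPromptBehaviorAdmin -eq 5 -and $uac.PromptOnSecureDesktop -eq 1) { 'Notify only for non-Windows apps (default)' }
elseif ($uac.ConsentPromptBehaviorAdmin -eq 5) { 'Notify only for non-Windows apps, no secure desktop' }
elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) { 'Never notify' }
else { "Other (ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin))" }

# Is the logged-on account a local admin? On a filtered (non-elevated) token the
# Administrators group is deny-only, so check the group's membership directly.
# Assumption: the member is listed as DOMAIN\user, as for local and AD accounts.
$me = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$isLocalAdmin = $admins -contains $me

# Is this very process already running with the full (elevated) admin token?
$principal  = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# A bypass like this one only buys something when the account is an admin whose
# token UAC would silently elevate; either mitigation removes that condition.
[pscustomobject]@{
    UacLevel                  = $level
    AlwaysNotify              = ($level -eq 'Always notify')
    CurrentUserIsLocalAdmin   = $isLocalAdmin
    ProcessIsElevated         = $isElevated
    AutoElevationAbuseBlocked = (-not $isLocalAdmin) -or ($level -eq 'Always notify')
} | Format-List
```

Run it from a non-elevated prompt; AutoElevationAbuseBlocked is $false exactly when an admin account is sitting at any slider position below "Always notify," which is the condition both bypasses rely on.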
(Score: 2) by Nerdfest on Friday May 26 2017, @12:45AM (10 children)
Exploits like this would still work.
(Score: 4, Insightful) by JoeMerchant on Friday May 26 2017, @01:15AM (9 children)
No, because there would be no "elevated privileges," no special programs that can run themselves without a user manually giving them privileges. If you need admin, call somebody from IT who has admin and have them physically present while they are performing the admin level work.
The problem with security is convenience - same in computers as in the real world. We like our houses with "un-secure" features like affordable less-than-bank-vault doors and walls, windows, direct ventilation without filtration and harmful agent detection screens. We generally get by with very insecure homes and vehicles based on the rule of law and punishment for those who violate trust.
(Score: 2) by Nerdfest on Friday May 26 2017, @02:28AM (8 children)
You mentioned nothing about eliminating special privileged processes in your previous post, only user security.
(Score: 2) by JoeMerchant on Friday May 26 2017, @03:27AM (7 children)
Why in the hell would you have special privileged processes in a system that is so inconvenient to use? What's the point? Make the user responsible for everything, then security is no longer the system's problem.
I actually have a lawnmower like this, it has a cell-phone app that controls the mower by BLE and if you "manual drive" the mower, you have to keep constant contact on the mowing button to keep the blades going - inconvenient as hell, makes the operator "responsible" for the blades spinning, no "latched" cutting mode in the interface.
(Score: 2) by Nerdfest on Friday May 26 2017, @03:31AM
I'm not saying they're not a bad idea, I'm saying you didn't mention them at all. "Informative" my ass.
(Score: 2) by Immerman on Friday May 26 2017, @03:48AM (5 children)
Unfortunately "making the user responsible" is actually really lousy security practice - even today, users are already usually the weakest point in the security. Putting the responsibility on their shoulders isn't an improvement, it's an abdication of the responsibility of making a decent product.
A mower kill switch is a completely different beast - genuine security, though it does sound like your mower has a poor interface. Typically you have a mechanical trigger switch instead - easy to hold down while grasping the handles, but also easy to release if something does go wrong (and by the law of large numbers, something WILL go wrong for someone. Probably a lot of someones). I can't even imagine the horrors that would result from a latchable smartphone interface. Run over your foot, snag a shoelace that gets dragged in, etc. and you want that blade to stop as fast as possible, every millisecond counts. And in pain or panic, unlatching a smartphone interface is not going to be remotely as fast and intuitive as letting off the trigger.
(Score: 2) by FatPhil on Friday May 26 2017, @10:24AM (3 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by kazzie on Friday May 26 2017, @10:37AM
For that reason, modern UK trains require the driver to periodically release and re-engage the deadman's switch.
(Score: 2) by JoeMerchant on Friday May 26 2017, @11:56AM (1 child)
Push mowers in the US have had "lawyer levers" on them for over a decade now, release the handle and a cable actuated brake stops the spinning blades quickly.
Bag of shopping does not defeat the lawyer lever, but wire hanger of clothes, wrapped around the handle, makes a convenient and switchable defeat mechanism.
(Score: 2) by FatPhil on Friday May 26 2017, @01:12PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by JoeMerchant on Friday May 26 2017, @11:52AM
I'm not saying it's practical, or even desirable. I am saying: it's easy to make a system secure, it's hard to herd cats, and it's even harder to cater to users' desires without destroying security.
Go to "root cause" of most insecure practices and you'll find "convenience" or "ease of use" in the rationale for why it was done in the first place. Occasionally you'll find lazy programmers (or "ease of implementation") and those are relatively easy to fix, but the features for users' convenience are not easy to fix at all.