
posted by janrinok on Sunday October 30 2016, @04:58PM
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

enSilo has published a new Windows code-injection technique it calls AtomBombing (the source article shortens the name to AtomBomb). Despite the headline, it is not a zero-day exploit in the usual sense: it abuses documented, legitimate Windows functionality rather than a bug, which is why there may be nothing for Microsoft to patch.

enSilo's researchers show how an attacker who already has code running on a Windows machine can use the technique to inject code into another process and have it executed there. They call it AtomBombing because it uses the Windows atom tables (the GlobalAddAtom/GlobalGetAtomName family of functions) as the channel for moving the payload between processes.

What makes the technique interesting is that it relies on no security vulnerability in any Windows component, only on native functions behaving as designed. That is why, according to the researchers, Microsoft cannot simply patch it away: legitimate software depends on those functions, so removing or breaking them is not an option.

The researchers report that the technique works on all versions of Windows, and that security software on the system (a firewall or antivirus, for instance) that watches for the classic injection calls will not see the write, because the payload enters the target process through ordinary API calls made by the target itself. Two caveats matter in practice: the attacker must already be executing code in the victim's session, and the technique gains no privilege, so it only reaches processes running as the same user at the attacker's own integrity level or lower. It is a post-exploitation and evasion technique, not a way in.

Abstractly, the technique works as follows:

  1. The attacker first needs to get code running on the Windows machine, for instance by tricking a user into executing it.
  2. The usual way to move that code into another process (allocate memory there with VirtualAllocEx, write it with WriteProcessMemory, start it with CreateRemoteThread) is exactly the pattern antivirus and other security software watch for and block.
  3. Instead, the malicious program writes its payload into the global atom table with GlobalAddAtom, a legitimate Windows function that nothing blocks. The table is shared by all processes in the session, so the payload is now reachable from any of them. Atom strings are limited to 255 characters and cannot contain NUL bytes, so the payload has to be split into chunks and encoded.
  4. It then uses asynchronous procedure calls (APCs) against a thread in a legitimate process, a web browser for instance, to make that thread call GlobalGetAtomName itself. The target copies the payload out of the atom table into its own address space, and further APC-driven calls, chained to get around DEP, turn the copied bytes into running code. No monitored write into the target ever happens from the attacker's process.

enSilo's write-up gives an extremely detailed explanation of AtomBombing. Time to run Windows only in VMs?
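The sequence above leaves a detectable shape even though no single call is suspicious on its own: one process adds atoms whose names look like code rather than hotkey or window-class identifiers, and shortly afterwards queues an APC into a thread owned by a different process, often naming GlobalGetAtomName as the routine. The following is an added example, not code from the article or from enSilo, of correlating those two signals over an API-call trace. The trace format (one dict per call with `ts`, `pid`, `api`, `args`) is hypothetical and constructed here; a real deployment would feed equivalent fields from an EDR or ETW provider.

```python
"""Toy detector for the AtomBombing pattern: a process stuffs payload bytes into
the global atom table with GlobalAddAtom*, then queues an APC into another
process's thread so that thread calls GlobalGetAtomName* and pulls the bytes
into its own address space.

Added example, not from the original article or enSilo. The event format is a
hypothetical user-mode API trace (one dict per call) constructed below.
"""
from collections import defaultdict
from math import log2

ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW", "AddAtomA", "AddAtomW"}
APC_APIS = {"NtQueueApcThread", "NtQueueApcThreadEx", "QueueUserAPC"}
ATOM_READ_APIS = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}


def shannon_entropy(s):
    """Bits per character. Atom names used as hotkey or class identifiers
    score low; arbitrary code bytes encoded into a string score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_like_payload(atom_name, min_len=32, min_entropy=4.5):
    """Heuristic: long and high-entropy is not how applications name atoms."""
    return len(atom_name) >= min_len and shannon_entropy(atom_name) >= min_entropy


def detect_atombombing(events, window=30.0):
    """Per source pid, remember payload-like atom writes and alert when the same
    pid queues an APC into a thread of a *different* process within `window`
    seconds, or names GlobalGetAtomName* as the APC routine at all.
    Returns one alert dict per offending APC call."""
    atom_writes = defaultdict(list)  # pid -> timestamps of payload-like writes
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        api = ev["api"]
        if api in ATOM_WRITE_APIS:
            if looks_like_payload(ev["args"].get("name", "")):
                atom_writes[ev["pid"]].append(ev["ts"])
        elif api in APC_APIS:
            target = ev["args"].get("target_pid")
            if target is None or target == ev["pid"]:
                continue  # APC into the caller's own process: normal for runtimes
            recent = [t for t in atom_writes[ev["pid"]] if ev["ts"] - t <= window]
            routine = ev["args"].get("routine", "")
            if routine in ATOM_READ_APIS or recent:
                alerts.append({
                    "source_pid": ev["pid"],
                    "target_pid": target,
                    "routine": routine,
                    "payload_atoms": len(recent),
                    "severity": "high" if routine in ATOM_READ_APIS else "medium",
                })
    return alerts


def payload_chunk(i):
    """Constructed stand-in for one 200-character slice of encoded shellcode.
    Cycles through 74 printable characters so it scores high on entropy
    without containing any real code."""
    return "".join(chr(0x30 + ((i + j) * 7) % 74) for j in range(200))


def sample_trace():
    """Constructed trace: a benign hotkey app (pid 4100), a runtime queueing an
    APC into its own process (pid 6000), and pid 5200 injecting into a browser
    process (pid 3344) the AtomBombing way."""
    return [
        {"ts": 1.0, "pid": 4100, "api": "GlobalAddAtomW", "args": {"name": "MyApp.Hotkey.Alt+F9"}},
        {"ts": 1.1, "pid": 4100, "api": "RegisterHotKey", "args": {}},
        {"ts": 2.0, "pid": 6000, "api": "QueueUserAPC",
         "args": {"target_pid": 6000, "routine": "TimerCallback"}},
        {"ts": 5.0, "pid": 5200, "api": "GlobalAddAtomW", "args": {"name": payload_chunk(0)}},
        {"ts": 5.1, "pid": 5200, "api": "GlobalAddAtomW", "args": {"name": payload_chunk(1)}},
        {"ts": 5.2, "pid": 5200, "api": "GlobalAddAtomW", "args": {"name": payload_chunk(2)}},
        {"ts": 5.9, "pid": 5200, "api": "NtQueueApcThread",
         "args": {"target_pid": 3344, "target_image": "chrome.exe",
                  "routine": "GlobalGetAtomNameW"}},
    ]


if __name__ == "__main__":
    for alert in detect_atombombing(sample_trace()):
        print(alert)
```

Run as a script it prints a single high-severity alert for pid 5200 targeting pid 3344 with three payload-like atoms; the hotkey application and the self-targeted APC produce nothing. The cross-process APC is the strong signal, so it alerts even when the atom heuristic misses (for example if the payload was encoded to look like text); the atom-write correlation only raises confidence and supplies the chunk count.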

New code injection attack works on all Windows versions - Help Net Security

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/


  • (Score: 2, Insightful) by Anonymous Coward on Sunday October 30 2016, @05:04PM

    by Anonymous Coward on Sunday October 30 2016, @05:04PM (#420555)

    This is just a local way to get from one process to another, without even gaining privilege. It's no worse than having a debug capability.

    • (Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @05:13PM

      by Anonymous Coward on Sunday October 30 2016, @05:13PM (#420560)

      ...and a quite convoluted way of doing this.

      Normally you use CreateRemoteThread paired with WriteProcessMemory or VirtualAllocEx to write your code directly into another process.

      • (Score: 2) by Username on Sunday October 30 2016, @10:11PM

        by Username (4557) on Sunday October 30 2016, @10:11PM (#420669)

        Well, it is an easy and interesting way to get chrome to run code. I didn’t know people actually used atom, or actually thought about using atom other than for setting windows global hotkeys.

    • (Score: 1, Funny) by Anonymous Coward on Sunday October 30 2016, @05:25PM

      by Anonymous Coward on Sunday October 30 2016, @05:25PM (#420567)

      But...but... it's called ATOMbombing... it must be a big deal! Years of being subjected to marketing and advertising has taught me that marketeers never lie and only tell me things that are true and of interest to me. Why would they lie to me about this being a big deal? </sarcasm>

    • (Score: 5, Interesting) by Anonymous Coward on Sunday October 30 2016, @06:18PM

      by Anonymous Coward on Sunday October 30 2016, @06:18PM (#420584)

      Don't you know debuggers are illegal?

      Dan would later learn that there was a time when anyone could have debugging tools. There were even free debugging tools available on CD or downloadable over the net. But ordinary users started using them to bypass copyright monitors, and eventually a judge ruled that this had become their principal use in actual practice. This meant they were illegal; the debuggers' developers were sent to prison.

      Programmers still needed debugging tools, of course, but debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers. The debugger Dan used in software class was kept behind a special firewall so that it could be used only for class exercises.

      It was also possible to bypass the copyright monitors by installing a modified system kernel. Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

      • (Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @08:29PM

        by Anonymous Coward on Sunday October 30 2016, @08:29PM (#420627)

        source?

        • (Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @08:48PM

          by Anonymous Coward on Sunday October 30 2016, @08:48PM (#420634)

          I think it is Stallman's "The Right to Read", certainly reads like Stallman's writing.

        • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @10:06PM

          by Anonymous Coward on Sunday October 30 2016, @10:06PM (#420666)

          Right to read [gnu.org]
          Richard Stallman, February 1997 issue of Communications of the ACM (Volume 40, Number 2)

      • (Score: 3, Informative) by NCommander on Monday October 31 2016, @05:12AM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday October 31 2016, @05:12AM (#420792) Homepage Journal

        While I personally disagree with rms on many points, I do think the worlds he outlined in Right to Read and such are disturbingly plausible in many ways. I just wish the FSF would stop shooting itself in the foot in many ways; the GPLv3 as a license is a disaster.

        (specifically, I don't mind the concepts desired in the GPLv3 itself, however, it's very difficult to read even being versed in software licensing and an above average legal understanding. The FSF could have gotten exactly the same effect with much clearer language. A layman can read the GPLv2 and completely understand it, not true of the GPLv3. For patent clauses, compare Apache 2.0 to GPLv3 and tell me which one actually is understandable on the first go. Furthermore, getting around the Tivoization requirements within the GPLv3 is relatively straightforward; virtualization can easily allow you to comply with the GPLv3 while running around the intent of the license.)

        --
        Still always moving
  • (Score: 2, Disagree) by takyon on Sunday October 30 2016, @05:07PM

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Sunday October 30 2016, @05:07PM (#420558) Journal

    The rise of catastrophic and hyped exploits targeting hundreds of millions of smartphones, PCs, and servers is exactly what the industry needed. Planned obsolescence is now forced obsolescence. Can't patch it? Good! Throw that two year old Android phone and Windows 7 box in the trash and get new ones. The world is too addicted to computers to cast them aside. Windows 11 adoption trending upward.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Insightful) by Ethanol-fueled on Sunday October 30 2016, @05:23PM

      by Ethanol-fueled (2792) on Sunday October 30 2016, @05:23PM (#420566) Homepage

      ..from my cold, dead hands. Especially after corporations begin explicitly forcing obsolescence and making you "lease" your gadget under threat of disabling it.

      And then there's the issue of both software and hardware "bugs" mandated or placed by government plants -- for example, Lenovo's beaconing. [freebeacon.com]

      All of you old 386 hoarders will be vindicated.

      • (Score: 2, Informative) by Anonymous Coward on Sunday October 30 2016, @11:13PM

        by Anonymous Coward on Sunday October 30 2016, @11:13PM (#420697)

        As a result of exactly this. The only exceptions (of which I am well aware of threats of) are Video cards, Hard Disks, and USB devices.

        Basically everything else is still based off hardware designs from the early PCIe era, or revisions thereof.

        The scary part to me is that NOBODY seems intent on servicing the niche of security conscious/authoritarian concerned citizens, of which there are certainly enough to fund at least hardware a generation or two old (performance-wise) that was made with open specs, unsigned (or user signed) firmware, etc. TPM/TXT/Management engines aren't in and of themselves a bad idea. The bad idea comes from permanently inserting an irreplaceable signing key inside of them, and disallowing the end-user/owner of the hardware from disabling/replacing that key with their own to ensure the security of their system to THEIR level of confidence, not the vendor's.

  • (Score: 1, Insightful) by Anonymous Coward on Sunday October 30 2016, @05:23PM

    by Anonymous Coward on Sunday October 30 2016, @05:23PM (#420565)

    Time to run Windows only in VMs?

    How is this a solution if the Windows gets owned anyway? If you rely on that Windows (which I assume you do since you go to the pain of running it - in a VM or not), you are now running a pwned Windows regardless of it being in a VM or not.
    This whole 'run it in a VM' is a non-answer because you still end up with a compromised environment.

    • (Score: 2, Informative) by Francis on Sunday October 30 2016, @05:35PM

      by Francis (5544) on Sunday October 30 2016, @05:35PM (#420569)

      It depends how you're running it. If you're only using a couple programs in there like I do, then there's not much damage they can do without breaking out of the VM. Most crackers aren't going to bother with that unless they're targeting me specifically. They'll get whatever they can out of the computer and if it doesn't give them much, they'll probably move on to the next computer.

      • (Score: 2) by Nerdfest on Sunday October 30 2016, @05:40PM

        by Nerdfest (80) on Sunday October 30 2016, @05:40PM (#420573)

        When I had a Windows VM, I generally reverted it back to a snapshot anyway, except for the times I ran it just to install updates. (As a side note, I'm amazed at how long it takes to install Windows updates, even without the repeated reboots that are sometimes required. Do they throttle their downloads to a trickle or something?)

        • (Score: 4, Interesting) by Anonymous Coward on Sunday October 30 2016, @05:49PM

          by Anonymous Coward on Sunday October 30 2016, @05:49PM (#420576)

          Nope, they reparse a gigantic dependency tree, spinlock, make repeated expensive calls to unchangeable metadata and do other anti-patterns.

        • (Score: 2) by Webweasel on Monday October 31 2016, @03:52PM

          by Webweasel (567) on Monday October 31 2016, @03:52PM (#420905) Homepage Journal

          There was quite a serious bug a year or two ago with windows updates on some servers.

          It would take around 7-8 hours to just load the list of updates, with one of the services (csrss.exe) pegged at 50% cpu.

          At the time, I was not happy about staying up till 5am trying to patch servers, but the overtime bill made up for it.

          --
          Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
      • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @05:40PM

        by Anonymous Coward on Sunday October 30 2016, @05:40PM (#420574)

        But those programs are usually things you use for work (why else do people use windows? It's because there's a thing they need for work that doesn't run on Wine) which means their value as a target (to you, that is, if you lose it) is high. So it's not so much about what any attacker gets out of it, it's what you lose if you suddenly get ransomwared...

        • (Score: 1) by Francis on Sunday October 30 2016, @05:53PM

          by Francis (5544) on Sunday October 30 2016, @05:53PM (#420579)

          There's a small number of programs I run that depend upon hardware drivers that don't exist outside of Windows and OSX.

          The DVD software I use to play my foreign language DVDs only exists on Windows, the scanners I use for scanning books and receipts only have drivers for OSX and Windows. And then there's some games, but those tend to either work with Wine or not at all, so I don't generally bother with those.

          But, for most folks, I don't think that having a Windows VM is really that useful. If you're just wanting a bit of extra security, a Linux VM does that just as well.

          • (Score: 1, Redundant) by aristarchus on Sunday October 30 2016, @07:54PM

            by aristarchus (2645) on Sunday October 30 2016, @07:54PM (#420617) Journal

            There are many things Francis does not know, but this:

            The DVD software I use to play my foreign language DVDs only exists on Windows, the scanners I use for scanning books and receipts only have drivers for OSX and Windows.

            is a major lacuna! Only on Windows? Ha! Scanners? Ha! What happened, did Francis take the Hairyfeet challenge and beg the question?

            • (Score: 2, Interesting) by Francis on Sunday October 30 2016, @08:55PM

              by Francis (5544) on Sunday October 30 2016, @08:55PM (#420636)

              OK, so now I know that the guy that's been trying to troll me is actually retarded.

              You're laughing at me, but you're not actually addressing the point at all. The scanner I use is a batch feeding model that is IRS approved for storage of tax documents, so I can throw the originals away after I have them backed up. I'm not going to throw out the scanner because it doesn't work in Linux when I have a perfectly good Windows install in a VM.

              And I haven't come across Linux software that gets around the hardware limitation on region coding.

              Now, if you'd like to pay for me to replace my scanner and pay for somebody to handle my books for me, then go ahead, but you can go fuck yourself if you can't be bothered to give a reasonable alternative. My flatbed scanner works quite well under Linux and pretty much everything else, but it doesn't really deal well with OCR and isn't IRS approved.

              • (Score: 3, Informative) by Bot on Sunday October 30 2016, @09:20PM

                by Bot (3902) on Sunday October 30 2016, @09:20PM (#420645) Journal

                DVD region coding? libdvdcss or something, decrypts DVDs. Of course it is illegal for anything else than reading your own DVD, and in some nazi places it is probably illegal for that, too.

                --
                Account abandoned.
                • (Score: 2, Troll) by Francis on Sunday October 30 2016, @09:29PM

                  by Francis (5544) on Sunday October 30 2016, @09:29PM (#420653)

                  IIRC, that one doesn't work. Or at least it didn't work for me last time I tried it. The optical drive is where that conversion takes place and it requires the drivers to cooperate and I couldn't get it to actually read the disc.

                  It might come down to which specific OS you're running it on, but I don't recall having had any luck with that in the past. The Windows only software is the only one I've found that worked for me.

                  • (Score: 2) by dry on Monday October 31 2016, @02:20AM

                    by dry (223) on Monday October 31 2016, @02:20AM (#420741) Journal

                    I had a DVD drive that didn't work with libdvdcss, replaced it and no more worries about region coding.

                    • (Score: 2) by Scruffy Beard 2 on Monday October 31 2016, @02:35AM

                      by Scruffy Beard 2 (6030) on Monday October 31 2016, @02:35AM (#420747)

                      To be clear: were you playing back DVDs from more than one region?

                      DVD drives are supposed to brick themselves if you change the region too often.

                      • (Score: 0) by Anonymous Coward on Monday October 31 2016, @03:38AM

                        by Anonymous Coward on Monday October 31 2016, @03:38AM (#420761)

                        Depends on the drive and firmware. There are two different levels of RPC. Level 1 understands codes and the copy protection and, in a bit of oversimplification, reports them to the OS to take care of. That means that you can ignore the regions at will with a proper driver in the OS. Level 2 enforces regions at a hardware level and usually, but not always, has a limit to the number of changes. However, a reflash can often reset the counter or downgrade a level 2 to level 1 or to "auto-reset" at a power cycle.

                        You can also get unlocked drives, or region killers or region faking, or other circumvention software and hardware to play anything. The cat is long out of the bag.

                      • (Score: 1) by Francis on Monday October 31 2016, @03:57AM

                        by Francis (5544) on Monday October 31 2016, @03:57AM (#420768)

                        Right, that's my personal problem. I like to watch DVDs in English, Mandarin and German and that typically requires something like 3 different drives because they don't generally sell German or Mandarin language DVDs in the US, so I usually have to import them as the discs aren't usually even available for sale in the US region.

                        Sometimes, you can get hacked firmware for the drive that ignores the region coding, but the region coding is relatively low level and requires interaction between the driver and the firmware to do. Linux apparently allows libdvdcss to do this and in my experience FreeBSD does not. Windows will, but you have to have special virtualization in order to do it.

                    • (Score: 1) by Francis on Monday October 31 2016, @03:51AM

                      by Francis (5544) on Monday October 31 2016, @03:51AM (#420765)

                      It works on Linux apparently, but not on FreeBSD. But, it doesn't make much sense to dual-boot to Linux versus just running Windows in a VM.

                • (Score: 2) by Scruffy Beard 2 on Monday October 31 2016, @02:32AM

                  by Scruffy Beard 2 (6030) on Monday October 31 2016, @02:32AM (#420746)

                  After DeCSS was released, region-coding was moved onto drive firmware [doom9.org] within a year.

                  It is cute that you think you own your computer!

                  • (Score: 0, Disagree) by Anonymous Coward on Monday October 31 2016, @09:09AM

                    by Anonymous Coward on Monday October 31 2016, @09:09AM (#420815)

                    After DeCSS was released, region-coding was moved onto drive firmware within a year.

                    "How dare you pay for your foreign DVDs, go download them from The Pirate Bay, or we brick your DVD drive".

              • (Score: 3, Troll) by aristarchus on Sunday October 30 2016, @09:27PM

                by aristarchus (2645) on Sunday October 30 2016, @09:27PM (#420649) Journal

                You are not going to know this, or even believe it, but there is standard software called SANE that runs scanners, fairly standardized, nothing like twenty years ago when it was all proprietary. And of course you realize, just mentioning the IRS has scam all over it. What model, precisely, is it that you can't get to work under linux? And what kernels and modules did you try to use? The fact you could not figure out DVD region encoding without windowes does not bode well, my dear unerudite Francis.

                • (Score: 1) by Francis on Sunday October 30 2016, @09:42PM

                  by Francis (5544) on Sunday October 30 2016, @09:42PM (#420656)

                  Sigh, more name calling and no actual useful information.

                  First off, I'm familiar with SANE, I've used it in the past and it works fine for basic flatbed functionality. It does not handle document feeders, OCR, organization and it does not result in a copy that's accepted by the IRS during audits. Plus, there are better options anyways. It's something that kind of works for simple things, but not if you've got more complicated things you want to do.

                  As far as DVD region encoding goes, why should I waste time looking for a solution when I have one that works? I have the software it works reliably on my computer, why on earth should I waste time looking for another solution that may or may not work when I've got one that does?

                  I'm a bit surprised that you're willing to post this bullshit under your name.

                  • (Score: 2, Troll) by aristarchus on Sunday October 30 2016, @09:52PM

                    by aristarchus (2645) on Sunday October 30 2016, @09:52PM (#420662) Journal

                    I'm a bit surprised that you're willing to post this bullshit under your name.

                    Feeling is mutual. Aren't you just the slightest bit embarrassed to admit such ignorance on a moderately techie site?

                    I have the software it works reliably on my computer, why on earth should I waste time looking for another solution that may or may not work when I've got one that does?

                    So, how much does Micro$erft pay you, or are you truly so unaware of what software is, how operating systems work, and how in the current instance, if you have read the Fine Article, Windows is totally hosed. Works reliably? Are we supposed to take this as a joke?

                    I was just trying to help liberate you from bondage, Francis, but you know, the first step is realizing you are enslaved. It is something you should know.

                    • (Score: 0, Flamebait) by Francis on Monday October 31 2016, @04:03AM

                      by Francis (5544) on Monday October 31 2016, @04:03AM (#420771)

                      No, you're being an asshole. People like you are why I use FreeBSD rather than Linux as my primary install. I just want a system that works reliably without the zealotry.

                      I did the research on this stuff at the time that I decided what software I was going to use and I don't see any reason why I should stop using what works for me. Nothing you've recommended does what my current set up does on my machine. I don't see any purpose in setting aside the stuff I bought back when I was dual-booting between Windows and FreeBSD just because I've got my Windows install loaded into a VM.

                      Nothing you've suggested is anywhere near as functional as what I'm currently using.

                      Also, I think it's cute that you think I care what you think of me. All you've done in this thread is make an ass of yourself.

                      • (Score: 2, Informative) by aristarchus on Monday October 31 2016, @06:09AM

                        by aristarchus (2645) on Monday October 31 2016, @06:09AM (#420797) Journal

                        Nothing you've recommended does what my current set up does on my machine. I don't see any purpose in setting aside the stuff I bought back when I was dual-booting between Windows and FreeBSD just because I've got my Windows install loaded into a VM.

                        Nothing you've suggested is anywhere near as functional as what I'm currently using.

                        Francis, my poor Francis! You have admitted to running Windows because you did not know what else to do. I never suggested any solutions, since you did not provide enough details to see what your problem was, other than that you were running Windows. And it is funny how, whenever I try to assist you, as opposed to anyone else on SoylentNews, I get modded down. Hmm. Well, that is it. It is war, Francis! I will follow you, and every post you make I will mod down mercilessly! I will taunt you as an AC, and I will imitate your username on other fora across the internet until you realize the errors of your ways and apologize for posting totally ignorant things here on SoylentNews. Deal?

                        • (Score: 1, Informative) by Anonymous Coward on Monday October 31 2016, @02:46PM

                          by Anonymous Coward on Monday October 31 2016, @02:46PM (#420878)

                          It's not just Francis. I mod you down too, especially because of pointless dickwaving posts like this.

                          • (Score: 3, Funny) by aristarchus on Monday October 31 2016, @04:16PM

                            by aristarchus (2645) on Monday October 31 2016, @04:16PM (#420916) Journal

                            Francis! Posting as AC and calling yourself "not just Francis" does not mean you are not just Francis! You're not fooling anyone, you know!

                            • (Score: 0) by Anonymous Coward on Monday October 31 2016, @05:38PM

                              by Anonymous Coward on Monday October 31 2016, @05:38PM (#420944)

                              Just keep telling yourself that.

                              • (Score: 0) by Anonymous Coward on Monday October 31 2016, @06:33PM

                                by Anonymous Coward on Monday October 31 2016, @06:33PM (#420961)

                                Aristarchus is right! You can't just hide behind AC, Francis! Maybe if you knew how scanner drivers and DVD drives worked, you might have a chance to pull it off, but this is just too obvious.

                      • (Score: 0) by Anonymous Coward on Tuesday November 01 2016, @03:00AM

                        by Anonymous Coward on Tuesday November 01 2016, @03:00AM (#421109)

                        that's b/c you're a hooker.

                        • (Score: 0) by Anonymous Coward on Tuesday November 01 2016, @09:07AM

                          by Anonymous Coward on Tuesday November 01 2016, @09:07AM (#421176)

                          that's b/c you're hooked.

                          FTFY! Trolling, trolling, over the deep blue sea! I just wonder, if you know it's me?

                  • (Score: 3, Informative) by frojack on Sunday October 30 2016, @10:07PM

                    by frojack (1554) on Sunday October 30 2016, @10:07PM (#420667) Journal

                    It does not handle document feeders, OCR, organization and it does not result in a copy that's accepted by the IRS during audits.

                    It does handle document feeders. (I use this all the time)
                    It does handle OCR, I use this also.
                    It does handle organizations, I don't use this a lot but I do use it occasionally
                    And it can result in a perfect PDF copy as well as the original images available if you want them.

                    The fact that nobody uses it that way for all those things is beside the point. Its also not the only scanner software available for linux.

                    But the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support. New scanners from large companies now tend to release drivers for opensource concurrently with Windows. Especially the network attached scanners.

                    And the IRS requirements are not particularly onerous. The IRS has allowed taxpayers to use electronic receipts as documentary evidence since 1997.

                    --
                    No, you are mistaken. I've always had this sig.
                    • (Score: 2, Redundant) by aristarchus on Sunday October 30 2016, @10:17PM

                      by aristarchus (2645) on Sunday October 30 2016, @10:17PM (#420672) Journal

                      Truly, this frojack knows a few things.

                    • (Score: 1, Informative) by Anonymous Coward on Monday October 31 2016, @02:11AM

                      by Anonymous Coward on Monday October 31 2016, @02:11AM (#420739)

                      ISTM that Francis is working on decade-old datapoints.

                      Had he sought out local Linux people, I'll bet his "Nuh-uh"s would have already been turned to "Oh, wow"s.

                      In his area, perhaps there is a Linux Users Group. [google.com]

                      If not that, maybe an individual.
                      I've suggested before getting up with a Linux guy for hands-on help. [soylentnews.org]

                      the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support

                      If device drivers truly don't exist for his hardware, there are HUNDREDS of guys waiting in line to make more stuff Linux-compatible.
                      Why Linux Has The Best Hardware Support Of Any OS (The Linux Driver Project) [googleusercontent.com] (orig) [lwn.net]
                      (The significant text is found at "300".)

                      If the Linux Driver Project guys can get their hands on it, a piece of the gear should have Linux support in no time.
                      If the particular item isn't especially popular but the user can find a cluster of other folks who are interested in using it under Linux, that should help convince the LDP guys to support it.
                      Putting a bounty on the driver might be further stimulus.

                      ...and, before anyone mentions games, we're still talking about being forced to use company-provided stuff in a work environment. Right?

                      -- OriginalOwner_ [soylentnews.org]

                    • (Score: 0, Troll) by Francis on Monday October 31 2016, @04:06AM

                      by Francis (5544) on Monday October 31 2016, @04:06AM (#420772)

                      I've tried opensource OCR and I've yet to find one that works well. Certainly not well enough for me to ditch my current system for.

                      IIRC, the best software I came across was Tesseract, but that didn't work very well for the things I was scanning. It's probably better now than then, but I don't see much point in dumping software and hardware I already have just to use open source. I've ditched most of the software I used to use for equivalents and that's worked fine, but as long as I can run the few remaining pieces of software in a VM, I don't see much purpose to ditching it for the sake of ditching it.

                      And even if I do ditch it, then I have to go back to retaining all my receipts and similar in order to do my taxes, which greatly reduces the point of using my neat receipts in the first place.

              • (Score: 3, Funny) by tangomargarine on Monday October 31 2016, @02:41PM

                by tangomargarine (667) on Monday October 31 2016, @02:41PM (#420875)

                He's not retarded, it's just that 75% of his posts are trollish non-answers as demonstrated, role-playing an ancient Greek philosopher.

                I don't really get it either.

                --
                "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
                • (Score: 2, Funny) by aristarchus on Monday October 31 2016, @04:29PM

                  by aristarchus (2645) on Monday October 31 2016, @04:29PM (#420919) Journal

                  That's OK, tango, you are not meant to get it. Some things may be beyond your comprehension. You should get used to it.

    • (Score: 4, Informative) by SomeGuy on Sunday October 30 2016, @05:36PM

      by SomeGuy (5632) on Sunday October 30 2016, @05:36PM (#420570)

      This whole 'run it in a VM' is a non-answer because you still end up with a compromised environment.

      That normally gets rolled back to a pre-compromised state when you are done using it.

      • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @05:38PM

        by Anonymous Coward on Sunday October 30 2016, @05:38PM (#420572)

        Show me someone who actually does this. Show me an actual real person who does this.
        No-one I know does this because "I just bookmarked a page in stupid Edge and I don't want to lose it"

        • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @06:52PM

          by Anonymous Coward on Sunday October 30 2016, @06:52PM (#420597)

          I do it. My parents do it, too. Thanks to Patch Tuesday, it doesn't really matter what day you run your machine as most software gets patched on the same day. In fact, it is really easy to do nowadays due to bookmark and favorite sync services.

        • (Score: 2) by tangomargarine on Monday October 31 2016, @02:39PM

          by tangomargarine (667) on Monday October 31 2016, @02:39PM (#420871)

          With Firefox it would be trivial to export your bookmarks to an HTML file, store it on a VM network drive, and read it back in after reverting in that situation.

          "Because nobody takes security sufficiently seriously neither should you" is a rather odd argument to use.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Insightful) by len_harms on Sunday October 30 2016, @06:51PM

      by len_harms (1904) on Sunday October 30 2016, @06:51PM (#420595) Journal

      VM becomes useful because of the idea of rollback and snapshots. Basically cleanup and restore is a snap.

      However, if you are dependent on the data residing inside that VM like you point out VM does not do much for you.

      Just depends on your use case.

      • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @08:31PM

        by Anonymous Coward on Sunday October 30 2016, @08:31PM (#420628)

        One thing you can do to mitigate that is to use a network operating system or the built-in software that lets you mount a local folder in the virtual machine.

  • (Score: 2) by archfeld on Sunday October 30 2016, @07:08PM

    by archfeld (4650) <treboreel@live.com> on Sunday October 30 2016, @07:08PM (#420602) Journal

    So as I read, 'the malicious program writes malicious code'... Where does the end user get the malicious program from ? Is it compromised when coming from the publisher, or does someone have to download something stupid from a compromised site ?

    This seems another case of over hype, any computer is vulnerable if I can get access to the physical machine or console.

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
    • (Score: 3, Informative) by frojack on Sunday October 30 2016, @08:33PM

      by frojack (1554) on Sunday October 30 2016, @08:33PM (#420630) Journal

      So as I read, 'the malicious program writes malicious code'... Where does the end user get the malicious program from ? Is it compromised when coming from the publisher, or does someone have to download something stupid from a compromised site ?

      True, even having a fistful of malicious code that you can't instantiate any other way, you still can't stuff it in an atom without some pre-existing atom stuffing code already on the target machine. And if you can sneak THAT onto the target, you could sneak an exploit far easier than using this routine. To that extent this story is hype.

      The risk here is that someone will write an atom stuffer and plant it in some useful program (or java jar) and then sit back and exploit it weeks or months later.

      Atoms are usually used by software to record that some other condition exists, so it can be tested later, by other processes.

      One of the most common is for one instance of a program to set a flag to let another instance know that it has already been started, thereby preventing duplicate processes, or limiting concurrent connections, etc.

      The problem is that Microsoft lets you store quite a bit of stuff in an atom and has no rules about cleanup, or usage. They were meant to be simple flags or a word or a few bytes of data.

      Atom Basics [microsoft.com]
      These (exist in one form or another) in EVERY Operating system, because they are a very useful tool. When you run into the need for one of these you quickly find out that nothing else will quite do the job you need done.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @11:54PM

        by Anonymous Coward on Sunday October 30 2016, @11:54PM (#420711)

        You can't plant the atom in a different program or anything of the sort, as atoms are run-time structures (essentially, an interned string). It basically makes string comparisons (possibly across multiple processes) fast by converting it to a number.

        In the described case, you can use it to pass data across processes by passing the number around instead of the actual data. But that means you already have code on the retrieving side, so it's only useful for covert data transfer (but you still need to be able to transfer an integer instead of the whole original string).

        The "already started" case I've seen would instead hold a mutex [microsoft.com] instead, with an explicit name [microsoft.com]. Also a global runtime-only object, but one that goes away when your process exits (which means starting a new instance after your last instance quits will do the correct thing).

    • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @08:38PM

      by Anonymous Coward on Sunday October 30 2016, @08:38PM (#420632)

      It is total overhype. The "exploit" is basically "if I run an application it can make API calls". I bet this "exploit" was submitted to M$ who shot it down and the "researchers" got butthurt so they decided to spam about it everywhere.

      • (Score: 1, Funny) by Anonymous Coward on Sunday October 30 2016, @10:42PM

        by Anonymous Coward on Sunday October 30 2016, @10:42PM (#420685)

        I should submit a research paper to window companies that if I throw a brick at a glass window it might break the window.

  • (Score: 4, Informative) by len_harms on Sunday October 30 2016, @07:41PM

    by len_harms (1904) on Sunday October 30 2016, @07:41PM (#420613) Journal

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx [microsoft.com]
    https://msdn.microsoft.com/en-us/library/windows/desktop/ff468795(v=vs.85).aspx [microsoft.com]

    Been a while since I had messed with them so I had to go refresh myself on what they were. It is a leftover from DDE and windows 3.x. Not sure how much people use it anymore. There are much better interprocess calls to use.

    Basically ATOMs are a storage of either strings (binary data) or integers for IPC. He is using the ATOM table to basically hold the exploit code. Much like using a file system. He is just using a little-known feature of windows to store data.

    The supposition that MS and virus scanners cannot scan the ATOM tables is silly. They control the API and the kernel has total control of the system. MS could easily add a 'get atom table' function with a call back into the viruscanner when someone calls add or just add a hook like all the other functions virus scanners keep an eye on. https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx [microsoft.com]

    It is an interesting place to store data, that is for sure. I can think of 2 or 3 other places like that in windows you could squirrel away data. Even apple had a similar exploit recently they just fixed where data could be manipulated by a global structure.

    • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @07:54PM

      by Anonymous Coward on Sunday October 30 2016, @07:54PM (#420618)

      HIPS kernel drivers can just hook the API globally, Microsoft doesn't even need to offer this functionality because it's already present.

      • (Score: 0) by Anonymous Coward on Monday October 31 2016, @12:10AM

        by Anonymous Coward on Monday October 31 2016, @12:10AM (#420718)

        True. However I think MS tends to discourage that way as it is easy to create a BSOD with it. As you are running at the kernel level and if you bug out you can take out the whole thing. It would be better to get MS to add to their existing API to hook it. https://msdn.microsoft.com/en-us/library/windows/hardware/dn613955(v=vs.85).aspx [microsoft.com]

  • (Score: 0) by Anonymous Coward on Monday October 31 2016, @02:08AM

    by Anonymous Coward on Monday October 31 2016, @02:08AM (#420738)

    Most Windows core server APIs have an LPSECURITY_ATTRIBUTES parameter, which takes an optional security descriptor as an argument. The presence of this argument means that the kernel will check authorization when the call is made; if that fails, the error E_ACCESSDENIED is returned.

    These researchers noticed that GlobalAddAtom is not checked for authorization, which makes sense because the global atom table is a "community" resource available to all apps on the system. They also noticed that QueueUserAPC (the other key part of their exploit) has this funky writeup in Microsoft's doc:

    QueueUserAPC function

    Adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread.
    ...
    Remarks

    The APC support provided in the operating system allows an application to queue an APC object to a thread. To ensure successful execution of functions used by the APC, APCs should be queued only to threads in the caller's process.

    Note Queuing APCs to threads outside the caller's process is not recommended for a number of reasons. DLL rebasing can cause the addresses of functions used by the APC to be incorrect when the functions are executed outside the caller's process. Similarly, if a 64-bit process queues an APC to a 32-bit process or vice versa, addresses will be incorrect and the application will crash. Other factors can prevent successful function execution, even if the address is known.

    Each thread has its own APC queue. The queuing of an APC is a request for the thread to call the APC function. The operating system issues a software interrupt to direct the thread to call the APC function.

    Describing something as being "not recommended", of course, is like putting a flimsy lock on a bike. It's an invitation for a break-in.

    So it could be that Microsoft's drive through the '90s to "making it easier" for developers to insert crazy hooks into the system is once again coming back to bite them.
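The following script is an added example for this thread; it is not code from the article, from the enSilo researchers or from Microsoft. It exercises the two properties the comments above argue about: frojack's point that an atom used as a "running" flag has no cleanup rule (contrast the named mutex the Anonymous Coward recommends, which the kernel releases when the process exits), and the last comment's point that GlobalAddAtom takes no security descriptor, so any process in the same window station that knows the 16-bit atom number can read the string back with GlobalGetAtomName. The reading side here is a cooperating child process, which is exactly the "you still need code on the retrieving side" caveat raised above; no APC is queued into anything. The class name AtomApi, the flag name SoylentDemo.Running, the sample text and the throw-away child script in %TEMP% are all constructed for the example.

```powershell
# Added example, not code from the article or the researchers.
# P/Invoke surface for the four documented global atom calls.
$atomApi = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class AtomApi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalAddAtom(string lpString);      // no LPSECURITY_ATTRIBUTES
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalFindAtom(string lpString);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GlobalGetAtomName(ushort nAtom, StringBuilder lpBuffer, int nSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern ushort GlobalDeleteAtom(ushort nAtom);
}
'@
Add-Type -TypeDefinition $atomApi

$flagName  = 'SoylentDemo.Running'                      # assumed flag name
$childPath = Join-Path $env:TEMP 'atom-demo-child.ps1'  # throw-away child script

# Child process: 'flag' mode sets an atom flag plus a named mutex and exits;
# 'read' mode resolves the atom numbers it is handed back to strings.
$childLines = @(
    'param([string]$Mode, [string]$AtomList = "")',
    'Add-Type -TypeDefinition @'''
) + ($atomApi -split "`r?`n") + @(
    '''@',
    'if ($Mode -eq ''flag'') {',
    "    [void][AtomApi]::GlobalAddAtom('$flagName')",
    "    `$m = New-Object System.Threading.Mutex(`$false, '$flagName')",
    '    exit 0   # mutex handle is closed on exit; the atom stays in the table',
    '}',
    '$sb = New-Object System.Text.StringBuilder 256',
    'foreach ($a in ($AtomList -split '','')) {',
    '    [void]$sb.Clear()',
    '    $n = [AtomApi]::GlobalGetAtomName([uint16]$a, $sb, 256)',
    '    Write-Output $sb.ToString(0, [int]$n)',
    '}'
)
Set-Content -Path $childPath -Value $childLines

function Invoke-Child { param([string[]]$ChildArgs)
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $childPath $ChildArgs
}

function Test-StaleFlags {
    # Let a child set both flags and die, then see which one survives it.
    Invoke-Child @('flag') | Out-Null
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($false, $flagName, [ref]$createdNew)
    $m.Dispose()
    [pscustomobject]@{
        # MSDN: global atoms are not deleted automatically when the application terminates.
        AtomFlagStillSet = ([AtomApi]::GlobalFindAtom($flagName) -ne 0)   # expected True
        MutexStillExists = (-not $createdNew)                               # expected False
    }
}

function Write-AtomChunks { param([string]$Text)
    # An atom string holds at most 255 characters and string atoms are numbered
    # 0xC000-0xFFFF, so longer data must be split across several atoms.
    $atoms = @()
    for ($i = 0; $i -lt $Text.Length; $i += 255) {
        $chunk = $Text.Substring($i, [Math]::Min(255, $Text.Length - $i))
        $atom  = [AtomApi]::GlobalAddAtom($chunk)
        if ($atom -eq 0) { throw "GlobalAddAtom failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
        $atoms += $atom
    }
    return ,$atoms
}

function Test-CrossProcessRead {
    $text  = ('The quick brown fox jumps over the lazy dog. ' * 9).Trim()   # constructed, 404 chars
    $atoms = Write-AtomChunks $text
    # Only the atom numbers cross the process boundary; the child holds no handle
    # to this process and no access check is applied to its reads.
    $back  = (Invoke-Child @('read', ($atoms -join ','))) -join ''
    foreach ($a in $atoms) { [void][AtomApi]::GlobalDeleteAtom($a) }      # one delete per add
    [pscustomobject]@{ AtomCount = $atoms.Count; RoundTripOk = ($back -eq $text) }
}

Test-StaleFlags
Test-CrossProcessRead
[void][AtomApi]::GlobalDeleteAtom([AtomApi]::GlobalFindAtom($flagName))   # remove the stale flag
Remove-Item $childPath
```

Run it from a normal (non-elevated) PowerShell prompt; both processes share the interactive window station, which is the scope of the global atom table. The first object should report AtomFlagStillSet True and MutexStillExists False, the second AtomCount 2 and RoundTripOk True. Note that the script cleans up after itself with GlobalDeleteAtom; a program that forgets to does not just leak a few bytes, it consumes one of the 16K string atom slots for the life of the session, which is the cleanup problem frojack describes.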