
Quote: Originally Posted by Adamd
I have a question.
Has Microsoft really cut down on the amount of crap Vista can get over XP?
Like the Spyware and Viruses or just got around it by adding in protection?
ASLR (Address Space Layout Randomization), UAC, Windows Firewall Outbound Protection, Windows Defender, and a few hundred other hidden changes basically stop most spyware and adware from infecting a Vista system

You can see from the kernel vulnerability above that you need UAC disabled or the application elevated to admin (if UAC is enabled) to use this hack...
I will try to explain why UAC prevents this flaw... They added Integrity Level tags to each programming object, FileSystem Object and API. For an application to use these objects it must specify its access and its Integrity Level when you launch the application... (1) or (2) or (3), but it can't be more than one at runtime..
Here is a basic example and the principles of how UAC works and protects users: (the best I can explain them anyway)
Trusted Installer or Kernel Access aka XP Compatibility mode = 0
System & Admin accounts = 1
User = 2
Guest = 3
Guest(3) and User(2) cannot talk to System or Admin(1) Protected Objects, FileSystem Objects or APIs without UAC permission(1)...
System and Admin Accounts(1) can talk to User(2) and Guest(3) Objects since they're elevated...
System and Admin Accounts(1) after logging on by default use User Access(2) until the application or function is elevated by UAC(1)... unless UAC is disabled, then it uses TrustedInstaller & Kernel Access aka XP Compat mode(0)....
Guest(3) and User Accounts(2) by default use their Access level until elevated by UAC(1)
TrustedInstaller & KernelAccess aka XP Compat mode(0) protects all System Files, System Objects and Elevation APIs from Admins with UAC Enabled(2), also Users(2) and Guests(3), until that application is elevated(1)
This flaw needs direct access to the Networking Stack(0) to call an invalid network subnet mask(1), so having UAC enabled and running as Admin means you're running as User(2) until that process or exploit is elevated(1)
No Applications need (0) Level Access, so Microsoft was able to use UAC to set System Files with Access(1), the System and Admin groups as (2) by default, and give you the choice of elevating an application(1) if it did require access.
The highest Access is reserved for TrustedInstaller & KernelAccess aka XP Compat mode(0)...
It only gives Read Access to System & Admin (1), Read Access to Users(2) and Read Access to Guests(3) until ownership of that XP Compat mode(0) is taken by System & Admin (1) and if that admin chooses it can then be given to Users (2) or Guests (3)
Internet Explorer runs as (1) but Firefox runs as (2), so a Firefox flaw can be exploited to exploit this flaw(0) and gain admin(1); the same is said for Flash because it runs with (2)...
Many other System objects run with (2) by default when UAC is enabled, but if it's disabled then they run with the Highest Access of (0)
I may have explained this in a way more complicated than it has to be, but it works really well and it's as easy as specifying the access level you require at runtime (by default (2) unless elevation is required(1)), but it cannot be done automatically without the user's permission. It can't be done remotely because all System Components run with (2) access unless you have UAC disabled, then everything runs with (0)
You just see an "annoying" prompt, however it's making sure you have access to that object, that the object was not requested remotely, and making sure it wasn't an automated prompt
It also doesn't mean Microsoft don't fix these flaws, because they still represent a Security Flaw and problem under specific circumstances. It means using UAC gives them a few weeks to design and test a reliable solution that solves the problem once and for all without breaking anything or rushing out an untested and problematic patch that can cause more problems... while leaving you protected (unless you always click Continue on UAC prompts without checking the cause and completely defeat the purpose of UAC)
Antivirus software is reactive to threats, so the programmer can just keep changing his application's signature every time it starts detecting it while continuing to exploit the flaw. UAC was mainly designed to "fill the gap" and harden the system from remote and local user exploits
These technologies and over a hundred more built into every API and System Object give Vista the smallest Attack Surface of any Windows OS ever made and secure the system damn well. I was talking with another moderator here, JohnGalt, about this when he mentioned some "Hack the Workstation" competition in the US last year where Apple's OSX 10.5 security was bypassed in two minutes using two lines of AppleScript to gain a root shell (it has been vulnerable to this since 2000 and still is vulnerable to this day). Vista had taken two days to bypass, thwarting nearly all exploits, and Linux on the same day but a few hours later, thwarting nearly all exploits...
That was last year; the improvements since then have made it harder to exploit anything since a few more flaws were found and patched, but it's hundreds less than XP or other Windows OS releases at the same time period after being RTM
I think they did the impossible with UAC and brought Linux security to Windows.. In the future they will eventually prevent Spyware/Malware or trojans from taking over your system, but this will take time until developers stop using insecure code and start using tags on their Objects to prevent exploits
Microsoft must have seen Chopper Reid down here in Australia and got annoyed with Linux being more secure, so they decided to "Harden the **** up"
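The post's central point is that with UAC on, even an administrator's processes start on a filtered, non-elevated token and only gain full rights after a UAC prompt. The PowerShell script below is an added example (not code from the original post or from Microsoft) that lets a defender verify that state on a machine: it reads the UAC policy values from the registry, reports the mandatory integrity label of the current process token, and detects whether the token is the filtered half of a split administrator token. It assumes Windows Vista or later. Note that Windows names its integrity labels Low, Medium, High and System (the `S-1-16-*` SIDs in the table), which is a different numbering from the 0 to 3 scheme used in the post.

```powershell
# Added example, not code from the original post. Inspect UAC policy and the
# integrity level / token state of the current PowerShell process.
# Assumes Windows Vista or later; the SIDs below are Windows' own mandatory
# label SIDs (RID = integrity level), not the post's 0-3 numbering.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$IntegrityNames = @{
    'S-1-16-0'     = 'Untrusted'
    'S-1-16-4096'  = 'Low'          # e.g. Protected Mode Internet Explorer
    'S-1-16-8192'  = 'Medium'       # standard users and filtered (non-elevated) admin tokens
    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High'         # administrator after UAC elevation
    'S-1-16-16384' = 'System'       # services running as LocalSystem
}

function Get-UacPolicy {
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 means
    # administrators are elevated silently, which is effectively UAC off for them.
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
        # Silent elevation for admins is the weak setting worth flagging.
        AdminsElevateSilently = ($p.EnableLUA -ne 1) -or ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-TokenIntegrity {
    # whoami lists the token's mandatory label as an entry of type "Label".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isElevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User           = $identity.Name
        IntegritySid   = $label.SID
        IntegrityLevel = $IntegrityNames[$label.SID]
        # With UAC on, BUILTIN\Administrators appears as "Group used for deny only"
        # in the non-elevated token: the user is an admin but is not running as one.
        FilteredAdmin  = ($null -ne $admins) -and ($admins.Attributes -match 'deny only')
        Elevated       = $isElevated
    }
}

Get-UacPolicy
Get-TokenIntegrity
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator": on a UAC-enabled machine the first run reports `Medium` integrity with `FilteredAdmin` true and `Elevated` false, the second reports `High` with `Elevated` true. If the first run already shows `High`, or `AdminsElevateSilently` is true, the protection the post describes is not in effect on that host.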