
Windows hole discovered after 17 years - dragonquest
http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-908917.html
======
tptacek
This is Tavis's "thing" (one of them, at least); he's better known for fuzzing
the device virtualization code in VMware and Xen and finding hypervisor
escapes. I'm not even a little surprised that he found privilege escalation in
VDM.

It's a cool bug, but it's a bit strange to see it get written up like this,
because it doesn't matter a whole lot. On most Windows machines, if you have a
normal user account, you have everything you need; in corporate environments,
if you have one admin password you probably have all of them; in servers, the
user account you bust is probably a local admin.

~~~
tptacek
Also: very worth reading Tavis' advisory:

[http://archives.neohapsis.com/archives/fulldisclosure/2010-0...](http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html)

This is an awesome bug; he had to use CreateRemoteThread to jump into a
process with special permissions, then exploit the difference in the way
segment selectors are handled from normal 32 bit code and simulated real mode,
and finally write code that would make the iret instruction fail to get a trap
frame to play with.

------
Mark_B
"Discovered" or "finally made public" after 17 years. Security holes are in a
lot of things, but I can't believe that this wasn't found sooner by people who
would use it for nefarious purposes and kept under wraps.

------
DocSavage
It's also interesting that the exploit was found by a Google employee who was
designated #1 in the top 15 Most Influential People in Security.
[http://www.eweek.com/c/a/Security/The-15-Most-Influential-Pe...](http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/)

With the resources both Google and Microsoft have at their disposal, I wonder
if it's worth having a few employees discovering security flaws in your
opponent's platform.

~~~
pbhjpbhj
Knowing about opponents' security flaws is an awesomely powerful
publicity/propaganda tool. MS releases something on how IE8 is just as secure
as Chrome (browser) and Google counter-releases how it's got a hole the size of
the Great Rift that's been inherited right back from IE6...

~~~
tptacek
No, I really doubt Google would do that. For one thing, it's not done. For
another, Google would lose that fight, badly; they are severely outgunned on
this front.

~~~
pbhjpbhj
Why is it not done to call out opponents when they make huge claims that are
patently not true? Haven't Mac used this in their "I'm a Mac" advertising
campaign (albeit hiding behind "PC" rather than saying "Windows PC")?

Google would lose because they make big claims about security and their
opponents know about lots of security flaws??

~~~
tptacek
What's not done is for software vendors to drag out specific vulnerabilities
--- I would say "particularly vulnerabilities they themselves uncovered", but
that's never happened --- and use them to market competing software.

Why? Because Google and Microsoft have a lot more to fear from 4 person
companies spending 90% of their time researching vulnerabilities than they do
from each other, and waving flaws around as if they were some kind of point
score concedes a huge marketing point.

Google would lose because Microsoft outspends Google _significantly_ on
vulnerability research. This particular arms race is never going to happen,
but if it did, Microsoft would win it.

~~~
rbanffy
"but if it did, Microsoft would win it."

There is a difference. It's much easier to upgrade Google's applications than
Microsoft's. When Google patches Gmail, it takes a couple minutes for me to
enjoy my corrected version. When Microsoft issues a correction, it could take
weeks until it hits the Windows Update servers and that could easily turn into
months before many businesses incorporate it into their update sets.

It's not only the size of the attack surface, but the time it remains open.
There is also a huge factor in public perception - people perceive their
computers as imperfect mostly because they are astonishingly unreliable. If
Google can make people happier with their computers and web applications than
they are with Windows and desktop apps, Microsoft will have a huge problem
that may not be solvable by throwing money and people at it.

~~~
tptacek
What does any of this have to do with the discussion? Google is not going to
start using individual security findings as marketing collateral.

~~~
rbanffy
but if it did, the outcome would not be as certain as you stated.

~~~
tptacek
You sound awfully sure of yourself. You must know a lot of things about
product security that I don't. Would love to hear them sometime.

~~~
rbanffy
It's not about security. It's about perception. If something makes people more
comfortable with web applications than with desktop applications (and a
"Windows is inherently insecure and broken" perception would do a lot for
that) Microsoft will have a problem they probably will not be able to deal
with in time.

Remember Google has deep pockets and less legacy to protect. They can move
fast.

Microsoft has a very complicated entanglement of obligations and expectations
they will have a hard time compromising. The perception of a rule-changing
development is incredibly dangerous for them, and giving mixed messages about
which way their corporate clients should go with their IT infrastructure won't
help either.

Why do you think Microsoft would end up in advantage after such a
confrontation?

------
ars
I wonder if this affects OS/2 as well.

~~~
ars
I emailed him (Tavis Ormandy) and asked. If I get a reply I'll post it here.

------
TallGuyShort
Their update states that there is no Group Policy Manager outside of Windows
2003 - however the "God Mode" hack for Windows 7 supplies this option without
the need for messing with registry keys. Just create a folder on the desktop
with the name "GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}" and the Group
Policy Manager can be accessed under "Administrative Tools".

------
nanijoe
What else did they find? That DOS has problems with memory management?

Advances in technology are bound to expose flaws in older products, so what's
the news here?

~~~
ams6110
I don't think this is a bad observation. My slant on it is, if you are
maintaining backwards compatibility to a point in time where these things just
didn't matter, because only one person used the machine, there were no
multiple user accounts, and the machine was not on a network... it's
unsurprising that such an environment would be rife with security holes. Not
saying it's acceptable, just that it's not surprising.

Edit: and it appears there's an effective way to mitigate this, disable the
16-bit support in group policy.
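As an added example (not from the thread or from Microsoft), here is a small PowerShell audit for the mitigation mentioned above: it reports whether the "Prevent access to 16-bit applications" policy is in force and can enforce it. It assumes that policy is backed by the registry value `VDMDisallowed` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat`, and that 16-bit support (NTVDM) only exists on 32-bit Windows.

```powershell
# Added example: audit / enforce the Group Policy setting that disables
# 16-bit (NTVDM) support. Assumption: the policy is stored as the DWORD
# value below; 1 means 16-bit applications are blocked.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-Ntvdm16BitStatus {
    # Returns one of: NotApplicable (64-bit Windows has no NTVDM),
    # Blocked, Allowed (explicitly 0) or NotConfigured (policy never set).
    $is32BitOs = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and
                 (-not $env:PROCESSOR_ARCHITEW6432)
    if (-not $is32BitOs) { return 'NotApplicable' }

    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1)    { return 'Blocked' }
    return 'Allowed'
}

function Set-Ntvdm16BitBlocked {
    # Needs an elevated prompt. Creates the policy key if it does not exist
    # and sets the value so NTVDM refuses to start 16-bit programs.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
                     -Value 1 -Force | Out-Null
}

# Usage: report, and enforce only when 16-bit support is still reachable.
$status = Get-Ntvdm16BitStatus
Write-Output "16-bit (NTVDM) support: $status"
if ($status -in 'Allowed', 'NotConfigured') {
    Set-Ntvdm16BitBlocked
    Write-Output "Now: $(Get-Ntvdm16BitStatus)"
}
```

A Group Policy refresh (`gpupdate /force`) or reboot is still needed on domain-joined machines so the central policy, not this local value, is what ends up in effect.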

~~~
tptacek
In that sense Unix retains compatibility with the '70s.

Operating systems are rife with security flaws. Uniformly.

~~~
rbanffy
Maybe, but the kind of backwards compatibility Windows offers is very unique.
It's like being able to run Apple III software natively on a modern Macintosh.
;-)

I think IBM can provide a mainframe fresh off the assembly line that can run
70's software.

Most amazingly, many do.

