
Bypassing Windows 10's Protections Using a Single Bit - 2510c39011c5
http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit/
======
Animats
When your OS kernel handles scroll bars, you're doing something wrong.

NT 3.5 had the GUI entirely outside the kernel. For compatibility with Windows
95, much of the Windows 95 GUI code was moved into the kernel. 20 years later,
that decision is still causing bugs.

~~~
userbinator
Windows started out as being for a single-user personal computer, and such a
use-case is going to emphasise different features than something more
security-oriented for large multi-user systems. The NT family was widely known
for being more sluggish and resource-consuming than 9x, even in regular usage
- I dualbooted with 98SE and XP for a _long_ time, and the difference in
responsiveness was very noticeable.

Also, it could be argued that vulnerabilities like these which are only
locally exploitable are not all that scary, as a _personal_ computer should be
by definition one that obeys its user no matter what. It's a bug, but not a
"someone can take over your computer without you doing anything". Maybe it's
because I grew up with personal computers that practically invited you to do
whatever you want with them and had absolutely no "protection" whatsoever
(early 8-bit machines, then DOS on a PC) that I find it hard to get scared or
excited by local-only exploits like these.

~~~
na85
What happens when a user pirates a game or installs a codec that turns out to
be malware?

It's the internet age, now. Local-only really isn't any more.

~~~
TeMPOraL
Well, when I grew up, you know what happened? The user realized he was an
idiot, fixed the problem himself and was more careful next time.

Part of the reason it's so easy to infect technically illiterate crowd
nowadays is that they didn't develop an immunity system - something us who
grew up with computers take almost for granted. It doesn't really take that
much to become almost completely immune to malware - 90% of it is simple to
spot (don't download things from CNET or any other site that has lots of ads,
and especially those that try to trick you into clicking them; don't open
.exe's you didn't explicitly requested; know what's an .exe; don't open
attachments you didn't expect; etc.) - but somehow the society at large
doesn't bother. And yet they expect someone else to fix it for them. As the
saying goes, "Any fool can use a computer. Many do.".

I understand how we got there. I don't like it, but well, Moloch does what he
wants. The thing to remember is, the increased sterility of the ecosystem and
all those things done "for Security!" come at the cost of the ability of
general-purpose computation. Future systems will tend to be dumbed down to the
point they're not general-purpose computers anymore.

I wish, I hope, they'll let us keep PCs as specialized machines, like lathes
and mills.

~~~
graycat
_Open_ an attachment? Help! What the heck is meant by that?

For all these years, I never clearly understood just what was meant by _open_
an attachment. I don't have a clear description, definition, or explanation.
Help! [No joke]

Background.

In about 1995, I was using some OS/2 e-mail program that wanted to put an icon
somewhere for each e-mail message, screamed bloody murder at all those absurd
icons until my throat was sore, got out the e-mail RFCs, and in about an hour
used the TCP/IP interface of the scripting language Rexx to write my own POP3
e-mail software. Did all the e-mail reading and writing in just my favorite
text editor, KEdit. The pair worked great -- used them for years.

Then, sure, just as in the e-mail RFCs, especially about _multi-media internet
mail extensions_ (MIME) or some such, there were _attachments_. So, again in
Rexx, I wrote the basic base 64 en/decode software to handle attachments.

So, of course, I could receive a _virus_ via e-mail totally safely -- to me,
an _attachment_ was just some simple ASCII characters to be interpreted as the
base 64 encoding of something, maybe a JPG file. No harm in receiving the
ASCII characters -- they look like just gibberish of simple typing by a very
busy kitty cat walking on a keyboard, no harm in that -- or the base 64 code
or translating that base 64 code to bytes and storing the bytes in a disk
file. A file is just a sequence of bytes, any bytes at all -- harmless.
Simple. Save.

So, if an attachment claimed that it was a JPG, then I might give the
corresponding file from translation from base 64 to some graphic software to
display the JPG. If in fact the attachment was an EXE to do harm to my
computer data, etc., then I would trust the graphics program to notice that
the attachment was not a JPG -- should be easy enough for the graphics program
to tell.

Then I moved to Windows XP and then SP3 and Outlook 2003, and I'm still there
and see little or no reason to change but just want to get on with my real
work where XP SP3 is fine.

So, Outlook has _attachments_. Still, I never knew just what the heck was
meant by _open_ an attachment. So, if an attachment, say, in some MIME e-mail
header line or some such, claims that it is a JPG file, then maybe give the
attachment, translated from base 64, to some graphics program and trust that
the graphics program will (1) display a real JPG without harm or (2) give an
error message at anything else. Similarly for PNG, GIF, BMP, HTML, CSS, JS,
etc.

For an EXE, of course, certainly, no way would Windows let the thing try to
execute as software, right? I mean, not a chance, true? Or, the old, rock
solid, first rule of computer security was to never, but never permit data
from an untrusted source to execute as software, right? Handle such data just
as bytes, sure, okay, safe, etc., but just no way ever let it execute as
software, and that should be okay, right?

So, what does _open_ do that is not safe?

No joke: In all these years, I've heard about e-mail and _open_ an attachment
and still have no clear description, definition, or explanation that would say
just what _open_ does or why it's dangerous.

As far as I can tell, the people, maybe who wrote Outlook 2003, who talked
about doing an _open_ on an e-mail attachment never really made at all clear
just what the heck they were talking about.

Since many people still are afraid of _open_ , where I see little chance of
harm, maybe others would like some clarity, too.

Help! [no joke].

~~~
72deluxe
As you correctly state, the attachment is just a bunch of base64 encoded text
with a file type specifier in MIME. "Opening" an attachment involves bundling
it off to the shell for the shell to handle that file type.

So, JPEGs get handled by the JPEG shell handler. DOCs get handled by the DOC
shell handler.

And unfortunately EXEs get handled by the EXE shell handler. This breaks the
rule that you stated, that you should never ever permit data from an untrusted
source to execute. This is where the problem lies!

As far as "open" means, it is a piece of terminology to explain the concept of
saving data to a temporary store and then passing that file reference to the
shell, which typically for most programs gets passed as a parameter to that
file-type-handling program. Explorer > Tools > Folder Options will list file
types in there and you can see how different types are handled, and the
parameters passed to programs.

Of course, the base64 encoding, temporary file saving, shell passing is a bit
more complex to explain to someone than using the expression "open", hence why
people just say "open the attachment".

It's a terminology thing.

~~~
graycat
Yes, at least in the media, there is a lot of confusion about how e-mail and
'open' work. E.g., for

[https://news.ycombinator.com/item?id=9050436](https://news.ycombinator.com/item?id=9050436)

about

[http://www.nytimes.com/2015/02/15/world/bank-hackers-
steal-m...](http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-
millions-via-malware.html)

in that NYT piece on hacking banks in Russia there is:

"In many ways, this hack began like any other. The cybercriminals sent their
victims infected emails — a news clip or message that appeared to come from a
colleague — as bait. When the bank employees clicked on the email, they
inadvertently downloaded malicious code. That allowed the hackers to crawl
across a bank’s network until they found employees who administered the cash
transfer systems or remotely connected A.T.M.s."

So, to get _infected_ all they had to do was just click "on the email"? Not
even click on an attachment! That must be some strange, dangerous e-mail
software!

------
sandworm
It's a flaw. A bad one. But things like this get patched every day. Only an
idiot would believe there aren't plenty of other undiscovered security flaws
in windows, or any other OS. What matters is whether this flaw was ever
exploited, whether it was ever spotted in the wild, before it was patched.

I am more than happy to criticize microsoft. I truly hate windows and
everything it represents. But the system seems to have worked here. The bug
was reported and patched before it became a widespread issue. I'll save my
venom for those all-to-common days where Microsoft fails to address a problem
in a timely manner. (or also Apple, plenty of venom for them too.)

~~~
sillysaurus3
_I am more than happy to criticize microsoft. I truly hate windows and
everything it represents._

Why's that?

I'm hoping for an in-depth substantive analysis of the factors leading you to
come to such a conclusion, but I don't want to take up a bunch of your time or
make it seem like I'm asking you to justify anything.

~~~
sandworm
Windows is a proprietary ecosystem where choices are made for the benefit of
microsoft's shareholders and nobody else. It is full of compromise. From DRM
to hamstrung "student" versions, Windows is not your friend. Microsoft's
business practices, specifically the way they market windows on oem machines,
are also downright deceptive. I never use windows at home but, because I buy
laptops, I actually own many windows licenses. Those "sales" are part of
Microsoft's bottom line and are pitched to shareholders as if I am actually
using microsoft products.

I have never met anyone who truly likes windows. They tolerate it. They are
used to it. But they never say "Yes, I am happy with this new version. The
upgrade sure made my life easier!" I'd rather have my wisdom teeth re-
installed and re-pulled than be part of another office transitioning from one
version of windows to another.

I gave up on windows when, after buying a little netbook, I decided to give it
a chance. I plugged in an MS-brand optical mouse and was told that windows
needed to connect to the internet to download the driver to run the mouse.
That was windows's last breath on any of my personal machines.

And death to docx.

~~~
aceperry
"I have never met anyone who truly likes windows"

Interestingly, I've seen a small group of Windows fanbois arise within the
last couple of years. Very much like the Apple fanbois; just as irrational and
quick to take offense at any criticism of MS and Windows.

But I agree with you that most people I know also tolerate windows. Some are
even happy with it because they can do things with a computer that has
windows.

That was until Windows 8 came out. I was surprised by the amount of hate
windows 8 received, and it was well deserved IMHO. But then I was also
surprised by the few people who didn't hate Windows 8, some even liked it. The
fanbois.

~~~
scholia
It's not fanbois, it's actual real-life users who love it. (Not all of them,
but a high proportion, in my experience.)

Windows 8.1 is terrific on tablets and devices with touch screens. My wife
loves it. I think most if not all the hate came from stuck-in-the-mud XP
users, and from Windows 7 users with non-touch screens. Which is fair enough.

Those are, of course, the vast majority of Windows users, so -- even though
most of them have never used it seriously -- they drown out the real Windows
8/8.1 users.

~~~
aceperry
In my experience, most users don't have surface or windows tablets. And they
came from XP or 7. As far as I can tell, they use windows 8 as seriously as
when they used xp and 7.

You can dismiss the vast majority of people who have that experience, but that
would be ignoring the reality for most people. Fortunately for Microsoft, MS
has decided to listen to the huge amount of complaints and get rid of the
problematic interface.

I've always wondered what the win8/8.1 supporters would have MS do about the
situation. Tell the vast majority of "unserious" users to suck it up, shut up,
and use Win8? No change is necessary, you just have to get serious about using
it? I'm asking because I don't understand the point of view of win8
supporters.

BTW, I really do think that there are MS fanbois out there. Not trying to be
insulting or anything, just something that seems to be a new trend. Peace.

~~~
scholia
I'm not dismissing their experience (if any), just pointing out that it's not
the whole story. I like Windows 8/8.1 a lot, but I'm still using Windows 7 on
my desktop....

My point is that there is no discontinuity between lots of people loving
Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it --
or, more often, hating the idea of it -- on non-touch machines.

So, the solution is to retain the best parts of Windows 8 on touch-based
devices while making it more usable on non-touch devices. Which is what
Microsoft is doing.

Either way, you'll note that Windows 7 Pro is still available from Microsoft
as a current product, and that it will be supported until 2020.

~~~
aceperry
"I'm not dismissing their experience (if any)"

Does that mean if someone doesn't like Win8, they don't have any experience?
Or they're not serious? Sounds like an insulting dig at people you don't agree
with.

"My point is that there is no discontinuity between lots of people loving
Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it --
or, more often, hating the idea of it -- on non-touch machines."

??? Not sure what you're trying to say here.

"Windows 7 Pro is still available from Microsoft as a current product"

Good news if you don't want Win8 on your laptop/desktop. I guess you'll have
peace when Windows 10 comes out, and you don't have to hear any negative
comments about Windows 8.

~~~
scholia
> Sounds like an insulting dig at people you don't agree with.

Yes, I shouldn't insult people just because they're ignorant and can't be
bothered to learn how to use Windows 8, which in my experience, is
predominantly the case.

It's certainly _usable_ on desktops etc without touch screens, but it's
suboptimal on those systems, which is why I don't load it on them. That
doesn't mean I can't use it and appreciate its qualities on touch-screen PCs.

------
mdriley
This doesn't "bypass all Windows security measures". As of Windows 8,
processes can disable win32k syscalls using SetProcessMitigationPolicy with
ProcessSystemCallDisablePolicy.

[https://msdn.microsoft.com/en-
us/library/windows/desktop/hh7...](https://msdn.microsoft.com/en-
us/library/windows/desktop/hh769088%28v=vs.85%29.aspx)

~~~
XbcL4QZQ
Is ProcessSystemCallDisablePolicy somehow similar to seccomp on Linux? I
understand that seccomp allows to selectively allow/disallow individual system
calls while this disallows all win32k calls. But I don't know how similar
these features are in the security impact.

Apparently, chromium - which uses seccomp on linux - uses
ProcessSystemCallDisablePolicy on windows:
[https://src.chromium.org/chrome/branches/1312/src/sandbox/wi...](https://src.chromium.org/chrome/branches/1312/src/sandbox/win/src/process_mitigations.cc)

~~~
mdriley
They're comparable features. In both cases, a simple but hardened filter is
placed in front of some part of the kernel attack surface. Vulnerable
processes (e.g. renderers) opt in to these protections so that, in the event
of compromise, they're less likely to be vectors for a successful escalation
of privilege attack against the kernel syscall interface.

------
laurent123456
How do they find exploits like this? Do they check every single kernel
functions for unchecked pointers? Do they have some automated way to discover
this?

~~~
gldalmaso
On figure 4 the legend says that static code analysis made it possible to
discover the chain of calls.

~~~
pbhjpbhj
How many billions are MS making from Windows? Why aren't they doing that
static analysis??

~~~
ToastyMallows
Maybe they are and this was already documented internally, but potentially
marked as a low threat, but now that it was found outside of Microsoft it's a
bigger problem? I'm just spitballing here, one would have to assume that
Microsoft is doing static code analysis.

~~~
pbhjpbhj
OK, but it wasn't found before the current OS cycle presumably because one
would imagine they'd fix it ... ha-ha!

So it either wasn't found or they found it and continued to bake it in to the
OS nonetheless. Which is better?

------
peterkelly
> This particular vulnerability appears in the _GUI component of Microsoft
> Windows Kernel_

There's your problem right there.

~~~
72deluxe
Are you saying that Microsoft are incapable of releasing a decent product or a
stable API? If so, you'd be wrong on the second count, and I'd say the first
too but then argument would ensure.

The Windows API and all related systems are stable and mature.

And I'm saying this as an OSX user.

~~~
peterkelly
> Are you saying that Microsoft are incapable of releasing a decent product or
> a stable API?

No, I'm saying that implementing scrollbar handling in the kernel is a bad
idea. It's not something which requires privileged system access, and thus
should be done in user mode where bugs like this won't lead to privilege
escalation.

~~~
72deluxe
But everything in the OS will use a scrollbar, so put it in the kernel, right?
:-) Only kidding.

I think OSX got around this problem by removing scrollbars haha only kidding

You make an excellent point, sorry to misunderstand your original post.

------
MichaelGG
How many of those new protections listed (DEP, ASLR, page 0 mapping) are still
useful with a system like Rust? Cause it seems like a hell of a lot of effort
is going into hardening the environment cause the code is just that leaky, but
I'm probably misunderstanding something.

~~~
nly
Theoretically if you had a kernel written in Rust, I suppose you could
implement the system call interface such that all pointers passed to the
kernel from user space would be considered "borrowed" under the Rust type
system, and then have all your "return to user space" mechanisms recognised by
the compiler as terminating their lifetime.

I'm not sure if that's enough though, considering that, in general, the kernel
can't assume anything passed to it by reference via a system call isn't
mutated by another userland thread. Furthermore, even if everything were
written in Rust, the kernel can't just _trust_ that a userland process was
actually compiled in a way that faithfully employed Rusts compile-time safety
guarantees... so I think any notion of shared garbage collection is tricky
without a program loader that did code verification.

Microsoft have done some work in this area with their Singularity and Midori
projects[0]. Singularity in particular eliminates hardware isolation between
processes.

I think the simple answer here is that the kernel should be _copying_ anything
passed to it by reference if it intends to do anything beyond a single atomic
read operation. This is why, on Linux for instance, send() can't return to
user space until the data has been copied in to kernel controlled memory, and
why we have nice things like splice() and sendfile() to deal with the
performance hit of doing so for common cases.

[0]
[https://en.wikipedia.org/wiki/Midori_%28operating_system%29](https://en.wikipedia.org/wiki/Midori_%28operating_system%29)

~~~
TheLoneWolfling
Removing hardware isolation in general is not a good idea. There are enough
hardware errors to cause problems. You don't want a bitflip to cause
everything on your server to become corrupted. (Bitflips can be reduced by
using ECC ram. But still, the principle remains.) (Worse: you don't want
someone to be able to take over your entire physical server from one of the
virtual servers)

One option would be for the kernel to temporarily mark the page(s) referenced
as read-only, and do copy-on-write where necessary. This would prevent the
(presumably) common case of not having the page modified by another thread
while the kernel processes the data to not incur the delay of copying the
data. Might only be worth it for larger amounts of data, though.

------
72deluxe
The dead code comment at the end was informative. Does anyone else use code
analysis of C/C++ to find dead stores etc.?

I have used flawfinder, cppcheck and Xcode (clang's) analysis which has helped
me find issues.

------
TheCraiggers
> _After some hard word, however, we managed to produce a fully working
> exploit which we’ll describe._

Wait, now I'm confused... was it a single bit, or an entire word that triggers
this bug? ;)

------
zaroth
I'm sorry, wait... they hacked it through the scroll-bars? You can't make this
shit up.

------
thclark
Remove those unnecessary lines of code and you will be surprised how the
security holes close by themselves.

