Bypassing Windows 10's Protections Using a Single Bit (breakingmalware.com)
358 points by 2510c39011c5 on Feb 11, 2015 | 130 comments

When your OS kernel handles scroll bars, you're doing something wrong.

NT 3.5 had the GUI entirely outside the kernel. For compatibility with Windows 95, much of the Windows 95 GUI code was moved into the kernel. 20 years later, that decision is still causing bugs.

Windows started out as being for a single-user personal computer, and such a use-case is going to emphasise different features than something more security-oriented for large multi-user systems. The NT family was widely known for being more sluggish and resource-consuming than 9x, even in regular usage - I dual-booted with 98SE and XP for a long time, and the difference in responsiveness was very noticeable.

Also, it could be argued that vulnerabilities like these which are only locally exploitable are not all that scary, as a personal computer should be by definition one that obeys its user no matter what. It's a bug, but not a "someone can take over your computer without you doing anything". Maybe it's because I grew up with personal computers that practically invited you to do whatever you want with them and had absolutely no "protection" whatsoever (early 8-bit machines, then DOS on a PC) that I find it hard to get scared or excited by local-only exploits like these.

>Maybe it's because I grew up with personal computers ... (early 8-bit machines, then DOS on a PC) that I find it hard to get scared or excited by local-only exploits like these.

In the 8-bit world, if you don't have a hard drive, and your only "network" is trading floppies with your friends, and "Elk Cloner"[1] is the nastiest virus you have to worry about, then there isn't much reason to be scared.

Nowadays, though...if you consider inserting an infected USB stick to be a local-only attack vector, then Stuxnet was local-only.

[1] http://en.wikipedia.org/wiki/Elk_Cloner

But in general if the bad people have physical access to the machine it's game over and it doesn't matter what OS you're using.

There's different degrees of physical access; it's a different thing if you can reboot the machine or freely mess with its peripherals, or just plug in a usb stick for half a second.

Given that even linux these days will automatically use a keyboard connected to USB, it isn't a very different thing.

Only if you have usb-hid enabled (which, admittedly is default on general distros, but not on purpose-specific distros).

Not my experience at all. The day I randomly installed the win2k beta (distributed with some magazine) I never looked back. It was so stable yet so fluid. It smelled of better design (gui, driver model,...) all over.

True. Well, some of us had that experience with NT 4.0 ;-)

The GUI side of NT4.0 lacked a tiny bit of glitter to make the 98/95 siblings irrelevant to a newcomer like me. 2K was the first to have a little visual appeal (slightly revamped color scheme, 16k icons, some animations/fades here and there). So much that I often disabled themes in XP to enjoy that 2K feel.

What happens when a user pirates a game or installs a codec that turns out to be malware?

It's the internet age, now. Local-only really isn't any more.

Well, when I grew up, you know what happened? The user realized he was an idiot, fixed the problem himself and was more careful next time.

Part of the reason it's so easy to infect the technically illiterate crowd nowadays is that they didn't develop an immune system - something those of us who grew up with computers take almost for granted. It doesn't really take that much to become almost completely immune to malware - 90% of it is simple to spot (don't download things from CNET or any other site that has lots of ads, and especially those that try to trick you into clicking them; don't open .exe's you didn't explicitly request; know what an .exe is; don't open attachments you didn't expect; etc.) - but somehow society at large doesn't bother. And yet they expect someone else to fix it for them. As the saying goes, "Any fool can use a computer. Many do."

I understand how we got there. I don't like it, but well, Moloch does what he wants. The thing to remember is, the increased sterility of the ecosystem and all those things done "for Security!" come at the cost of the ability of general-purpose computation. Future systems will tend to be dumbed down to the point they're not general-purpose computers anymore.

I wish, I hope, they'll let us keep PCs as specialized machines, like lathes and mills.

Except that you only have to make a mistake once, you're really tired and a spear phishing attack happens and you open up that attachment - you're screwed. Hell, it may not do anything or it may install some super shady malware that will stay dormant for a long time.

Security is fundamentally broken - there is a lot of innovation that needs to happen to make our computers more secure. There are a lot of non mainstream systems that have better security, we need to move their practices/architecture into the mainstream.

Hell, when you see things like quantum insert - how can any user be expected to keep their machine secure.

This is an exceptional post. I had taken for granted learning an immunity to doing stupid things, like seeing that a popup designed to look like a window clearly wasn't a window due to the mild mismatch of themes.

You're spot on that most people don't bother learning these things anymore, and particularly in the tablet ecosystem where apps are expected to be doctored for them as they come from a trusted source.

The thing is malware can throw up those same windows that are in fact indistinguishable. There's no immune response that can pick it up.

Except windows still aren't supposed to pop up out of the blue. If you didn't expect a window to appear (especially a window offering actions), it's most likely malware. Again, having a feel for that comes from experience.

Except legitimate programs don't throw up windows out of the blue asking for your credit card number.

Prompts to enter your password to install something perhaps? Windows pop up out of the blue a fair amount. You only have to make a mistake once.

I have zero programs on any of my machines which pop up dialogs asking for sensitive information "out of the blue". Not saying they don't exist, only that they shouldn't and you should be suspect of any program which behaves this way.

It's not out of the blue; unless the prompt is a direct result of you intentionally running an executable or trying to tweak some UAC-ed options, it's malware.

Open an attachment? Help! What the heck is meant by that?

For all these years, I never clearly understood just what was meant by open an attachment. I don't have a clear description, definition, or explanation. Help! [No joke]


In about 1995, I was using some OS/2 e-mail program that wanted to put an icon somewhere for each e-mail message, screamed bloody murder at all those absurd icons until my throat was sore, got out the e-mail RFCs, and in about an hour used the TCP/IP interface of the scripting language Rexx to write my own POP3 e-mail software. Did all the e-mail reading and writing in just my favorite text editor, KEdit. The pair worked great -- used them for years.

Then, sure, just as in the e-mail RFCs, especially about multi-media internet mail extensions (MIME) or some such, there were attachments. So, again in Rexx, I wrote the basic base 64 en/decode software to handle attachments.

So, of course, I could receive a virus via e-mail totally safely -- to me, an attachment was just some simple ASCII characters to be interpreted as the base 64 encoding of something, maybe a JPG file. No harm in receiving the ASCII characters -- they look like just gibberish of simple typing by a very busy kitty cat walking on a keyboard, no harm in that -- or the base 64 code or translating that base 64 code to bytes and storing the bytes in a disk file. A file is just a sequence of bytes, any bytes at all -- harmless. Simple. Save.

So, if an attachment claimed that it was a JPG, then I might give the corresponding file from translation from base 64 to some graphic software to display the JPG. If in fact the attachment was an EXE to do harm to my computer data, etc., then I would trust the graphics program to notice that the attachment was not a JPG -- should be easy enough for the graphics program to tell.

Then I moved to Windows XP and then SP3 and Outlook 2003, and I'm still there and see little or no reason to change but just want to get on with my real work where XP SP3 is fine.

So, Outlook has attachments. Still, I never knew just what the heck was meant by open an attachment. So, if an attachment, say, in some MIME e-mail header line or some such, claims that it is a JPG file, then maybe give the attachment, translated from base 64, to some graphics program and trust that the graphics program will (1) display a real JPG without harm or (2) give an error message at anything else. Similarly for PNG, GIF, BMP, HTML, CSS, JS, etc.

For an EXE, of course, certainly, no way would Windows let the thing try to execute as software, right? I mean, not a chance, true? Or, the old, rock solid, first rule of computer security was to never, but never permit data from an untrusted source to execute as software, right? Handle such data just as bytes, sure, okay, safe, etc., but just no way ever let it execute as software, and that should be okay, right?

So, what does open do that is not safe?

No joke: In all these years, I've heard about e-mail and open an attachment and still have no clear description, definition, or explanation that would say just what open does or why it's dangerous.

As far as I can tell, the people, maybe who wrote Outlook 2003, who talked about doing an open on an e-mail attachment never really made at all clear just what the heck they were talking about.

Since many people still are afraid of open, where I see little chance of harm, maybe others would like some clarity, too.

Help! [no joke].

As you correctly state, the attachment is just a bunch of base64 encoded text with a file type specifier in MIME. "Opening" an attachment involves bundling it off to the shell for the shell to handle that file type.

So, JPEGs get handled by the JPEG shell handler. DOCs get handled by the DOC shell handler.

And unfortunately EXEs get handled by the EXE shell handler. This breaks the rule that you stated, that you should never ever permit data from an untrusted source to execute. This is where the problem lies!

As far as what "open" means, it is a piece of terminology to explain the concept of saving data to a temporary store and then passing that file reference to the shell, which typically for most programs gets passed as a parameter to that file-type-handling program. Explorer > Tools > Folder Options will list file types in there and you can see how different types are handled, and the parameters passed to programs.

Of course, the base64 encoding, temporary file saving, shell passing is a bit more complex to explain to someone than using the expression "open", hence why people just say "open the attachment".

It's a terminology thing.

Yes, at least in the media, there is a lot of confusion about how e-mail and 'open' work. E.g., for




in that NYT piece on hacking banks in Russia there is:

"In many ways, this hack began like any other. The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s."

So, to get infected all they had to do was just click "on the email"? Not even click on an attachment! That must be some strange, dangerous e-mail software!

Open in case of attachment means the same it means in case of anything else in the system - take the data and give it to some program to handle.

Attachments, be it EXEs or DOCs or whatever, exist as bytes in memory but don't (at least, they shouldn't) get processed - that is, opened - until you explicitly ask to.
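The two replies above ("Opening an attachment involves bundling it off to the shell for the shell to handle that file type" and "take the data and give it to some program to handle") describe a concrete pipeline: MIME part, base64 decode, temporary file, handler chosen by file type. The following Python is an added example written for this page, not code from anyone in the thread; it walks a constructed sample message through that pipeline and shows where the rule "never let data from an untrusted source execute" is broken: the handler is picked by the attachment's name/extension, not by its bytes. The magic-byte table, the extension list and the sample mail are all constructed for the example.

```python
"""Walk a MIME message the way a mail client does when you "open" an attachment.

Added example (not from the original thread). The bytes of an attachment are
inert; the danger enters at the last step, when the decoded file is handed to a
program chosen by its declared name rather than by its content.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Magic-byte table (constructed for this example; only a few common types).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),     # also docx/xlsx/jar containers
    (b"MZ", "application/x-msdownload"),    # PE executable: EXE/DLL/SCR
]

# Extensions the Windows shell hands to a program *as code* rather than *as data*
# (assumption for the example; the real list lives in the registry associations).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".msi"}


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the declared type."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def shell_handler_by_extension(filename: str) -> str:
    """Mimic the classic 'open' step: the handler comes from the file-type
    association, i.e. the extension, as listed under Explorer's Folder Options."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "EXECUTE"  # untrusted bytes are now running as software
    return f"viewer-for-{ext or 'unknown'}"


def triage_attachment(part) -> dict:
    """Decode one MIME part (the base64 'translation') and compare what it
    claims to be with what it actually is."""
    filename = part.get_filename() or "unnamed"
    declared = part.get_content_type()
    data = part.get_payload(decode=True)   # base64 text -> raw bytes
    actual = sniff(data)
    naive = shell_handler_by_extension(filename)
    return {
        "filename": filename,
        "declared": declared,
        "actual": actual,
        "size": len(data),
        "mismatch": declared != actual,
        "naive_handler": naive,
        "executable": actual == "application/x-msdownload" or naive == "EXECUTE",
    }


def safe_handler(result: dict) -> str:
    """Hardened dispatch: choose the viewer by sniffed content and never execute."""
    if result["executable"]:
        return "REFUSE"
    return f"viewer-for-{result['actual']}"


def triage_message(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [triage_attachment(p) for p in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed sample mail, not a real one: a genuine JPEG header, a PE
    executable disguised as a photo, and an honestly named .exe."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "photos from the offsite"
    msg.set_content("see attached")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    pe = b"MZ\x90\x00" + b"\x00" * 64
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="team.jpg")
    msg.add_attachment(pe, maintype="image", subtype="jpeg", filename="team2.jpg")
    msg.add_attachment(pe, maintype="application", subtype="x-msdownload", filename="codec.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_message(build_sample_message()):
        print(f"{r['filename']:<10} declared={r['declared']:<26} actual={r['actual']:<26} "
              f"naive={r['naive_handler']:<18} safe={safe_handler(r)}")
```

Run it and the three rows show the three cases the thread argues about: `team.jpg` is handed to an image viewer either way; `team2.jpg` is a PE file that the extension-based dispatch still sends to the JPEG viewer (which, as the original poster hoped, should simply reject it); `codec.exe` is the case that breaks the rule, because the naive dispatch returns `EXECUTE` purely from the name. Dispatching on the sniffed type instead refuses both executables.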

At that stage why do you even need exploits? No-one would flinch at giving the installer for a game or codec admin permissions.

Local privilege exploits are problematic for corporate environments where not all users can be trusted 100%, and for the gullible less-technical users.

Today, with public hosting nearly universally offering VMs instead of traditional user accounts on a single operating system - never mind the whole Docker trend of giving every single piece of the application its own virtual OS install - are "large multi-user systems" even worth worrying about anymore?

But this is basically orthogonal to the modern application of (OS-level) privilege boundaries, which is to protect the user from compromised application processes. This escalation doesn't let someone "take over your computer without you doing anything" by itself, but once someone has exploited an IE bug and found themselves able to run arbitrary code on users' computers in a sandbox - which happens all the time - that's exactly what it allows.

The short answer is yes; such operating systems are required to run Docker, LXC and other approaches which all utilize similar tools.

I'm not that familiar with Docker but looking at http://en.wikipedia.org/wiki/Docker_%28software%29 it is built on the same resource isolation features as LXC which I am using on two of my test systems.

The resource isolation features are, in fact, built on top of a large multi-user system, which happens to have powerful security context support and abstractions built in. The contained applications operate, from a userspace perspective, as if they are their own system when in reality their kernel is actually the host kernel and their users are really virtually re-mapped to distinct accounts within the host kernel.

>only locally exploitable

That didn't seem to be the case to me? It seemed to be a privilege escalation bug.

EDIT: I'm stupid. Some other user talked about physical access bugs, so confused that with locally exploitable.

The above poster means that the exploit does not involve penetration via networking (remote exploit.) Only once 'local access' has been obtained (through maybe a remote exploit) can this privilege escalation be used.

Meaning instead of doing things with your user account, they can instead hijack your whole system. A keylogger on windows, for instance, does not need ring0 to function. The difference isn't really that large on a personal single-user windows setup. You're pretty screwed even if they don't manage to get ring0.

To the extent that "local-only" is a mitigating factor, it shouldn't be. Real intruders are likely to layer their attack; a network exploit to get in, maybe a local-only privilege escalation to get deeper. They aren't picky.

It's a huge factor to a personal computer user. This exploit means almost nothing to those users because just having their single account jacked via a remote exploit is screwed enough. Privilege escalation is diddly squat.

If we are talking about a corporate user, then it means a lot more.

These days, having the IE renderer process running in the "protected mode" sandbox jacked is theoretically not "screwed enough"; I think this vulnerability would allow escaping from that sandbox. Correct me if I'm wrong, as I don't use Windows.

You might be right, I don't know much about the sandboxing. After a quick Google search, it seems like the details are sparse.

The kernel move was, reportedly, for performance reasons. I think if you used NT Workstation at the time, you'd probably notice this compared to 95/98. I believe MS also runs http in kernel space under http.sys. There's no backwards compatibility there for legacy 8 or 16-bit apps as, you know, the web is younger than those apps and even then a browser would not need to interface with them.

I think MS is eternally hamstrung by performance and legacy issues because those two things are in demand for so many of their customers. Windows fits this market, which is fairly sizeable. Of course now with hardware at the speed it's at, you can get a lot more slack. I've found the linux desktop to be horribly slow until the past couple of years where there's a glut of CPU/GPU performance on even the most commodity equipment. I can run, and have run, Win7 on equipment that shipped with XP and it's been a fairly pleasant experience. Running, say, a gnome or KDE WM on that equipment is a nightmare. MS, for all its faults, is fairly conservative in many regards, especially performance.

At the end of the day this is yet another security issue that needs to be patched. The larger issue in my mind isn't MS decisions from 15 years ago, but why so much of our software infrastructure is being written in languages that more or less beg for stack/malloc vulnerabilities. These constant tirades about MS are just more "the beatings will continue until morale improves" and not really a constructive conversation about security. I think in the near future we'll be looking at all our stuff written in Rust-like languages and wonder why the hell it took so long to do.

Lastly, Win10 is a technical preview. Finding bugs is exactly what should be going on here. Are we really being this critical on pre-release software? I don't see any other software held up to such a standard.

> Lastly, Win10 is a technical preview. Finding bugs is exactly what should be going on here.

FTA: "We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview."

The specific "Windows 10" aspect is click-bait; the exploit is for Windows

"we managed to create a reliable exploit for all versions of Windows – dating back as of Windows XP to Windows 10 preview"


I thought the big reason for moving the GUI into the kernel was for performance rather than compatibility.

That was the official word from Microsoft at the time, but Mark Russinovich, who had Sysinternals.com at the time, benchmarked and said that pushing low-level graphics commands (draw line, fill, etc; stuff graphics cards do) across the kernel boundary wasn't a bottleneck. He was critical of those decisions. Microsoft eventually hired him to shut him up.

>Microsoft eventually hired him to shut him up.

Well i don't buy that part. When I first came across sysmon/regmon/procmon, I found it to be an amazing piece of work. An extremely small free standalone program that gave you a realtime insight into the OS? Heck, if I kept a list of people to hire, he would definitely be on it!

That thing was even 1/10 of the "hello world" Go program I compiled!!!*

*(~100Kb vs 1Mb) I know Garbage Collection adds a lot to size but its still a fun comparison.

The large binary size of a Go program has nothing to do with "garbage collection". It's because the binaries are statically linked against the Go runtime. Try compiling a static C "hello world" program and it will be comparable in size to the Go binary.

I think the "hired him to shut him up" thing is a bit of a myth. From the horse's mouth: http://youtu.be/o1DskPD-Ngc?t=2m21s .

Having said that, he was quite vocal at the time, and I personally think that he may have been a large part of the huge Vista -> Win7 improvements, although have no evidence to support this. The timing just seems about right.

And because he was clearly a genius.

There's a story behind that buyout. Russinovich had a business called Winternals, and had written NTFSDOS [1], which allowed access to NT file systems under DOS.[2] Microsoft didn't like that, because it allowed booting from a floppy, bypassing NT's security restrictions, and resetting the administrator password, copying, or modifying files. (The concept that a computer could be secure when someone had enough physical access to boot a new OS seems silly now, but back then, the opposition was script kiddies, not intelligence agencies and organized crime.) So Microsoft bought Russinovich out. Wikipedia: "Winternals was acquired by Microsoft mid-2006. Microsoft has removed any traces of NTFSDOS..."

[1] https://en.wikipedia.org/wiki/NTFSDOS [2] https://web.archive.org/web/20000126093942/http://sysinterna...

NTFSDOS was released in the late '90s, Microsoft acquihired Russinovich in 2006. That program wasn't any more of a factor than all the other wonderful utilities he'd developed over the years. In fact, if you're looking for something Russinovich was forced to retire right after acquisition, you really should mention NewSID.exe, which was really shut down hard while in ascendance (as virtualization became commonplace).

I think MS just wanted to hire one of the best Windows hackers of all time, and they pounced as soon as they got a window of opportunity for whatever reason. Everything else was a bonus.

Yes, Mark was running sysinternals for years before Microsoft hired him.

Great programs he produced though! Really really helpful. One of the first things I install on a new OS.

Great programs that are still available free from Microsoft ;-)

> Microsoft didn't like that, because it allowed booting from a floppy, bypassing NT's security restrictions, and resetting the administrator password, copying, or modifying files.

This sounds nonsensical, like folk history. You can already create a boot disk to do this using all Microsoft tools: Assuming the volume is not BitLocker'd it's pretty simple to do all of this stuff with WinPE [1], including the version that shipped in 2006, or with a Windows setup DVD. Or you could simply move the drive to a machine where you are an admin.

I am pretty sure they bought winternals because they wanted to hire MarkRuss.

[1] http://en.wikipedia.org/wiki/Windows_Preinstallation_Environ...

This was in the nineties, no PXE back then.

The winternals acquisition happened in 2006. And you don't need pxe for what I described either.

You could use the recovery console to gain access to an NTFS partition, and I think a Windows 2003 disc on Windows XP wouldn't even ask you for the administrator password. You couldn't access encrypted directories, but NTFS-DOS was hardly a threat. Most Linux Live CDs could at least read NTFS.

Don't forget about NTSwitch[1]. This little gem would switch Windows Server to Windows Workstation and vice versa.

[1] http://windowsitpro.com/systems-management/making-windows-cl...

> Microsoft eventually hired him to shut him up.

... and they tasked him with this obnoxious and highly dispensable cloud computing project. Anything just to keep Mark shut up, ANYTHING.

Mark Russinovich was hired by Microsoft for any number of reasons, not the least among them being the fact that he was easily one of the top Windows hackers out there. I can still remember marveling over the books he used to write about Windows internals - good stuff, and really made me aspire to become a better developer.

The funny thing is this claim reminds me of Skywing. Yes, I am talking PatchGuard.



He/she was quite blunt and rude about it, but he was right - GDI calls are Win32 API stuff or Windows API (that you don't see much of anymore, as there are wrappers for it every few years in the form of MFC / .NET etc.)

in terms of GUI, performance is responsiveness...

and for a windows system, it needs to support a range of hardware configurations...Some could be really slow...

That is correct.

Backward compatibility is the root of quite a bit more evil than premature optimization.

Modern CPUs still implement the A20 gate functionality, for example.

Backward compatibility, OTOH, is key to a large fraction of upgrade revenue.

Not to mention that the scrollbar code is triggered by a LOT of window messages. If you wanted to draw scrollbars yourself, you'd have to eat a bunch of messages, not just WM_PAINT and the like.

On my last count, you needed to swallow 11 different types of messages.

>When your OS kernel handles scroll bars, you're doing something wrong.

It's pretty core to the idea of Windows though. Kind of like a printer - I wouldn't be surprised if a printer driver was in the kernel. Or Age of Empires, which is a Microsoft property. Just load it into the kernel in case you need it and you don't need much DRM; if people end up buying it it can get unlocked.

A game residing in the kernel. Have you gone mad?!

I cannot imagine how anyone didn't get that I was making a joke. Originally I ended by saying that I'd draw the line at including all of creative suites (photoshop, illustrator, etc) would be too much, since it's a third party and Microsoft shouldn't be playing favorites with what's in the kernel like that.

In essence I was agreeing that a microkernel is no place for a scroll bar!

Your joke was a bit deadpan. But I'm laughing now ;-)

Sorry, I wasn't actually in a funny mood.

More than that, Vista (along with .NET) put http stack into kernel. It's called http.sys

They finally created a separate font server process in Win10.


This vulnerability seems to be in win32k.sys. The UI side of NT is something I know less about than other pieces, however, my understanding is that a lot of user32.dll in an NT-based system is simply trapping into win32k.sys. Similar to the fact that most stuff in ntdll is just a syscall stub.

I respect the NT kernel but it has visible warts. I will give you that they are not always the same warts as what people complain about on HN.

> Are you on crack?

Personal attacks are not allowed on Hacker News, regardless of whether someone else is wrong.

Ever try showing some respect to your fellow HN users?

Anyone else noticed the rise of offensiveness here?

Goes with the territory; the front door stays open here. But yeah, I've noticed. It ebbs and flows.

It's a flaw. A bad one. But things like this get patched every day. Only an idiot would believe there aren't plenty of other undiscovered security flaws in windows, or any other OS. What matters is whether this flaw was ever exploited, whether it was ever spotted in the wild, before it was patched.

I am more than happy to criticize microsoft. I truly hate windows and everything it represents. But the system seems to have worked here. The bug was reported and patched before it became a widespread issue. I'll save my venom for those all-too-common days where Microsoft fails to address a problem in a timely manner. (or also Apple, plenty of venom for them too.)

I am more than happy to criticize microsoft. I truly hate windows and everything it represents.

Why's that?

I'm hoping for an in-depth substantive analysis of the factors leading you to come to such a conclusion, but I don't want to take up a bunch of your time or make it seem like I'm asking you to justify anything.

Windows is a proprietary ecosystem where choices are made for the benefit of microsoft's shareholders and nobody else. It is full of compromise. From DRM to hamstrung "student" versions, Windows is not your friend. Microsoft's business practices, specifically the way they market windows on oem machines, are also downright deceptive. I never use windows at home but, because I buy laptops, I actually own many windows licenses. Those "sales" are part of Microsoft's bottom line and are pitched to shareholders as if I am actually using microsoft products.

I have never met anyone who truly likes windows. They tolerate it. They are used to it. But they never say "Yes, I am happy with this new version. The upgrade sure made my life easier!" I'd rather have my wisdom teeth re-installed and re-pulled than be part of another office transitioning from one version of windows to another.

I gave up on windows when, after buying a little netbook, I decided to give it a chance. I plugged in an MS-brand optical mouse and was told that windows needed to connect to the internet to download the driver to run the mouse. That was windows's last breath on any of my personal machines.

And death to docx.

To offer an alternative:

I used to have the same "that upgrade DIDN'T make my life easier" with every new version of Fedora that I installed, until GNOME3, which completely removed any trace of productivity that I had.

I then ditched desktop Linux.

I don't think people enjoy new versions of anything (look at the backlash to Lion since Snow Leopard), there are still vocal complaints about Yosemite in OSX land.

My parents like Windows.

My brother likes Windows.

I use it daily and find it tolerable, like you.

But I think it would be naive to say that nobody likes Windows, don't you? Try giving any of my family or my wife my MacBook and see how angry they get in a short space of time.

If you didn't go "man gnome3 sucks, I'm reverting back to gnome2 (or never upgrading gnome in the first place), or moving to the mate fork, or using the comparable xfce until mate stabilizes" like the rest of us who can't stand gnome3, maybe you were never meant to have Linux on the desktop for long. I mean, GP's first complaint, my emphasis:

>Windows is a proprietary ecosystem where choices are made for the benefit of microsoft's shareholders and nobody else.

All software distributors make choices for someone's benefit, maybe sometimes even for the users', but the difference with non proprietary ecosystems, like Linux, is that users can make their own choices if they don't like the ones made for them. Sometimes this requires coordinated effort (like forking gnome2) that can sometimes be so effortful it might as well be as out of reach as changing choices in the closed ecosystem, but many other times it's as simple as installing a different desktop environment through your distro's package manager. What if I don't like the new look of Windows or OS X? I can choose not to upgrade the entire platform, but that's it, unlike in Linux land where I can upgrade piecemeal. It's even worse if I don't like a webapp's new look -- I can't even use the old version. I can of course stop using it. Great choice that, when it's the only alternative to 'tolerate'.

I agree with you that it's silly to say no one genuinely in a non-fanboy way likes Windows. (I live with such a person.) Personally I find Windows intolerable for anything but playing games on Steam and NoMachining into a Linux workstation. If my day-job was programming C# applications, I'd probably tolerate Visual Studio too. If that was my hobby and all my time was with Windows, and I forgot all I know of the Linux world, and like my housemate I installed various 3rd-party tools to change the boneheaded choices Microsoft occasionally makes (this does make my last paragraph hyperbole) then I might even like Windows as a whole.

>What if I don't like the new look of Windows or OS X? I can choose not to upgrade the entire platform, but that's it, unlike in Linux land where I can upgrade piecemeal.

You underestimate the customisability of Windows. Its ecosystem is mostly proprietary and closed-source, but that didn't stop people from modding what they could - just look at all the "post your desktop" threads that appear in various forums and you'll see lots of examples that are barely recognisable as Windows anymore. A lot of these involve little more than copying/replacing a few files, or some registry editing, so it's actually not so difficult at all.

In fact I'd say that "upgrade piecemeal" with Linux is made more complex because of all the dependencies that often arise with various apps all wanting very specific versions of libraries, multiple competing standards that do not interoperate (count all the GUI toolkits...), and emphasis on portability that tends to reduce the availability of binaries.

Some people go as far as replacing the shell:


...or even removing/replacing more fundamental components:


As for OS X... I agree there's not much customisation going on there, but I'd attribute that more to the demographic of Apple users. If Apple had the same marketshare with Mac OS as Microsoft has with Windows, I bet there would be a ton more modding happening.

I've used both Windows and Linux, and can say that I like and hate both, but for different reasons.

Actually, I stuck with GNOME2 for as long as I could. But then it got to feel like I was running Windows 3.11 in amongst Windows 7 contemporaries. Combined with the fact that I was writing OSX software, it made sense to buy a MacBook and virtualise all the OSes I was running, so Windows and my ancient comfortable version of Linux have their VMs still running.

You're right though - it's impossible to change the UI on OSX (other than grey or blue for the buttons, that is all, and now with a "dark" menubar which I like) and Windows is limited. I too keep my proper Windows dualboot partition for playing games (hurray for Homeworld Remastered this month eh!).

I think once we've been exposed to other OSes and use them daily for different things (I used to maintain racks of Linux and Windows servers of differing ages, some ancient machines along with new), the differences sort of fade and the rabid fanboyism for each OS gets wearisome. They each have their faults, their good points, and are all useful for getting stuff done, each with differing or potentially irritating approaches for doing that!

I myself sigh using Windows 8/8.1 and find Explorer under Windows 7 to be irritating compared to the XP one but that's just me and I should get used to it. It will be interesting to see what Windows 10 brings.

It is possible to change the UI in OS X! http://flavours.interacto.net/ – they're working on a new version with 10.10 support now.

Looks interesting! Hopefully it doesn't cause instability? I know in Obj-C you can link in low-level but such hackery isn't always rewarded with stability.

> I have never met anyone who truly likes windows.

I like windows.

I'm not sure you qualify, except (of course) he has met you...

He should have started with "Nice to meet you."

I'm old enough to believe that meeting on an online forum doesn't qualify 'met'. "I met the President on twitter" doesn't count.

> And death to docx.

I wouldn't mind some elaboration on this point; I would think it's a step up from .doc at the least.

Docx doesn't play nice. At a time when they could have contributed to open standards such as odt, and as projects like Openoffice were getting a handle on the doc format, Microsoft rolled out DocX to stir the pot.

DocX has some silly compression built in. Microsoft pitched this to some large customers on the basis of all the disk space it would save. How large are text documents? Are they really in need of compression? Only the most massive of corporations see any appreciable reduction in storage needs over the old doc format.

ODF also uses compression.

> I have never met anyone who truly likes windows. They tolerate it. They are used to it. But they never say "Yes, I am happy with this new version. The upgrade sure made my life easier!"

Plenty of people felt that way about the Vista to Windows 7 upgrade. (fewer felt that way about the 7 to 8 transition)

"I have never met anyone who truly likes windows"

Interestingly, I've seen a small group of Windows fanbois arise within the last couple of years. Very much like the Apple fanbois; just as irrational and quick to take offense at any criticism of MS and Windows.

But I agree with you that most people I know also tolerate windows. Some are even happy with it because they can do things with a computer that has windows.

That was until Windows 8 came out. I was surprised by the amount of hate windows 8 received, and it was well deserved IMHO. But then I was also surprised by the few people who didn't hate Windows 8, some even liked it. The fanbois.

It's not fanbois, it's actual real-life users who love it. (Not all of them, but a high proportion, in my experience.)

Windows 8.1 is terrific on tablets and devices with touch screens. My wife loves it. I think most if not all the hate came from stuck-in-the-mud XP users, and from Windows 7 users with non-touch screens. Which is fair enough.

Those are, of course, the vast majority of Windows users, so -- even though most of them have never used it seriously -- they drown out the real Windows 8/8.1 users.

In my experience, most users don't have surface or windows tablets. And they came from XP or 7. As far as I can tell, they use windows 8 as seriously as when they used xp and 7.

You can dismiss the vast majority of people who have that experience, but that would be ignoring the reality for most people. Fortunately for Microsoft, MS has decided to listen to the huge amount of complaints and get rid of the problematic interface.

I've always wondered what the win8/8.1 supporters would have MS do about the situation. Tell the vast majority of "unserious" users to suck it up, shut up, and use Win8? No change is necessary, you just have to get serious about using it? I'm asking because I don't understand the point of view of win8 supporters.

BTW, I really do think that there are MS fanbois out there. Not trying to be insulting or anything, just something that seems to be a new trend. Peace.

I'm not dismissing their experience (if any), just pointing out that it's not the whole story. I like Windows 8/8.1 a lot, but I'm still using Windows 7 on my desktop....

My point is that there is no discontinuity between lots of people loving Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it -- or, more often, hating the idea of it -- on non-touch machines.

So, the solution is to retain the best parts of Windows 8 on touch-based devices while making it more usable on non-touch devices. Which is what Microsoft is doing.

Either way, you'll note that Windows 7 Pro is still available from Microsoft as a current product, and that it will be supported until 2020.

"I'm not dismissing their experience (if any)"

Does that mean if someone doesn't like Win8, they don't have any experience? Or they're not serious? Sounds like an insulting dig at people you don't agree with.

"My point is that there is no discontinuity between lots of people loving Windows 8 on touch-based 2-in-1s and tablets and lots of people hating it -- or, more often, hating the idea of it -- on non-touch machines."

??? Not sure what you're trying to say here.

"Windows 7 Pro is still available from Microsoft as a current product"

Good news if you don't want Win8 on your laptop/desktop. I guess you'll have peace when Windows 10 comes out, and you don't have to hear any negative comments about Windows 8.

> Sounds like an insulting dig at people you don't agree with.

Yes, I shouldn't insult people just because they're ignorant and can't be bothered to learn how to use Windows 8, which in my experience, is predominantly the case.

It's certainly usable on desktops etc without touch screens, but it's suboptimal on those systems, which is why I don't load it on them. That doesn't mean I can't use it and appreciate its qualities on touch-screen PCs.

I shelled out money for a 8.1 license.


CP/M (circa 1974) had a command line prompt like this: "C>"

Windows (circa 2014) has a command line prompt like this: "C:>"

Basically the same after 40 years. Forty ... years. Same old totally obsolete "drive letter" file system architecture.

Although the comparison is to be obviously taken with a grain of salt, it is clear to old-timers like me that Windows has been ultra-conservative with advanced software technologies (modular filesystems, ZFS, etc...) and this has hurt tremendously the evolution of OS software "for the masses".

It does not require a big leap of faith to believe that we could have had a far more advanced <consumer> OS if Windows had not existed.

Quite a pity.

Don't get too hung up on the drive letter. It's a bit like saying UNIX is out of date because everything starts as '/'. Besides, the Windows filesystem is actually modular under the covers. https://msdn.microsoft.com/en-us/library/windows/hardware/dn... And Windows CE is (mostly) source-compatible and has no drive letters.

You can have filesystem drivers, filesystem filter drivers, and pseudo-filesystems. It's just that the documentation is buried in the DDK. And there isn't a "community" of users for Windows in the way there is for Open Source.

To the extent Microsoft keeps giving us fun things to play with, we will see more and more hackers doing fun things with Microsoft.

That's the cool thing, we don't really have a huge attachment or loyalty over any reasonable time frame. We use the best tools for the job. There's plenty of room for Microsoft to start providing incredible value to its developers.

I'm looking forward to containers on Windows. I'm looking forward to faster upgrades and better package management. I'm looking forward to seeing the best they can do. There's a lot of talent in there somewhere, I hope they let us see it.

This is my biggest difficulty with *nix. With drive letters, I know for a fact that Windows is installed on C: and I can format all the other volumes. But in what volume is the system installed on a *nix?

You don't have to justify that comment to me. I have used Windows since it was a 286-PM DOS program serving as a proof-of-concept, through present. I am so unimpressed with their technical management of a product that should have been mature more than a decade ago.

Your invective dismisses your analysis as always subjective.

Considering Microsoft doesn't seem to fix some bugs even within 3 months of finding out about them (see the Project Zero vs Microsoft case), and that Microsoft's policy is to first notify the NSA and other government agencies about bugs in Windows before it gets a chance to fix them, then hell yes it's being exploited.


They love the taste of boot leather. What can I say.

This doesn't "bypass all Windows security measures". As of Windows 8, processes can disable win32k syscalls using SetProcessMitigationPolicy with ProcessSystemCallDisablePolicy.
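As an added illustration of the mitigation named in this comment and compared with seccomp further down the thread (this is not code from the article, from Chromium or from any commenter), the C below shows the two ways a process ends up with win32k system calls disabled: in-process via SetProcessMitigationPolicy, and from a broker via a PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute on the child, which is the pattern a sandboxed renderer relies on. Only the flag-word helpers build on a non-Windows host; the Windows-only functions are compiled out there. The command line passed to the spawn helper is a placeholder.

```c
/* Added example: opting a process out of win32k.sys system calls.
 * Not taken from the linked article or from Chromium; it uses only the
 * documented Win32 API (Windows 8+). Windows-only parts sit under _WIN32. */
#include <stdint.h>
#include <string.h>

/* PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY.Flags bit layout:
 * bit 0 = DisallowWin32kSystemCalls, bit 1 = AuditDisallowWin32kSystemCalls
 * (audit mode, Windows 10: log the call instead of blocking it). */
uint32_t win32k_policy_flags(int disallow, int audit_only)
{
    uint32_t flags = 0;
    if (disallow)   flags |= 0x1u;
    if (audit_only) flags |= 0x2u;
    return flags;
}

/* Mitigation word for PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY:
 * PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON
 * is (1 << 28) in the 64-bit policy word. */
uint64_t child_mitigation_word(void)
{
    return (uint64_t)1 << 28;
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0602
#include <windows.h>

/* In-process lockdown. The policy cannot be cleared once set, so call this
 * only after every user32/gdi32 dependency (windows, MessageBox, fonts)
 * is finished with. Returns 0 on success, otherwise a Win32 error code. */
int lock_down_win32k(void)
{
    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY pol;
    memset(&pol, 0, sizeof pol);
    pol.DisallowWin32kSystemCalls = 1;
    if (!SetProcessMitigationPolicy(ProcessSystemCallDisablePolicy, &pol, sizeof pol))
        return (int)GetLastError();

    /* Read it back: a policy that was silently not applied is worse than none. */
    memset(&pol, 0, sizeof pol);
    if (!GetProcessMitigationPolicy(GetCurrentProcess(),
                                    ProcessSystemCallDisablePolicy, &pol, sizeof pol))
        return (int)GetLastError();
    return pol.DisallowWin32kSystemCalls ? 0 : -1;
}

/* Broker-side lockdown: the child starts with win32k already off, so there is
 * no window in which it can reach the GUI subsystem. cmdline is a placeholder
 * for whatever sandboxed worker the caller wants to run. */
int spawn_win32k_locked_down(wchar_t *cmdline)
{
    SIZE_T size = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);   /* sizing call */
    LPPROC_THREAD_ATTRIBUTE_LIST attrs =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (!attrs || !InitializeProcThreadAttributeList(attrs, 1, 0, &size))
        return -1;

    DWORD64 policy = child_mitigation_word();
    int rc = -1;
    if (UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                                  &policy, sizeof policy, NULL, NULL)) {
        STARTUPINFOEXW si;
        PROCESS_INFORMATION pi;
        memset(&si, 0, sizeof si);
        si.StartupInfo.cb = sizeof si;
        si.lpAttributeList = attrs;
        if (CreateProcessW(NULL, cmdline, NULL, NULL, FALSE,
                           EXTENDED_STARTUPINFO_PRESENT, NULL, NULL,
                           &si.StartupInfo, &pi)) {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            rc = 0;
        } else {
            rc = (int)GetLastError();
        }
    }
    DeleteProcThreadAttributeList(attrs);
    HeapFree(GetProcessHeap(), 0, attrs);
    return rc;
}
#endif
```

The read-back in lock_down_win32k is the check a practitioner wants: a process that believes it is locked down but is not is exactly the kind that ends up calling into the scrollbar code the article exploits. The broker route is the one to prefer for sandboxes, because the child never has a chance to initialise GUI state before the policy takes effect.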


Is ProcessSystemCallDisablePolicy somehow similar to seccomp on Linux? I understand that seccomp allows to selectively allow/disallow individual system calls while this disallows all win32k calls. But I don't know how similar these features are in the security impact.

Apparently, chromium - which uses seccomp on linux - uses ProcessSystemCallDisablePolicy on windows: https://src.chromium.org/chrome/branches/1312/src/sandbox/wi...

They're comparable features. In both cases, a simple but hardened filter is placed in front of some part of the kernel attack surface. Vulnerable processes (e.g. renderers) opt in to these protections so that, in the event of compromise, they're less likely to be vectors for a successful escalation of privilege attack against the kernel syscall interface.

How do they find exploits like this? Do they check every single kernel functions for unchecked pointers? Do they have some automated way to discover this?

On figure 4 the legend says that static code analysis made it possible to discover the chain of calls.

How many billions are MS making from Windows? Why aren't they doing that static analysis??

Maybe they are and this was already documented internally, but potentially marked as a low threat, but now that it was found outside of Microsoft it's a bigger problem? I'm just spitballing here, one would have to assume that Microsoft is doing static code analysis.

OK, but it wasn't found before the current OS cycle presumably because one would imagine they'd fix it ... ha-ha!

So it either wasn't found or they found it and continued to bake it in to the OS nonetheless. Which is better?

> This particular vulnerability appears in the GUI component of Microsoft Windows Kernel

There's your problem right there.

Are you saying that Microsoft are incapable of releasing a decent product or a stable API? If so, you'd be wrong on the second count, and I'd say the first too but then argument would ensue.

The Windows API and all related systems are stable and mature.

And I'm saying this as an OSX user.

> Are you saying that Microsoft are incapable of releasing a decent product or a stable API?

No, I'm saying that implementing scrollbar handling in the kernel is a bad idea. It's not something which requires privileged system access, and thus should be done in user mode where bugs like this won't lead to privilege escalation.

But everything in the OS will use a scrollbar, so put it in the kernel, right? :-) Only kidding.

I think OSX got around this problem by removing scrollbars haha only kidding

You make an excellent point, sorry to misunderstand your original post.

How many of those new protections listed (DEP, ASLR, page 0 mapping) are still useful with a system like Rust? Cause it seems like a hell of a lot of effort is going into hardening the environment cause the code is just that leaky, but I'm probably misunderstanding something.

Theoretically if you had a kernel written in Rust, I suppose you could implement the system call interface such that all pointers passed to the kernel from user space would be considered "borrowed" under the Rust type system, and then have all your "return to user space" mechanisms recognised by the compiler as terminating their lifetime.

I'm not sure if that's enough though, considering that, in general, the kernel can't assume anything passed to it by reference via a system call isn't mutated by another userland thread. Furthermore, even if everything were written in Rust, the kernel can't just trust that a userland process was actually compiled in a way that faithfully employed Rusts compile-time safety guarantees... so I think any notion of shared garbage collection is tricky without a program loader that did code verification.

Microsoft have done some work in this area with their Singularity and Midori projects[0]. Singularity in particular eliminates hardware isolation between processes.

I think the simple answer here is that the kernel should be copying anything passed to it by reference if it intends to do anything beyond a single atomic read operation. This is why, on Linux for instance, send() can't return to user space until the data has been copied in to kernel controlled memory, and why we have nice things like splice() and sendfile() to deal with the performance hit of doing so for common cases.

[0] https://en.wikipedia.org/wiki/Midori_%28operating_system%29
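The two comments above make the same point from both ends: a user thread can mutate memory between two kernel reads of it, so the kernel has to copy once and validate the copy. The C below is an added example (not from the article or any commenter) of that double-fetch race beside the single-copy fix. User memory and the racing thread are simulated in-process so it runs on any host; struct and buffer names are invented for the demo and the payload is constructed.

```c
/* Added example (not from the article or any commenter): copy-then-validate
 * versus validate-then-re-read at a syscall boundary. User memory and the
 * racing user thread are simulated in-process; names and sizes are invented. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KBUF_SIZE 16

/* Request as it sits in (simulated) user memory: a length plus payload. */
struct user_req {
    uint32_t len;
    uint8_t  data[64];
};

static struct user_req g_user;          /* the "user page" */
static int g_fetches;                   /* how many times the kernel looked */

/* Every kernel read of user memory goes through here. Between any two reads
 * another user thread may run; that is modelled by a hook on the 2nd read. */
static const struct user_req *fetch_user(void)
{
    if (++g_fetches == 2)
        g_user.len = sizeof g_user.data;   /* racer: grow len after the check */
    return &g_user;
}

/* VULNERABLE: the length is validated on one fetch and used on another. */
int handler_double_fetch(uint8_t *kbuf, size_t kbuf_size)
{
    if (fetch_user()->len > kbuf_size)       /* fetch #1: check */
        return -1;
    const struct user_req *u = fetch_user(); /* fetch #2: use; len may differ */
    memcpy(kbuf, u->data, u->len);           /* overruns kbuf under the race */
    return (int)u->len;
}

/* SAFE: one copy into kernel-owned memory; every later decision uses the
 * copy, which no user thread can touch. */
int handler_single_copy(uint8_t *kbuf, size_t kbuf_size)
{
    struct user_req local;
    memcpy(&local, fetch_user(), sizeof local);   /* the only fetch */
    if (local.len > kbuf_size)
        return -1;
    memcpy(kbuf, local.data, local.len);
    return (int)local.len;
}

/* Drive one request through a handler. kbuf is followed by guard bytes
 * standing in for whatever the kernel keeps next to it in memory.
 * Returns 1 if the guard survived, 0 if the handler overran kbuf. */
int run_scenario(int use_single_copy)
{
    struct { uint8_t kbuf[KBUF_SIZE]; uint8_t guard[sizeof g_user.data]; } k;
    int (*handler)(uint8_t *, size_t) =
        use_single_copy ? handler_single_copy : handler_double_fetch;

    memset(k.kbuf, 0, sizeof k.kbuf);
    memset(k.guard, 0xAA, sizeof k.guard);
    memset(&g_user, 'A', sizeof g_user);   /* constructed payload */
    g_user.len = 8;                        /* honest length at check time */
    g_fetches = 0;

    handler(k.kbuf, KBUF_SIZE);
    for (size_t i = 0; i < sizeof k.guard; i++)
        if (k.guard[i] != 0xAA)
            return 0;
    return 1;
}
```

run_scenario(0) reports the guard clobbered and run_scenario(1) reports it intact. The fix costs one extra copy of a small header, which is the trade the send()/splice() remark above is about: pay the copy for correctness on the common path, and add zero-copy interfaces only where the cost is measured.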

Removing hardware isolation in general is not a good idea. There are enough hardware errors to cause problems. You don't want a bitflip to cause everything on your server to become corrupted. (Bitflips can be reduced by using ECC ram. But still, the principle remains.) (Worse: you don't want someone to be able to take over your entire physical server from one of the virtual servers)

One option would be for the kernel to temporarily mark the page(s) referenced as read-only, and do copy-on-write where necessary. This would prevent the (presumably) common case of not having the page modified by another thread while the kernel processes the data to not incur the delay of copying the data. Might only be worth it for larger amounts of data, though.

None of these protections is 100% reliable; they make exploiting harder, but they often don't make it impossible.

Rust is memory-safe so assuming the rust implementation is correct, it should never lead to executing user data. OTOH there have been plenty of e.g. JVM exploits over the years, which were mitigated by DEP, and the JVM offers the same kind of safety guarantees.

All of those are band aids that wouldn't be needed in first place if the world had adopted something like Modula-2 (just a possible example) instead of copying UNIX and bringing C along for the ride.

Rust would help as long as unsafe code blocks aren't exposed to the outside world. Which still seems a bit hard to accomplish, as many Github projects suffer from unsafe overdose.

However, even memory safe languages suffer from logical errors.

GM once used an in-house version of Modula-2 for its embedded controllers [1]. I wonder if they regret the switch to C in light of all the bad press about remote vulnerabilities[2][3]. It sounds like the biggest problem is that features are exposed without any protection, though.

[1] https://en.wikipedia.org/wiki/Modula-2#Modula-GM

[2] http://www.cbsnews.com/news/car-hacked-on-60-minutes/

[3] http://www.caranddriver.com/features/can-your-car-be-hacked-...

The dead code comment at the end was informative. Does anyone else use code analysis of C/C++ to find dead stores etc.?

I have used flawfinder, cppcheck and Xcode (clang's) analysis which has helped me find issues.

> After some hard word, however, we managed to produce a fully working exploit which we’ll describe.

Wait, now I'm confused... was it a single bit, or an entire word that triggers this bug? ;)

I'm sorry, wait... they hacked it through the scroll-bars? You can't make this shit up.

Remove those unnecessary lines of code and you will be surprised how the security holes close by themselves.
