InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Community //  Opinions //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Welcome, new admin

YOU KNOW HOW to set up Windows 2000 and XP workstations so that users must log on with passwords and they can't administer other users or your network. It's easy, right?

Wrong. The basic design of the Win32 architecture, going back to 1993, has enough built-in weaknesses to allow anyone with guest privileges to gain full admin rights.

The problem, in a nutshell, is that Windows allows applications to give themselves higher privileges than the current user of the PC enjoys. These are known as "interactive services." If a user gets such an app to run a command that requires system privileges, well, hello, new admin.

Microsoft has long advised outside companies not to take advantage of interactive services. But Windows undoubtedly includes such capabilities because Microsoft developers wanted them.

An example is the Still Image Service, a Windows 2000 program that runs automatically when you plug in a scanner, camera, or similar device.

In September 2000, Microsoft acknowledged that an ordinary user of a Windows 2000 machine could use this service "to assume any desired level of privilege." The resulting admin rights might not be limited to the hacked PC. As Microsoft said at the time, "It's unlikely, but not impossible, that the malicious user could extend control to the rest of the network" (see http://www.microsoft.com/technet/security/bulletin/MS00-065.asp).

Microsoft eliminated its program's problem in Windows 2000 Service Pack 2. But now it turns out that you're at risk in a lot of other ways.

Chris Paget, a consultant who goes by the handle Foon, has published a paper showing that numerous apps allow users to gain admin privileges. For example, with fairly simple utilities, he can use Network Associates' VirusScan 4.5.1 to grab system rights. (His paper is making waves because pros disagree on how far the hole goes. Please read http://online.securityfocus.com/archive/1/286185/2002-08-25/2002-08-31/1.)

VirusScan spokesman Ryan McGee says, "This flaw could be exploited to cause serious damage, so we have to take it seriously, and we do."

Many apps allow this instant-admin trick, even by remote access. "Clearly this is a serious design flaw in Windows that violates basic security principles," says privacy expert Richard Smith, the proprietor of ComputerBytesMan.com. "It seems any corporation with Windows NT/2K/XP boxes set up with multiple users needs to be concerned."

In the future, Microsoft could stop ordinary users from communicating with processes that have high privileges. But this would hose so many apps that it apparently won't be done.

Microsoft's director of security assurance, Steve Lipner, says, "We are aggressively addressing this issue." If the problem can be patched without breaking apps, he said, Microsoft will do it. But, he added, "If this is strictly a matter of third parties using the API in a way that is counter to our recommendations, and there was nothing we could do, we'd call it a day and walk away."




RELATED ARTICLES

Windows flaw could be used to forge digital signatures
Microsoft says found security flaw in Windows


RELATED SUBJECTS

Security
Networking

Click here for all of Brian Livingston's past columns.
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Community //  Opinions //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Learn to secure your PCs from new and unknown hacker attacks.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.
Protect Your Data: Get your FREE Enterprise Backup Intelligence Kit from ADIC.
New HP digital projectors — click now for limited-time introductory offers.
SeeBeyond Webinar - Topic: UCCnet, Thurs., 9/26/02 , 8-9 am PST

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine
Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2002 InfoWorld Media Group, Inc.