[HN Gopher] Windows 0day privilege escalation still not fixed ___________________________________________________________________ Author : zaltekk Score : 255 points Date : 2020-12-23 17:09 UTC web link (bugs.chromium.org) | etiam wrote: | It may seem pedantic, but since this vulnerability has been publicly | known for months now, and furthermore has been exploited in | the wild (according to the description in the target article), is it | not per definition _not_ a 0day? | kjaftaedi wrote: | The reason it is considered a 0day is _because_ it is being | exploited in the wild. | | This wasn't discovered by a security researcher looking for | holes. This was discovered by a virus scanning company that | realized people were actively being attacked using this method. | saagarjha wrote: | It _was_ a 0-day at that point. Right now it is a 90-day. | albntomat0 wrote: | Only to Project Zero and Microsoft. | | Everyone else has known about it for exactly 2 hours. | saagarjha wrote: | Days are counted by how long a vendor has known about a | bug, not the general public. | albntomat0 wrote: | My understanding of the term is days are counted in the | view of "the defender," which is more than Microsoft | saagarjha wrote: | Microsoft would always be the first of the defenders to | know; any other defender would just tell them. It | then makes sense to count from there, rather than have | multiple counts for each level of people learning of the | vulnerability. | albntomat0 wrote: | I think your argument makes sense when the day counts are | close to each other. There really isn't any difference | between a 55-day and a 57-day, nor does it make sense to | account for some sysadmin who took a vacation day.
| | I still think that your usage of "0-day" breaks down | precisely in the case we're in currently, where the | vulnerability has been exploited in the wild and | Microsoft has known about it for some time, but there is | not a patch available, and the general public (everyone | who has to defend against the exploit) found out about it | today. | luch wrote: | Not exactly, historically days are counted by how long ago | the editor provided a patch fixing the bug, as in | "you [the sysadmin] had X days to apply the bugfix". | | 0day means no patch is available, whether the | vulnerability is known privately/publicly or not | saagarjha wrote: | If you (the public) learn of the exploit at the same time | as the vendor, then it is still a 0-day. You can | construct a definition where it is "a zero day to you, | the sysadmin" but that would really make it difficult to | pick a single day to measure from. For this reason the | most useful definition would be to measure from the | defender with the earliest knowledge, which would be the | vendor. | dmix wrote: | This seems to be a phrase that is a matter of | perspective. I always see people trying to nail down a | meaning but it always seems to have little effect in day to | day discourse. | | I'm a fan of letting context infer meaning. And letting | certain words just naturally grow to whatever the culture | wants them to. It's always hard to fight back against it. | | There are a million examples of this on the internet where | people try to be pedantic about slang or word usage. All | that matters is "we know what you mean". I like to assume | enough people here know what the _real_ difference between zero days | and existing vulnerabilities is. But in practice it | matters less. | tinus_hn wrote: | Not if the definition is 'a known security issue with no patch' | qeternity wrote: | Which it isn't... | qeternity wrote: | It seems that 0d has since become a synonym by some for | unpatched exploit.
| Scuds wrote: | It feels l33t to appropriate the terminology of a | professional - | | like "We need to control the optics of the situation" | | "I flashed my cellphone but it failed and now it's bricked." | | but the unsophisticated public gets it wrong and now here we | are, every recent unpatched exploit is now 0day | segfaultbuserr wrote: | > _I flashed my cellphone but it failed and now it's | bricked._ | | It doesn't sound wrong to me, both "flash" and "brick" are | correct in an appropriate context. It's not "updating the | system" but "flashing" if the process uses some low-level | recovery mode, and it would be "bricked" if it can no longer | be recovered by usual means. | gruez wrote: | Most of the time "flashing" a phone (presumably referring | to Androids) involves using the recovery, which is | basically a stripped down version of Android. In that | sense it's not any lower level than booting off a USB | drive to fix your computer. | segfaultbuserr wrote: | According to your standard: to "flash" something, at | least you need to use the bootloader itself, or possibly | at a lower level? Well, calling the process of uploading | a firmware image to an embedded device during early boot | via U-Boot "firmware flashing" is well established, so | we can start from here... thus, uploading a new Android | image in _Android Recovery_ is not "flashing", but | uploading a "recovery" image in Android bootloader is? | Now, would you call firmware uploading via iOS's DFU mode | "flashing" too? Or do you believe that the DFU mode is | end-user accessible, thus not low-level enough? Then, | would you accept that uploading the firmware to the | baseband processor (which I believe uses its own EEPROM) | via DFU "flashing"? | | I guess the definition varies, that is what I meant by "an | appropriate context". | gruez wrote: | >thus, uploading a new Android image in Android Recovery | is not "flashing", but uploading a "recovery" image in | Android bootloader is?
Now, would you call firmware | uploading via iOS's DFU mode "flashing" too? Or do you | believe that the DFU mode is end-user accessible, thus | not low-level enough? Then, would you accept that | uploading the firmware to the baseband processor (which I | believe uses its own EEPROM) via DFU "flashing"? | | The difference is that the recovery is almost a full | blown operating system. It can mount filesystems, has | various shell utilities installed, and there's a user | interface (through ADB and on-screen). This in contrast | to fastboot which has none of those things, and only | allows you to flash/erase partitions with the help of a | computer. | segfaultbuserr wrote: | Fair enough. | d33 wrote: | What's wrong with the second example? | vmception wrote: | Now using the concept of language, what distinction does that | give you? What message does that convey to _anyone_ better? | | 0-day versus "publicly disclosed unpatched vulnerability" | doesn't help anyway | mindslight wrote: | "0-day ... still not fixed" makes it sound like someone is | expecting Microsoft to have created a patch for a new exploit | with same day turnaround. And therefore what's the big deal | that they haven't? | | If you want to use the "day" framing, the appropriate | headline is "90-day exploit still not fixed". The entire | point is that it's an old exploit that is still unpatched, | and _not_ some new discovery. | albntomat0 wrote: | It was an 0-day at one point in time though. Unless you're the | one using it, an exploit is only ever an 0-day in the past. | | An alternative title could include "actively used" or similar | to maybe be more clear. | cortesoft wrote: | So then every exploit is a zero day? | verroq wrote: | They all begin as a zero day. | tremon wrote: | Not true, some exploits are written by examining the | holes fixed by a vendor security patch, then writing an | exploit to target the systems that haven't been patched | yet. Those are not zero-day exploits.
| albntomat0 wrote: | Every one that is initially found and used by an attacker, | up until it is detected. | | The exploit was a 0-day at one point in time. Furthermore, | I'd argue that the perspective of the one talking also | matters. If Microsoft etc know about it, but haven't | patched it or made anything public, it's definitely a 0-day | if used against me, as I haven't had any opportunity to | defend against it. | Jare wrote: | > 2020-12-03 Microsoft advises that due to issues identified in | testing, the fix will now slip to January 2021. | | > 2020-12-08 Meeting between MSRC and Project Zero leadership to | determine details and discuss next steps. The 14-day grace period | is unavailable as Microsoft do not plan to patch this issue | before Jan 6 (next patch Tuesday is Jan 12). | | > 2020-12-23 90 day deadline exceeded - derestricting issue. | | Ouch. With xmas in the middle of the grace period, I could see how | this can be considered too strict on P0's part. Then again, the | initial bad fix surely harmed whatever trust there was between | the parties. | hackcasual wrote: | It's being actively exploited, so frankly a 14 day grace is the | best MS can hope for | corty wrote: | Any grace period for actively exploited bugs is | irresponsible. Stuff that the bad guys use needs to be public | asap. | ta1272814 wrote: | Issues like these, the massive hack of the US government, etc. | | Taken together these things feel like the death knell of Wintel. | geofft wrote: | Not being super familiar with Windows, is an escalation from "low | privilege" to "medium privilege" actually concerning in practice? | | (e.g., could this be used for something like breaking out of a Chrome | sandbox?) | tonyedgecombe wrote: | The print spooler runs under the local system account so you | effectively get admin rights over the local machine. If it's a | terminal server then you control the server. | | Not sure about Chrome though.
| gruez wrote: | https://chromium.googlesource.com/chromium/src/+/master/docs... | | >Integrity levels are available on Windows Vista and later | versions. They don't define a security boundary in the strict | sense, but they do provide a form of mandatory access control | (MAC) and act as the basis of Microsoft's Internet Explorer | sandbox. | | And yes, chrome uses it as a sandbox. | ChrisSD wrote: | To be clear, Chrome uses it as part of a "defense-in-depth" | strategy, but its sandbox does not rely on it. From your | link: | | > So, the integrity level is a bit redundant with the other | measures, but it can be seen as an additional degree of | defense-in-depth, and its use has no visible impact on | performance or resource usage. | zaltekk wrote: | > In May, Kaspersky (@oct0xor) discovered CVE-2020-0986 in | Windows splwow64 was exploited itw as a 0day. Microsoft released | a patch in June, but that patch didn't fix the vuln. After | reporting that bad fix in Sept under a 90day deadline, it's still | not fixed. | | https://twitter.com/maddiestone/status/1341781305126612995 | sedatk wrote: | > 2020-12-03 Microsoft advises that due to issues identified in | testing, the fix will now slip to January 2021. | zaltekk wrote: | More details on the original bug: | | https://securelist.com/operation-powerfall-cve-2020-0986-and... | intricatedetail wrote: | That's why I don't use Windows for work. It's not a system for | professionals. As usual with Microsoft - smoke and mirrors and | money is what matters the most. | app4soft wrote: | This is a feature, not a bug. | high_density wrote: | just wondering... is there any defense normies like me can do? | e.g. turn some windows feature off? | xeeeeeeeeeeenu wrote: | It isn't exploitable remotely, so just don't run shady | software. | andrewxdiamond wrote: | Install a better OS | colejohnson66 wrote: | That's not a very helpful comment.
Not everyone has a choice | in what OS they use (especially if it's at work) | corty wrote: | At work, when windows is corporate policy, you do not need | to care about exploits. It is literally other peoples' | problem. | annoyingnoob wrote: | It's a problem for _someone_ and knowing about any | mitigation is helpful. | corty wrote: | OK, yes, if you are the IT dept, you are on the hook. At | least if you are the ones who picked windows. But maybe | you didn't and strategically protested the directive to | use windows that came from up above. Then again, you | don't really have to care, not your problem... | colejohnson66 wrote: | _It is your problem_ because IT's job is to _prevent_ | this stuff from happening. It doesn't matter if the order | came down from above, you need to do what you can to | mitigate damage. | corty wrote: | There is a world of difference between "job" (try to do | it properly) and "responsibility" (you are on the hook if | things go wrong). If the order came from above and you | pointed out the problems, it might still be your job. But | not your responsibility. | annoyingnoob wrote: | You don't personally care so the rest of us should not | care either? You think it's someone else's problem, so | hide the solution from everyone? | corty wrote: | You buy support contracts and software from Microsoft so | you don't have to care. If Microsoft fails like in this | case, you just shouldn't give them money. In all cases, | no need to ask anyone but Microsoft for a workaround or | other info. | annoyingnoob wrote: | Why even bother reading anything on this site or | commenting here when you can always just go to the source | or manufacturer? Obviously, you have all of the answers | anyway. It's clear no one here has anything to offer you. | The rest of us however find value in understanding the | experiences of others. | high_density wrote: | hm... do you mean linux-based? can't... Korean banks have | activeX + other crap requirements.
(they even detect VMs in | linux) | | also, linux can't run apps like photoshop / adobe cc apps / | etc | | as for mac... I'm waiting for an M2 macbook pro 16 inch with | RTX 3090 graphics for about $1500... | jjuhl wrote: | "also, linux can't run apps like photoshop / adobe cc apps | / etc" - seem to run pretty well under Wine most of the | time... | _underfl0w_ wrote: | I haven't been able to get PS running in Wine since the | 2017 CC release (and that required some hackery). | | Are you aware of a way to get recent releases working | aside from QEMU or KVM? | TavsiE9s wrote: | That's not a very helpful comment and highly subjective. | Depending on their requirements and needs a different OS | might not even be feasible. | willcipriano wrote: | Pihole with the right block list can prevent known malicious | software from hitting its command and control endpoints. | | They can always use DOH but you can block DOH domains via the | Pihole as well. | uponcoffee wrote: | It's pretty easy to hardcode IPs of doh resolvers and bypass | pihole completely. | acdha wrote: | There's considerable precedent for seeding IP lists or | using stealthy tactics (e.g. imagine how it'd be trying to | block something which searches Google or Twitter, hits a | random ad network). | willcipriano wrote: | Fair enough. On the other hand it can also prevent users | from stumbling upon malware distribution sites by both | blocking them directly and secondly blocking | advertisements that often link to malware. | | All of this of course is part of defense in depth, | multiple layers of incomplete protection is better than | nothing at all. | acdha wrote: | Oh definitely, I'm not saying that there's _no_ benefit | -- the key point is the distinction between something | which you control to something you don't.
DNS filtering | is good for clients you control but it's important to | understand that you can't force malware to use it to | avoid accidentally thinking that you're protected against | other threats (which I've heard various times from people | who should know better but weren't thinking about it | carefully in-depth at the time). | AnIdiotOnTheNet wrote: | Aside from using IPs directly, modern malware often uses an | algorithm to generate domain names for C&C communication. | Good luck trying to use a domain whitelist on the modern | internet because web developers seem to actively fight against | such a concept as not using every domain they possibly can. | high_density wrote: | isn't PiHole some kind of external firewall? that works 90% | of the average-joe known botnets against a desktop PC, but | it's not helpful for laptops / unknown-control endpoints. (or | endpoints that are really good at hiding) | benglish11 wrote: | PiHole is a network wide ad blocker that works at the DNS | level. Basically you route all of your network's DNS | requests through PiHole and it blocks any domains that are | known ad/malware domains. | david_perason wrote: | Why would you not just modify your hosts file on your | machine? Do you really need a raspberry pi for this? | duckmysick wrote: | Sometimes you don't have access to the hosts file, like | on an unrooted phone or a smart TV. | tinus_hn wrote: | No, it's a DNS server with blacklisting features. It can't | block traffic, it can only prevent some software from | looking up addresses. | dspillett wrote: | You can use PiHole or one of the many equivalents on a | laptop or other location shifting device in a few ways: | | 1. Run it locally and have it configured to use a public | name server as its source (if you run Windows/other there | are no doubt native options that'll work this way too). | Even if the network you connect to redirects requests to | public DNS resolvers you'll still be going through your | local filter.
Though you'll need to set your machine to | ignore DNS config via DHCP, and you'll have to point it at | the local resolvers if the network simply blocks public DNS | servers. | | 2. Run it in a VM or container, this would mean you can run | PiHole specifically even if you are running Windows, and | configure as above. Memory requirements are pretty low so | unless you are using a very low spec device it should fit. | | 3. If you have a hosted server (you can get a VPS big | enough for PiHole for a few $/year) or a publicly | addressable address at home, you can run a VPN and access | it that way (assuming the network you are on does not block | your VPN of choice of course). You don't have to run a VPN, | but I'd not recommend running a publicly addressable DNS | server. This will even work on phones depending on the OS | there and the chosen VPN. | | Of course these are not viable options for a less techie | user. | ffpip wrote: | What is the point of disclosing it if it is not fixed? I | understand it is to put pressure and likeness, but doesn't it | cause more harm than good? | | Windows is very popular. | gene91 wrote: | It is in the public's best interest to demand a timely fix | because you never really know whether bad actors know about it. | A demand has no teeth, therefore you have to make a threat (fix | in 90 days, or we disclose publicly). A threat is only good if | you have a track record of delivering on it without exceptions. | Therefore, it isn't an option to not disclose it at 90 days. | albntomat0 wrote: | A while ago, responsibly disclosed bugs took an extraordinarily | long time to be patched. Disclosure deadlines ensure things are | patched in a responsive manner. They only work though when the | reporter actually follows through if the deadline is missed | (and has standing & legal protection to execute like the | Project Zero folks).
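Added example, not code from this thread or from the Pi-hole project: a small Python model of a DNS-level blocklist of the kind Pi-hole implements, run over constructed sample traffic, to make concrete the two limits raised in the Pi-hole discussion above: a client that hardcodes a DoH resolver's IP and never asks the local resolver, and C2 domains generated by an algorithm that no blocklist contains. The blocklist entries, the resolver IP set, the sample flows and the DGA heuristic thresholds are all constructed or assumed for illustration, not values from Pi-hole or any vendor.

```python
# Added example (not from the HN thread or the Pi-hole project).
# Models a Pi-hole-style DNS blocklist over constructed sample traffic and
# shows what it catches and what it structurally cannot see.
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist in the style of a hosts-file feed (exact names).
BLOCKLIST = {"evil-c2.example", "ads.tracker.example"}

# Assumption: addresses of public DNS-over-HTTPS resolvers that a client
# might hardcode so that it never consults the local (filtering) resolver.
DOH_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

VERDICT_BLOCKED = "blocked"
VERDICT_ALLOWED = "allowed"
VERDICT_SUSPECT = "allowed-suspect-dga"
VERDICT_DOH = "bypass-doh-hardcoded-ip"
VERDICT_DIRECT = "bypass-direct-ip"


@dataclass(frozen=True)
class Flow:
    """One observed event: a DNS query for `target` (a name) or a TCP
    connect to `target` (an IP literal) on `port`."""
    kind: str          # "dns" or "connect"
    target: str
    port: int = 0


def is_blocked(name, blocklist=BLOCKLIST):
    """True if `name` or any parent domain is on the blocklist.
    Subdomain matching is assumed here so beacon.evil-c2.example is caught."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic: a long, high-entropy leftmost label.
    Thresholds are assumptions chosen for this example."""
    label = name.lower().split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def classify(flow):
    """Verdict for one flow as seen from a DNS-only filter."""
    if flow.kind == "dns":
        if is_blocked(flow.target):
            return VERDICT_BLOCKED
        if looks_generated(flow.target):
            return VERDICT_SUSPECT      # flagged, but nothing stops it
        return VERDICT_ALLOWED
    # A direct connection to an IP literal never touches the resolver,
    # so a DNS blocklist cannot see it, let alone block it.
    ip = ipaddress.ip_address(flow.target)
    if str(ip) in DOH_RESOLVER_IPS and flow.port == 443:
        return VERDICT_DOH
    return VERDICT_DIRECT


def filter_traffic(flows):
    """Pair each flow with its verdict, preserving order."""
    return [(f, classify(f)) for f in flows]


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("dns", "ads.tracker.example"),
    Flow("dns", "beacon.evil-c2.example"),
    Flow("dns", "news.example"),
    Flow("dns", "xk3jq9vbz7lmwp4.example"),   # DGA-like, on no list
    Flow("connect", "1.1.1.1", 443),          # DoH: resolver never asked
    Flow("connect", "203.0.113.7", 8443),     # hardcoded C2 address
]

if __name__ == "__main__":
    for flow, verdict in filter_traffic(SAMPLE_FLOWS):
        print(f"{flow.kind:8} {flow.target:26} {verdict}")
```

Run it directly to get one verdict per flow. The point is in the last two rows: the `connect` flows never produce a DNS query, so the filter has nothing to decide on, and the DGA-like name is at best flagged by a heuristic rather than blocked, which is why the thread treats DNS filtering as one layer among several rather than as a control on its own.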
| TheDong wrote: | Historically, vendors often refused to allocate time to patch | things for anywhere from months to years. | | Leaving vulnerabilities in products for an extended period of | time is a problem, and adding a deadline helps to ensure that | important security issues actually do get triaged and | addressed. | | As a recent project zero blog post about their policy calls out | (https://googleprojectzero.blogspot.com/2020/01/policy-and- | di...) "We've seen some big improvements to how quickly vendors | patch serious vulnerabilities, and now 97.7% of our | vulnerability reports are fixed within our 90 day disclosure | policy." | | It sounds like it's working as intended. The only way you can | make it actually work is to make sure it has some teeth though, | hence you have to actually disclose when you say you will. | | > doesn't it cause more harm than good? | | Microsoft is harming its users by not fixing a security | vulnerability. In this case, it's even more clear since there's | "in the wild" exploits. Project zero's just helping to raise | awareness of the harm microsoft's causing. | codexon wrote: | If you've ever tried reporting vulnerabilities, you'll see that | some companies won't ever fix the problem until it is | widespread. | theptip wrote: | This is a foundational policy question in security research, | and Project Zero gives a lot of detail on its approach, e.g. | | https://googleprojectzero.blogspot.com/p/vulnerability-discl... | https://googleprojectzero.blogspot.com/2020/01/policy-and-di... | ffpip wrote: | Thanks for sharing the links. I knew it was a policy, but | never really looked more into it. | stefan_ wrote: | I'm dumbfounded why Microsoft can't fix this, it's essentially | just a parameter validation issue. They must have some ghoulish | software actually relying on the broken behavior.
| | Add to that their recklessly incompetent initial fix: | | https://twitter.com/maddiestone/status/1341781306766573568 | tonyedgecombe wrote: | Perhaps they are trying to avoid breaking 3rd party code. | | I've spent quite a lot of time poking around in the print | spooler and my gut feeling is it's probably riddled with issues | like this. | Meph504 wrote: | I would agree, I was baffled how basically windows will take | anything from print drivers and ram it into the spooler. | tonyedgecombe wrote: | Also I suspect nobody wants to work on it because who wants | to do printing. | m-p-3 wrote: | That must be some kind of purgatory where developers go | to slowly die inside. | q3k wrote: | I assume it's bigcorp slowness, having to roll up all updates | into patch batches, following release schedules, testing | against all release trains, going through QA, etc. No | accelerated way to push critical, but trivial software fixes. | Retric wrote: | Microsoft has patched issues fairly quickly in the past. This | may be a "critical" issue, but I think they have even higher | internal classifications which this doesn't qualify for. | the8472 wrote: | MS can and does issue out of schedule patches every now and | then. This presumably doesn't meet the bar since it is only a | local privesc. | foepys wrote: | Last year they pushed some "simple" fixes fast and broke | quite a few older VB applications. That was quite a fun day | at my office when some customers couldn't work anymore... | dmix wrote: | This is interesting, do you have more details you could | share or point to a link? | qz2 wrote: | Alt+tab has been thoroughly broken on Windows 10 20H2 for over | two months now. It randomly switches between the second and | third window. No fix in customer facing versions yet either. | | They are slow and incompetent. | FartyMcFarter wrote: | This may explain it: | | https://www.wsj.com/articles/microsoft-diminishes-windows- | ro...
| | > The company is breaking Windows in pieces. The platform | technology, on which Microsoft's partners build their own | devices, apps and services, will now fall under Scott | Guthrie, who runs the Azure business. Mr. Guthrie's unit, | called Cloud + AI Platform, will also include the company's | mixed-reality business, including Microsoft's Hololens | device, as well as its artificial-intelligence business. | | Maybe someone with insider knowledge will comment, but it | looks like Windows is far from being a priority for | Microsoft. | dmix wrote: | Man I still can't believe Azure is number 2 behind Amazon | for cloud computing. When they first started their | marketing push to developers years ago, which I remember | was very aggressive and full of evangelism marketing which | I disliked, I kind of blew them off as some mid tier or old | school oddity. | | But it really shows you how powerful their enterprise sales | machine is and the legacy reach of existing programming | languages/frameworks. | | It's always easy to underestimate Microsoft I guess. Ditto | with Oracle and the like. From our view down in the startup | world. | | That said, Alt-tab not working is an embarrassment though. | And I hope they really haven't let their OS QA slip this | badly in favour of some growth area or whatever. | Quarrelsome wrote: | They still have a big .NET following and they make it | easier to use Azure via their toolsets. I feel like it | was mildly obvious that they'd do okay. | 411111111111111 wrote: | They're including managed services like Office 365 in | that number though. | | Might be fair because AWS includes their services as | well, but I'm pretty sure AWS's main income is from EC2, | while Azure is business tooling like Active Directory, | Office etc | semi-extrinsic wrote: | And they seem to be pushing customers very hard on moving | from on-prem to cloud for Office and email stuff. I don't | know if they're subsidising the cloud services for now, | or what.
| plif wrote: | Microsoft is also mostly purely tech. Amazon and Google | (Alphabet) are more pervasive and threatening to other | industries. | | For that reason, I'm not surprised. I've seen the | decision come down to not wanting to give money to the | other two many times. MS is in a great position there. | thekyle wrote: | I may be wrong but I don't believe Microsoft even has a | dedicated Windows division any more. | radicaldreamer wrote: | Well that and they got rid of their QA and test engineers | so nothing is caught before it's sent out... you just | can't rely on free beta testers for everything. | jodrellblank wrote: | > You just can't rely on free beta testers for | everything. | | Linux distros seem to manage pretty well...? | | Or is this "it's only bad if Microsoft do it"? | 9HZZRfNlpR wrote: | If I'm paying for it, which I do, hell no. I also use | Linux but I don't pay for it, and it's a hobbyist / power | user OS and I can actually fix things there unlike | windows. | _jal wrote: | We pay RH rather a lot of money for the excellent testing | and integration they do. (And alt-tab works, if you want | it to.) | | Or if you're trying to limit this to individual use, I'll | grant you equivalence once Microsoft stops charging their | beta testers and offers them the source. | ehvatum wrote: | That's an interesting point. Which for-profit Linux | distro is using you as an unpaid beta tester for their | closed-source code? | gralx wrote: | Fair point. But 90% of Linux submissions are corporate, | last I checked. Corporations (usually) do a lot of | internal testing before submitting, and then maintainers | have to review submissions. This is long before the | public ("beta testers") has to deal with any bugs. | | And that's only the kernel. Distributions and their | package maintainers have their own quality controls, as | do cross-distribution upstream developers. Public bug | trackers (beta testers) are a complement to these.
The | division of labour in quality control of Linux systems is | fine, diverse, and of variable effectiveness before beta | testers come into the picture. | withinrafael wrote: | Yep. For those that are seeking a temporary remedy, open | Registry Editor, navigate to | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, | create/modify a REG_DWORD value named AltTabSettings and set | its value to 1. Restart your PC (restarting the Shell alone is | possible but will currently introduce more bugs). | tubs wrote: | Oh god I thought I was the only one who had noticed this... | it drives me mad every single day. | millzlane wrote: | I rely heavily on alt+tab. I haven't noticed this. Can you | explain a bit more? | bzb6 wrote: | I think it only happens if you use Edge | cheschire wrote: | It does exactly as described. Sometimes it will shift to | the second window as intended. Often it will skip to the | third window open instead, requiring one to continue | cycling back to the second window. | nkrisc wrote: | You can Alt+Shift+Tab to go in reverse direction. | gralx wrote: | Or just release Tab while keeping Alt depressed and | navigate the thumbnails with the arrow keys. | sedatk wrote: | > 2020-12-03 Microsoft advises that due to issues identified in | testing, the fix will now slip to January 2021. ___________________________________________________________________ (page generated 2020-12-23 23:00 UTC)