Re: CWS = Crummy Windows Security

From: Ron Parker (ron_at_PARKRRRR.COM)
Date: 10/08/04

  • Next message: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
    Date:         Fri, 8 Oct 2004 10:13:53 -0500

    At 04:18 PM 10/7/2004 -0600, Bartlett,James D wrote:
    >Well, the default user of a basic XP installation always has admin
    >rights. Every distressed CWS victim that I have ever dealt with was a
    >low-level user running a single account on a non-domain personal
    >machine. Being the only user on their machines, they were all admins.

    Since you're the second or third person to reply with something like
    this, I obviously wasn't clear enough with my previous statement. My
    point wasn't that AppInit_DLLs is safe because nobody should run as
    admin, anyway. Obviously that's a nice fantasy, but of course it's
    only the reality in well-administered networks. The real point was
    that given all of the other ways a person running as Administrator has
    to mess up the security of his machine, AppInit_DLLs is rather trivial.
    If you're the local administrator on a non-networked machine, you have
    the ability to install a device driver that runs at system startup,
    well before even WinLogon runs, and hooks the kernel's implementation
    of the RegXxx functions. And of course, when you have that ability,
    the lowlife cretin who wrote any spyware you may run also has that
    ability. This blows away anything you can do with AppInit_DLLs; at
    least the AppInit_DLLs method can be bypassed and detected by user-level

    Andrew Aronoff seems to have gotten the point; he mentions a whitelist
    managed by a central authority. However, I believe that down that
    road lies madness: eventually, because some users are too computer-
    illiterate to be trusted to administer their own machines, all of us
    will have to delegate administration authority to Big Brother. There
    is a compromise, of course, and it's one we've already accepted.
    Windows should treat anything loading in AppInit_DLLs as it currently
    treats a device driver or other plugin and have settings that allow
    the user to only run DLLs that are signed by trusted publishers.

    Of course, that just assumes all over again that users are competent
    to administer their own computers. There's just no getting around
    that assumption without taking administrative power entirely out of
    the hands of "unqualified" users.

    If we're going to demonize Microsoft for something, let's not demonize
    them for one of the hundreds of ways a user with administrative privileges
    can destroy his own computer. Let's demonize them for the real problem:
    that so many people are running untrusted code as Administrator without
    having been told about the security implications thereof.

    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"