FW: Running IE with decreased privileges

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/15/05

  • Next message: Rafel Ivgi, The-Insider: "Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability" 
    Date:         Sat, 15 Jan 2005 10:53:24 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    I received the following responses;

    -----
    From: "Felix Kasza"

    You may find NeoExec (http://neovalens.com/) of interest. Essentially, you configure it to modify the user's token for specific applications. They offer a demo download and a free (5 host) license for non-commercial, personal, use.

    *Far* less clumsy than runas, plus more fine-grained control if you want it.

    Cheers,
    Felix.

    Disclaimer: I have no financial relationship to them.

    -----
    From: Thierry Zoller <Thierry@sniff-em.com>

    Dear List,

    >I use this technique as follows with Internet Explorer:

    You might aswell cut down on the work and use DropMyRights.exe from Microsoft.
    http://tinyurl.com/6yfuz [Note: I checked this URL - Russ]

    I make use of it in my Tool Secure-It to give more secure access to Internet Explorer and Outlook.
    [*] http://www.sniff-em.com/secureit.shtml

    * Shamless Self promotion. 

    --
Mit freundlichen Grüßen
Thierry Zoller
mailto:Thierry@sniff-em.com
-----
From: "Willem" <wimmel@quicknet.nl>
Good suggestion, however since XP Mediacenter 2005 hit the shelves /savecred doesn't work anymore. I've been running as an non-priviliged user for quite some time and incouraging my friends likewise. Recently most of the new machines sold here in the Netherlands started to be shipped with MCE.
I've been looking but haven't found any info why /savecred can't be used anymore. Anyone got more info ?
Willem
-----
From: "Phillip R. Paradis"
Ivan Jones wrote:
> One of the lesser-used features of Win2K/WinXP/Win2k3's RunAs
> capability is to decrease rather than elevate the access of the
> interactive user when running a process.
It's lesser-used for a reason. Although running the process at a lower privilige level will protect against casual attacks, the fact that the reduced-access instance of IE is still running on the same desktop as more priviliged applications makes the desktop more vulnerable to Shatter-type attacks. Should IE be compromised, the malicious code would have the ability to post messages into the queues of other applications running on the desktop; potentially applications running with sufficient privilige to bypass the restrictions placed on the restricted account.
> This approach is not without it's shortcomings of course, e.g.
> - When IE is embedded in another app or launched via COM it still
> runs under your interactive account
> - Ditto if IE is started via association (e.g. clicking on a URL)
> - Website credentials are cached under a different profile to your
> own, and so on...
That, too.
For the truly paranoid, the best approach would be to log in with the restricted guest account, and use Run-As only when necessary and only for those applications which truly need higher privilige and have been vetted for shatter-type vulnerabilities. Applications with higher privilige should not be left running longer than necessary, either.
Even this isn't entirely safe; it's still possible for a shatter-type vulnerability to be exploited in the priviliged process by one of the lesser-priviliged processes running on the desktop. But there will be fewer such processes, and they won't be running constantly; it's harder to hit a small moving target than a large stationary one.
--
Phil
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Rafel Ivgi, The-Insider: "Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability"