Microsoft Security

Researchers Show How To Take Control of Windows 7

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack cannot be done remotely." Which makes me wonder why I'm posting this :)
  • by mc1138 ( 718275 ) on Thursday April 23, 2009 @12:23PM (#27689025) Homepage
    We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data. Combine this with a lot of companies having very poor physical security this could be more than something to just write off.
  • by Anonymous Coward on Thursday April 23, 2009 @12:23PM (#27689027)

    If you got physical access already, it shouldn't be a surprise you can root the box.

  • by Control-Z ( 321144 ) on Thursday April 23, 2009 @12:24PM (#27689037)

    If someone has physical control of the machine, all bets are off.

  • Who cares? (Score:5, Insightful)

    by Sj0 ( 472011 ) on Thursday April 23, 2009 @12:25PM (#27689045) Journal

    Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised. I always design my security around this fact, and if a machine needs to be secure against attack, it will be physically secure.

  • A hack! (Score:5, Insightful)

    by Anonymous Coward on Thursday April 23, 2009 @12:25PM (#27689057)

    This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my driveway. Watch me steal it with ease! HA!

  • Boot from Live CD? (Score:5, Insightful)

    by neilobremski ( 1344051 ) on Thursday April 23, 2009 @12:26PM (#27689071) Homepage
    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.
  • by drsmithy ( 35869 ) <drsmithy&gmail,com> on Thursday April 23, 2009 @12:26PM (#27689077)
    There's a rather important aspect of this that's not discussed - how does this code get onto the computer in the first place to be executed during boot?
  • by gnick ( 1211984 ) on Thursday April 23, 2009 @12:27PM (#27689113) Homepage

    OK, I'm not a Mac guy so I can say nothing about it. I've also not used Windows 7.

    But, really. If you give me physical access to damned near any Windows or Linux machine, it's owned. And there are a lot of people out there a helluva lot better than me.

    Sure, I won't be able to crack your encrypted archives. Nor your well-protected stored passwords. But hacking root/admin with physical access to the box isn't rocket science. Actually, it's much tougher with Vista than any Linux distro I've run into.

  • Mindless bashing (Score:2, Insightful)

    by Anonymous Coward on Thursday April 23, 2009 @12:28PM (#27689117)
    I'm as anti-Microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that Linux or Unix distros are immune to tampering with the boot partition?

    I would assume the only way to be immune against this type of attack would be encrypting the system partition, and a "bootkit" as they seem to be calling it that is aware of encryption may even be able to deal with that.

    What's the story here again? That booting into a secondary OS gives you full control of data on an unencrypted hard drive?
  • by Anonymous Coward on Thursday April 23, 2009 @12:29PM (#27689147)

    If it is a remote exploit that doesn't involve user interaction, I definitely want to hear about it (like homeland security's red=everybody panic)
    If it is a remote exploit that requires user interaction, I still want to hear about it (condition=orange)
    If it is a local exploit/privilege escalation that doesn't require root, it might be interesting (yellow)
    If it is a local exploit that requires root privileges, leave it off the front page.

  • by bennomatic ( 691188 ) on Thursday April 23, 2009 @12:29PM (#27689153) Homepage
    I was going to say... if you have physical access, you can take out the hard drive, put it in another box, muck around with the data in any way you want and put it back. I'm an Apple fanboi at heart, but, geeze, this seems like a big, honkin' "What-ever!" to me.
  • by xmarkd400x ( 1120317 ) on Thursday April 23, 2009 @12:33PM (#27689245)
    Your "problem" has already been solved. Encrypt the hard drive. Companies don't care about losing sensitive data other than the monetary and reputation loss. If you lose a hard drive with private info on it, you only have to report a "breach" if it's encrypted.

    Somebody with physical access can just use a boot CD and do what they want anyways.
  • by Sockatume ( 732728 ) on Thursday April 23, 2009 @12:33PM (#27689249)
    A bootable CD-ROM that then boots the OS while performing the in-memory patching required to make the machine vulnerable.
  • by furby076 ( 1461805 ) on Thursday April 23, 2009 @12:39PM (#27689367) Homepage

    'There's no fix for this. It cannot be fixed. It's a design problem.'

    There is always a fix. Every vulnerability is a "design problem". Sometimes the code to fix it is a separate app (e.g. firewall, virus protection), and sometimes it requires modification to the code. There is always a fix in software - it's just a matter of making it.

    This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. OS X) is immune from any virus/worms/hacks.

  • by Lord Ender ( 156273 ) on Thursday April 23, 2009 @12:39PM (#27689393) Homepage

    Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

    It was obvious to crypto pros that it is theoretically worthless, but this is a practical attack against it.

    Real disk encryption DOES protect the machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can't "prove" it's flawed to management without a working exploit.

  • Misleading title (Score:3, Insightful)

    by tuxgeek ( 872962 ) on Thursday April 23, 2009 @12:43PM (#27689443)
    At first glance at the thread title, my first thought was pop a Linux CD into the drive and reboot
    Voila no more Win7
  • by vux984 ( 928602 ) on Thursday April 23, 2009 @12:50PM (#27689567)

    This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    Even that wouldn't matter, because the first thing I'd in-memory patch is the checksum algorithm to always return 'ok'.

    The only real way to resolve this would be a-la console style 'trusted computing, and digital signatures through the whole bios and bootstrap process'. Of course, even this could be 'hacked' or 'modchipped' but at least it wouldn't be as simple as just putting in a disk.

    There is no security if they have enough physical access.
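To make concrete what vux984's "digital signatures through the whole bootstrap process" buys you, here is an added example (not from the original post, and not the researchers' code) that simulates a TPM-style measured boot: each stage is hashed into a register before it runs, and a volume key is released only when the final measurement matches a known-good value. The stage images, the golden value and the key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins for the stages of a boot chain; not real firmware
# or Windows binaries. Order matters: each stage is measured before it runs.
STAGE_ORDER = ["firmware", "bootmgr", "winload"]
GOOD_CHAIN = {
    "firmware": b"constructed firmware image v1",
    "bootmgr": b"constructed boot manager image v1",
    "winload": b"constructed OS loader image v1",
}
PCR_INIT = b"\x00" * 32  # platform configuration registers start zeroed at reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(image)).

    Extending is one-way and order-dependent, so a later stage cannot
    rewrite the register to hide a modification of an earlier stage.
    """
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(chain: dict) -> bytes:
    """Fold every stage, in boot order, into one 32-byte measurement."""
    pcr = PCR_INIT
    for name in STAGE_ORDER:
        pcr = extend(pcr, chain[name])
    return pcr


def unseal(pcr: bytes, golden_pcr: bytes, secret: bytes):
    """Release a sealed secret (e.g. a volume key) only for the known-good
    measurement; constant-time compare avoids leaking partial matches."""
    return secret if hmac.compare_digest(pcr, golden_pcr) else None


def demo() -> tuple:
    """Returns (unseal result for a clean boot, unseal result for a patched boot)."""
    golden = measure_boot(GOOD_CHAIN)            # recorded once on a trusted boot
    volume_key = b"constructed-volume-key"
    patched = dict(GOOD_CHAIN)
    patched["bootmgr"] += b" [patched loader]"   # a bootkit-modified stage image
    return (unseal(measure_boot(GOOD_CHAIN), golden, volume_key),
            unseal(measure_boot(patched), golden, volume_key))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean boot releases key:", clean is not None)      # True
    print("patched boot releases key:", tampered is not None)  # False
```

This catches a stage whose image differs from what was measured; a patch applied to memory after a stage has already been measured is outside what the register records, which is why the post treats signing and measurement as raising the bar rather than closing the door.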

  • The reason (Score:5, Insightful)

    by kenp2002 ( 545495 ) on Thursday April 23, 2009 @12:53PM (#27689615) Homepage Journal

    ... the reason you are posting this article is to spread anti-microsoft hate and FUD for no reason.

    Why not post:

    With a gentoo install CD you can gain control of any linux system by overwriting key /etc/ files to give yourself root access unless you use encrypted drives...

    More useless propaganda from an MS-hater. I mean seriously, this is news? Next thing you'll post is that Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shotgun.

    Don't we have a NO FUD policy for articles?

    "Everyone is entitled to be stupid, but some abuse the privilege", as a result of this abuse, your Stupid License has been suspended for 60 days.

  • by JasterBobaMereel ( 1102861 ) on Thursday April 23, 2009 @12:53PM (#27689629)

    He is right there is no fix .... however the workarounds are pretty good ...

    If you are booting, then load the boot software at a random location, like they do with other programs once the system is running, and this hack will be *much* more difficult

    It's just that, as he says, Windows 7 assumes that during the boot process no user program can change things and it has complete control....

    If you are running in a virtual machine you *never* have complete control and so this will always work on any OS, but you can make it difficult ....

  • by DavidChristopher ( 633902 ) * on Thursday April 23, 2009 @12:57PM (#27689711)
    In the absence of physical security, taking over a vista, linux, mac os x or (insert vendor here) UNIX system is not difficult, providing you know the platform. No, the 'average gramma' can't do it, but most of us most likely can - with not much more than a google search and a quick download.

    I'm not a microsoft (or apple, or linux) fanboi by any means, but a system is only as secure as you actually make it. Disk encryption helps - it's a great idea - so I've honestly never met anyone who's used it.

    While this is certainly an interesting exploit, I doubt highly that many systems will be compromised in the wild with it.
  • by Sir_Lewk ( 967686 ) <sirlewkNO@SPAMgmail.com> on Thursday April 23, 2009 @01:02PM (#27689793)

    much tougher with Vista than any Linux distro I've run into.

    And we Linux users consider that a feature.

  • by paroneayea ( 642895 ) on Thursday April 23, 2009 @01:08PM (#27689905) Homepage

    Linux boxes are rootable. They *should* be rootable. The only time they aren't are when you don't have control any more (because of DRM & etc). But then they are only Linux in as much as the Kernel goes, not as much as the kind of Linux that Linux users advocate. I've recovered a broken plenty of times by popping in a boot cd and chrooting it.

    The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

  • by Sicarul ( 1440309 ) on Thursday April 23, 2009 @01:10PM (#27689943) Homepage
    If that's the case then it's as vulnerable as it would be if you let it boot any LiveCD, if booting from CD is disabled in the BIOS and it is protected by password this flaw isn't applicable... It isn't a serious flaw, how did this get to be a top story??
  • by YesIAmAScript ( 886271 ) on Thursday April 23, 2009 @01:23PM (#27690231)

    If you think accessing a machine through a browser is the same as having physical access "for all intents and purposes", then you aren't actually considering nearly enough intents and purposes.

    You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

  • by gnick ( 1211984 ) on Thursday April 23, 2009 @01:26PM (#27690287) Homepage

    Yes - My first system breach (not counting MS systems that were completely unsecured - I mean actually circumventing security) in the wild was back in the early 90's - A university *nix system. The thing that made (makes) *nix such an easy target is that you can actually understand how it works. Windows is full of holes, but it's so frigging weird and hard to wrap your head around the bizarre OS that the casual cracker won't bother learning what's going on. If your only goal is to satisfy some childish desire to breach security and smugly toss your hands in the air and declare yourself a 31337 hacker (as was my case), Linux is the way to go.

    Agreed - Being able to understand your OS is indeed a feature for people living in Linux world.

  • by geekmux ( 1040042 ) on Thursday April 23, 2009 @01:37PM (#27690503)

    If someone has physical control of the machine, all bets are off.

    Ah, apparently you've never heard of Phil Zimmermann or have ever seen a James Bond movie, have you?

    Point here is there is quite a bit that has and can be done even at the physical layer. Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one. TrueCrypt is a great free alternative too.

    And I for one am glad this was posted. Just helps enlighten everyone on the importance of good security practice regardless of how shiny and new the OS is.

    There are no foolproof Operating Systems out there, just fools who think there are.

  • by Computershack ( 1143409 ) on Thursday April 23, 2009 @01:37PM (#27690511)
    How is it any different to shoving in a Linux Live CD, running BartPE or running Windows setup, doing a repair install and sticking your own account on?
  • by mhall119 ( 1035984 ) on Thursday April 23, 2009 @01:44PM (#27690643) Homepage Journal

    Even if you're using Windows to encrypt your hard drive, this exploit might still be effective. From the very few details in the article, it modified the Windows boot files in memory while it's booting. If they can do that, then they just wait for you to log in and decrypt your hard drive, and their tainted processes have access to all your data.

  • by DMUTPeregrine ( 612791 ) on Thursday April 23, 2009 @02:14PM (#27691301) Journal
    Whereas with Linux you just boot into single user mode & use passwd to set the root password.
  • by tixxit ( 1107127 ) on Thursday April 23, 2009 @02:32PM (#27691677)
    Unless, of course, the admin has set the box up to require a password for single user mode as well.
  • by Matheus ( 586080 ) on Thursday April 23, 2009 @02:47PM (#27691993) Homepage

    Not that I really like cheering for M$ BUT what I take away from this article is that if these people are resorting to "physical-access" attacks to break Windows7 then maybe it has a chance of being a decently secure OS.

    I can always hope :)
