Security problem at the end of setup programs

20/01/2008 - 10:47 by Hansjörg
Hello,

I posted this yesterday in the general security community and thought it
would be interesting here too.
However, I did not take the trouble to translate it back into German.

Hansjörg

Hey all,

just installed the latest version of Winamp (the old ones have a serious bug
in streaming that will allow to attack the machine - go for the latest
version or remove).
So also installed it on my son's machine (Vista). He is certainly not
Administrator and UAC is certainly active. Started setup, got the credUI as
expected, entered admin credentials, setup works fine.
But now there is this last page with a checked checkbox "Run Winamp now on
Exit" (yes - AOL WANTS you to run this program...).
OK - here is where the problem starts. What security context will actually
launch Winamp when I click the "Finish" button?? Think once, think twice
AAAAHHHH the security of the admin that executed the setup, as all processes
spawned from this security context will inherit its security context -
which is a fully elevated real administrator security context.
If you leave this option checked then you will hand over an admin context to
a non admin user and he/she/it/mixed will be able to do whatever the program
will allow him to do - ACCESS ALL AREAS.
So what can we do about this?
- Take away the check certainly - it's easy, it works, you forget it sooner
or later (or if you have not read this you will not even know it)
- Give those people that create setup programs feedback that in the days of
UAC such an option is not what we want
- @MS: if you detect a setup program and automatically ask the user to run
it elevated, check after the setup finished that there are no more processes
active that have been spawned from the setup process or one of its child
processes. In case that such a process is still running a) kill it silently,
b) tell the user c) write a log to the security event log d) let Steve
Ballmer talk to the company who created the setup ;-) (option d can be
combined with a) to c))

Certainly all "First run..." activities will also be executed in the admin
context. And I think even the authors of the setup do not want to
personalize the administrator's account but the real user account.

Hope this post will help you to have a more secure Windows experience.

Hansjörg
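
The post-setup check proposed in the last bullet above, sketched as an added example (not part of the original post): it walks a recorded process snapshot and reports elevated processes descended from the setup process that are still running. The `Proc` record, its `elevated` flag, the process names and the sample snapshot are constructed assumptions; a real collector would fill them from process-creation data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    created: float      # creation time in seconds (constructed values)
    name: str
    elevated: bool      # assumption: the collector recorded token elevation
    alive: bool = True

def leftover_elevated(snapshot, setup_pid):
    """Return live, elevated descendants of setup_pid, sorted by pid."""
    by_pid = {p.pid: p for p in snapshot}
    root = by_pid.get(setup_pid)
    if root is None:
        return []
    children = {}
    for p in snapshot:
        children.setdefault(p.ppid, []).append(p)
    found, stack, seen = [], [root], {root.pid}
    while stack:
        parent = stack.pop()
        for child in children.get(parent.pid, []):
            # PID-reuse guard: a genuine child cannot be older than its parent.
            if child.pid in seen or child.created < parent.created:
                continue
            seen.add(child.pid)
            stack.append(child)   # keep walking through exited helpers too
            if child.alive and child.elevated:
                found.append(child)
    return sorted(found, key=lambda p: p.pid)

# Constructed snapshot taken after the installer's "Finish" button was clicked.
SNAPSHOT = [
    Proc(4000, 900, 100.0, "explorer.exe", False),          # user's shell
    Proc(4100, 4000, 200.0, "setup.exe", True, alive=False),  # elevated setup
    Proc(4200, 4100, 210.0, "unpack.exe", True, alive=False), # exited helper
    Proc(4300, 4100, 260.0, "player.exe", True),   # started by "Run now"
    Proc(4400, 4300, 270.0, "firstrun.exe", True), # first-run step of player
    Proc(3900, 4100, 50.0, "svc.exe", True),  # older: parent pid was reused
]

if __name__ == "__main__":
    for p in leftover_elevated(SNAPSHOT, 4100):
        print(f"still elevated after setup: pid={p.pid} {p.name}")
```

The creation-time comparison matters because a parent process ID is only a number: once the original parent exits, the ID can be reassigned, so an unrelated older process may appear to be a child of the setup process.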
 


#1 Marcus W.
22/01/2008 - 02:03
Hello,
a security problem on the one hand, and on the other hand also a very
annoying case of configuring everything twice.
Started via "[x] Run now" - made all the fiddly settings, closed the
program (the settings are of course where they belong, in the
user area [of the admin!]).
Well, started it normally the next day...Oo ... do everything again ;)
Often it helps to copy things over from the admin to the "normal" user and
set permissions, but now and then it gets badly stuck.

Just as a note in case anyone wonders where their settings have gone
the next day...

Regards

Marcus