Win 8 user? Thought that was a CAPTCHA? R is for ruh roh

A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines. The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating …

COMMENTS

This topic is closed for new posts.

I'd just like to say...

MICROSOFT FA oh wait

4
1
Silver badge

So, just to make this clear...

IF you've got SmartScreen turned off AND IF you've changed UAC to allow anything to do anything AND IF you don't have any AV, including Windows Defender THEN a) this might allow somebody to execute some code on your machine and b) you're a massive retard.

Is that about right?

8
9
Pint

Re: So, just to make this clear...

No. The code may be on a site not known as malicious by SmartScreen, UAC may not help you here, as for the hundreds of thousands of other viruses still running on Windows, and the AV does not always stop a threat just because it is there.

3 nice tricks that do not always work, or at least one of them would be out of business...

Final thoughts

a) remote execution exploits are usually listed as most critical security issues, and should not be overlooked

b) that condition you mention is already satisfied if the user is choosing VistaBob 8

4
8
Silver badge
FAIL

Re: So, just to make this clear...

You're right, there are vanishingly small chances of any of these not working. Vanishingly small. Multiply those probabilities to get the odds of them all not working at the same time. ooooooooooh, scary. Not.

And you qualified on the second condition by your petty choice of abusive monikers.

1
9
Bronze badge

Re: So, just to make this clear...

Did you just say there is a vanishingly small chance of an anti-virus product not detecting a virus?

I don't believe that that statement is entirely correct.

7
0
Bronze badge

Re: So, just to make this clear...

>IF you've changed UAC to allow anything to do anything

Basically you have to do this if you are running unsigned kernel mode drivers or services for which the code signing certificate has expired, otherwise UAC will constantly interrupt whatever you are doing as it doesn't have any facility to remember user settings for these specific conditions...

1
1
FAIL

IE8

I laughed out loud when I saw this bit: "the approach doesn't work on IE8 because the browser features pop-up warnings." So IE8 is more secure than the newer versions then :-)

It's a serious point for security though. In the old days, when the Windows UI was relatively consistent and predictable, people knew what an OS dialog or a browser window looked like. With Windows 8, things fly across the screen or take up the full screen, and the user has no way of knowing whether it's malware or an OS prompt.

23
0
Silver badge
Thumb Down

Re: IE8

the user has no way of knowing whether it's malware or an OS prompt.

And probably doesn't care anyway because they are sick and tired of stupid dialog boxes popping up asking them to confirm everything. Coming to a screen near you soon: "Are you sure you want to move your mouse to the right? [Yes], [No]"

4
3
Silver badge

Re: IE8

To be fair, IE8 would probably have been killed by the drive-by malware.

1
0

Re: IE8

"Are you sure you want to move your mouse to the right? [Yes], [No]"

Reminds me of an example of bad programming where the software author has not bothered putting custom text on the Yes/No buttons, of which there are many examples today. The best one I can roughly remember was:

The reactor has gone into meltdown and will explode in 10 seconds unless you do something. The only way to shut it off is to open the vent valves. However, I was too lazy when programming this, so I have not changed the text on the buttons below. However, pressing YES will override the automatic opening of the vent valves, and you really want to press NO to let them open on their own.

[YES] [NO]

1
0
FAIL

Couldn't get it to run ...

"there are a lot of ways to circumvent Smartscreen, so it means you can execute code with just one click. If you don't believe it you can test the online demo"

"This site is attempting to download multiple files. Do you want to allow" .. This type of file can harm your computer. Do you want to keep CosmicBreak_BR_setup.exe anyway?"

Ran CosmicBreak_BR_setup.exe in CrossOver and nothing happened ..

0
0
Silver badge
Joke

@dgharmon

And you, uhm, also checked your bank account just to be safe? ;-)

1
0
FAIL

Windows security problems are not fixable.

Microsoft can pretend to improve security all they want, but the bottom line is that Windows is a fundamentally broken design and it will *never* be secure.

3
5
Silver badge
Headmaster

Re: " Windows is a fundamentally broken design and it will *never* be secure."

Nor will any other OS you care to name or imagine - that is in the nature of the problem. Simply howling your distaste for Redmond will not change the fact that what one person can create another can circumvent - no system, whatever it might be, is intrinsically secure. Anyone claiming otherwise is a snake oil salesman and should be tarred and feathered and run out of town on a rail.

6
4
WTF?

Re: " Windows is a fundamentally broken design and it will *never* be secure."

Does Linux allow you to run a remote executable direct from the browser then? Because OS X doesn't. I can't even imagine what was going through their minds when they thought that typing 'R' in a browser pop-up was a useful shortcut for 'execute whatever follows'. I'm guessing it was vodka; it should have been a brick.

2
0
Bronze badge

Re: Windows security problems are not fixable.

Android seems to have its fair share of security woes and malware that users are tricked into installing.

But nobody is pointing the finger at Linux, only at the stupid users.

0
0
Anonymous Coward

Re: " Windows is a fundamentally broken design and it will *never* be secure."

I can not only imagine, but name 2 from personal experience that are completely secure.

The first and obvious candidate is the venerable MVS (in its many incarnations) from IBM.

The second is RISCOS as installed on my much loved Archimedes.

Neither of these is currently available however both are exemplary.

Now you could reasonably argue that MVS is a special case and not a 'consumer' OS (which is what I suspect you meant) however RISCOS was a personal machine OS. It was secure because it was ROM based.

0
0
Thumb Down

@Arctic fox Re: " Windows is a fundamentally broken design and it will *never* be secure."

There's a difference between deny by default and allow by default. One of them doesn't work and can't work (as firewall manufacturers did learn).

I'll let you guess which is which

0
0
Silver badge

Solution to Viruses

Maybe we should all go back to CP/M. It might actually work!

Oh, and we had most of the source code (more or less).

0
0

RRRRRRRRRRR matey!

Oops.

0
0
Anonymous Coward

Forced to top

The problem isn't with Windows; it's with opening "pop-under" windows in the browser. The demo doesn't work in Firefox (or at least on mine) because the window pops up on top. This is all that needs to be done by the vendors to fix this - the "do you want to run..." window must always be the topmost window.

In fact, ANY window opened by the browser which is not there to show a page should always open (and be forced to remain) above all HTML windows - they can't hide anything then, can they?...

0
0