Win 8 user? Thought that was a CAPTCHA? R is for ruh roh

A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines. The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into …

COMMENTS

This topic is closed for new posts.
  1. Lallabalalla

    I'd just like to say...

    MICROSOFT FA oh wait

  2. dogged

    So, just to make this clear...

    IF you've got SmartScreen turned off AND IF you've changed UAC to allow anything to do anything AND IF you don't have any AV, including Windows Defender THEN a) this might allow somebody to execute some code on your machine and b) you're a massive retard.

    Is that about right?

    1. darklordsid
      Pint

      Re: So, just to make this clear...

      No. The code may be on a site not known as malicious by SmartScreen, UAC may not help you here, as for hundreds of thousands of other viruses still running on Windows, and the AV does not always stop any threat just because it is there.

      Three nice tricks that do not always work, or at least one of them would be out of business...

      Final thoughts

      a) remote execution exploits are usually listed as the most critical security issues, and should not be overlooked

      b) that condition you mention is already satisfied if the user is choosing VistaBob 8

      1. dogged
        FAIL

        Re: So, just to make this clear...

        You're right, there are vanishingly small chances of any of these not working. Vanishingly small. Multiply those probabilities to get the odds of them all not working at the same time. ooooooooooh, scary. Not.

        And you qualified on the second condition by your petty choice of abusive monikers.

        1. teebie

          Re: So, just to make this clear...

          Did you just say there is a vanishingly small chance of an anti-virus product not detecting a virus?

          I don't believe that that statement is entirely correct.

    2. Roland6 Silver badge

      Re: So, just to make this clear...

      >IF you've changed UAC to allow anything to do anything

      Basically you have to do this if you are running unsigned kernel mode drivers or services for which the code signing certificate has expired, otherwise UAC will constantly interrupt whatever you are doing as it doesn't have any facility to remember user settings for these specific conditions...
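
As an added illustration of the condition Roland6 describes (this is not code from the thread or from Microsoft), the PowerShell below enumerates the running kernel-mode drivers and Win32 services and reports those whose binary has no valid Authenticode signature or whose signing certificate has passed its NotAfter date. The cmdlets used (Get-CimInstance, Get-AuthenticodeSignature, Test-Path) are standard; the path normalisation rules and the output shape are this example's own assumptions.

```powershell
# Added example, not from the thread: report running drivers/services whose binary
# is unsigned, has an invalid Authenticode signature, or was signed with a certificate
# that has since expired. Run from an elevated PowerShell prompt.

function Get-BinaryPath {
    param([string]$RawPath)
    # Normalise the forms Win32_SystemDriver / Win32_Service hand back, e.g.
    #   \??\C:\...    \SystemRoot\System32\...    "C:\Program Files\x.exe" -arg    system32\DRIVERS\x.sys
    $p = $RawPath.Trim()
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]                    # quoted path, drop the arguments after it
    } else {
        $p = ($p -split '\s+(?=-|/)')[0]         # unquoted path, drop " -k netsvcs"-style arguments
    }
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SuspectSignedBinaries {
    $items = @(Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) +
             @(Get-CimInstance Win32_Service      | Where-Object { $_.State -eq 'Running' })
    foreach ($i in $items) {
        if (-not $i.PathName) { continue }
        $path = Get-BinaryPath $i.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        # An expired signer certificate is only a problem if the signature was not timestamped;
        # Get-AuthenticodeSignature still reports 'Valid' for timestamped signatures, so both
        # fields are shown and the reader decides.
        $expired = ($null -ne $cert) -and ($cert.NotAfter -lt (Get-Date))
        if ($sig.Status -ne 'Valid' -or $expired) {
            [pscustomobject]@{
                Name     = $i.Name
                Kind     = $i.CimClass.CimClassName -replace '^Win32_', ''
                Path     = $path
                Status   = $sig.Status                 # Valid / NotSigned / HashMismatch / NotTrusted ...
                Signer   = if ($cert) { $cert.Subject } else { '(unsigned)' }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
                Expired  = $expired
            }
        }
    }
}

Get-SuspectSignedBinaries | Sort-Object Kind, Name | Format-Table -AutoSize
```

Rows with Status of NotSigned, HashMismatch or NotTrusted are the ones worth chasing; Expired = True alongside Status = Valid is the normal case for an old but timestamped signature. Older PowerShell versions do not consult security catalogs, so catalog-signed inbox drivers can show up as NotSigned there; confirm any such row with signtool verify /a /v before drawing conclusions.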

  3. Tim 11
    FAIL

    IE8

    I laughed out loud when I saw this bit: "the approach doesn't work on IE8 because the browser features pop-up warnings." So IE8 is more secure than the newer versions then :-)

    It's a serious point for security though. In the old days when the Windows UI was relatively consistent and predictable, people knew what an OS dialog or a browser window looked like. With Windows 8, things fly across the screen or take up the full screen and the user has no way of knowing whether it's malware or an OS prompt.

    1. AndrueC Silver badge
      Thumb Down

      Re: IE8

      the user has no way of knowing whether it's malware or an OS prompt.

      And probably doesn't care anyway because they are sick and tired of stupid dialog boxes popping up asking them to confirm everything. Coming to a screen near you soon: "Are you sure you want to move your mouse to the right? [Yes], [No]"

      1. Danny 14

        Re: IE8

        To be fair, IE8 would probably have been killed by the drive-by malware.

      2. Wize

        Re: IE8

        "Are you sure you want to move your mouse to the right? [Yes], [No]"

        Reminds me of an example of bad programming where the software author has not bothered putting custom text on the Yes/No buttons, of which there are many examples today. The best one I can roughly remember was:

        The reactor has gone into meltdown and will explode in 10 seconds unless you do something. The only way to shut it off is to open the vent valves. However, I was too lazy when programming this so have not changed the text on the buttons below. However, pressing YES will override the automatic opening of the vent valves and you really want to press NO to let them open on their own.

        [YES] [NO]

  4. Anonymous Coward
    FAIL

    Couldn't get it to run ...

    "there are a lot of ways to circumvent Smartscreen, so it means you can execute code with just one click. If you don't believe it you can test the online demo"

    "This site is attempting to download multiple files. Do you want to allow" .. This type of file can harm your computer. Do you want to keep CosmicBreak_BR_setup.exe anyway?"

    Ran CosmicBreak_BR_setup.exe in CrossOver and nothing happened...

    1. Anonymous Coward
      Joke

      @dgharmon

      And you, uhm, also checked your bank account just to be safe? ;-)

  5. IGnatius T Foobar
    FAIL

    Windows security problems are not fixable.

    Microsoft can pretend to improve security all they want, but the bottom line is that Windows is a fundamentally broken design and it will *never* be secure.

    1. Arctic fox
      Headmaster

      Re: " Windows is a fundamentally broken design and it will *never* be secure."

      Nor will any other OS you care to name or imagine; that is in the nature of the problem. Simply howling your distaste for Redmond will not change the fact that what one person can create another can circumvent. No system, whatever it might be, is intrinsically secure. Anyone claiming otherwise is a snake oil salesman and should be tarred and feathered and run out of town on a rail.

      1. jubtastic1
        WTF?

        Re: " Windows is a fundamentally broken design and it will *never* be secure."

        Does Linux allow you to run a remote executable direct from the browser then? Because OS X doesn't. I can't even imagine what was going through their minds when they thought that typing 'R' in a browser pop up was a useful shortcut for 'execute whatever follows', I'm guessing it was Vodka, should have been a brick.

      2. Anonymous Coward
        Anonymous Coward

        Re: " Windows is a fundamentally broken design and it will *never* be secure."

        I can not only imagine, but name 2 from personal experience that are completely secure.

        The first and obvious candidate is the venerable MVS (in its many incarnations) from IBM.

        The second is RISCOS as installed on my much loved Archimedes.

        Neither of these is currently available; however, both are exemplary.

        Now you could reasonably argue that MVS is a special case and not a 'consumer' OS (which is what I suspect you meant); however, RISCOS was a personal machine OS. It was secure because it was ROM based.

      3. Tomato42
        Thumb Down

        @Arctic fox Re: " Windows is a fundamentally broken design and it will *never* be secure."

        There's a difference between deny by default and allow by default. One of them doesn't work and can't work (as firewall manufacturers did learn).

        I'll let you guess which is which

    2. Anonymous Coward
      Anonymous Coward

      Re: Windows security problems are not fixable.

      Android seems to have its fair share of security woes and malware that users are tricked into installing.

      But nobody is pointing the finger at Linux, only at the stupid users.

  6. Herby

    Solution to Viruses

    Maybe we should all go back to CP/M. It might actually work!

    Oh, and we had most of the source code (more or less).

  7. DanceMan

    RRRRRRRRRRR matey!

    Oops.

  8. Anonymous Coward
    Anonymous Coward

    Forced to top

    The problem isn't with Windows, it's with opening "pop-under" windows in the browser. The demo doesn't work in Firefox (or at least on mine) because the window pops up on top. This is all that needs to be done by the vendors to fix this: the "do you want to run..." window must always be the topmost window.

    In fact, ANY window opened by the browser which is not to show a page should always open (and be forced to remain) above all HTML windows - can't hide anything then can they?...
