back to article Windows 0-day pops up out of nowhere Twitter

It's not a vulnerability bad enough to force Microsoft to release an out-of-cycle patch – however, CERT/CC has just put out an alert over a newly disclosed privilege escalation bug in Windows. According to the tweet that set the hounds running, it's a zero-day with a proof-of-concept over on GitHub: Here is the alpc bug as …

Page:

  1. chuckufarley

    This reminds me of...

    ...the times I can't remember. I can't remember them because in the late 1990's through early 2000's after a client's system was hosed by LPE and we have reimaged and restored backups for the ten thousandth system that month we would celebrate the milestone by turning off our pagers and phone then going to the nearest place serving high test jet fuel and calling it "Happy Hour." I can't be sure what happened after that except to say that I usually made it home some how.

    It's a bit cliche to say "The more things change..." but I do wish some things wouldn't stay the same.

  2. Mayday Silver badge
    Alert

    Gone

    https://twitter.com/SandboxEscaper/

    That didnt take long. Sure to be elsewhere of course.

    1. Jack of Shadows Silver badge

      Re: Gone

      The GitHub and vulnerability note links work fine here.

      1. Anonymous Coward
        Anonymous Coward

        Re: Gone

        Nice to pack it in a format that could trigger vulnerabilities like CVE-2018-10115

  3. Destroy All Monsters Silver badge
    Pint

    Burning_this_is_fine_dog.jpg

    LOL

    (And who is SandboxEscaper and is he linked to Putin and/or Assad and/or Corbyn?)

    1. DCFusor Silver badge

      Re: Burning_this_is_fine_dog.jpg

      No, it's China, in the bathroom, with Dept o State email server forwarding, get with the times!

      1. MyffyW Silver badge

        Who is SandboxEscaper?

        I'm pretty certain SandboxEscaper is not Satoshi Nakamoto.

      2. Someone Else Silver badge
        Coat

        Re: Burning_this_is_fine_dog.jpg

        No, it's China, in the bathroom, with Dept o State email server forwarding [...]

        Sounds like you just won Clue, the Millennial's Edition!

  4. Sorry that handle is already taken. Silver badge

    This guy's angry about something

    1. big_D Silver badge

      For me, that is the bigger story, who is this guy? What is his beef with reporting through channels? Why did he just throw it out on Twitter and not report responsibly?

      1. Anonymous Coward
        Anonymous Coward

        > For me, that is the bigger story, who is this guy? What is his beef with reporting through channels? Why did he just throw it out on Twitter and not report responsibly?

        Sounds like previous bad experience.

      2. JohnFen Silver badge

        "What is his beef with reporting through channels?"

        I don't know about him in particular, but bepending on the company, reporting through channels can be a very frustrating and risky experience. He isn't the only one to give up on it entirely.

        1. Anonymous Coward
          Anonymous Coward

          I saw Notgear respond to a security vulnerability report, by asking the finder of the vulnerability to post it in their public web forums to get help...

      3. Michael Wojcik Silver badge

        Why did he just throw it out on Twitter and not report responsibly?

        While responsible disclosure is certainly more common than it was, say, a decade ago (and much more common than when Rain Forest Puppy published the original RFPolicy back in, oh, 2000?), it's hardly unknown for people to just throw vulnerabilities out on Twitter or other media. This one just attracted some extra attention because it came with a PoC and is fairly serious.

        But subscribe to VULN-DEV, for example, and you'll see plenty of potential 0-days flowing by as people discuss whether there's something exploitable in a failure they've run across.

        Responsible disclosure has costs, even if they're mostly cognitive load and opportunity costs; that's one reason why many companies have bug bounties. And working with PSIRTs and other disclosure-handlers can be irritating. I'm on a PSIRT myself, and we put a lot of effort into being polite and receptive. But not everyone does. I've dealt with some PSIRT types who are abrasive and dismissive.

    2. Fibbles

      Her Twitter claims she has depression and was having some sort of episode.

  5. Anonymous Coward
    Anonymous Coward

    I think SandboxEscaper could do with a nice cup of tea.

    1. MyffyW Silver badge

      And maybe a hug (once he's had a shower)

  6. NotTrue

    Seems like a total mischief maker to me, chuck the code out "in anger" knowing it has a good potential to cause a lot of trouble if used quickly amongst the ever wise user base who don't update their machines at patch release..

    1. Anonymous Coward
      Anonymous Coward

      Or a security researcher submitted the 0 day but got 0 return, so he/she went public. That's an assumption based on what happened last year.

      1. fm+theregister

        I would bet he used unofficial channels to make a bigger buck, and was crossed.. auf!

  7. Lee D Silver badge

    I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.

    The fix, therefore, is to only let the code you want to run to run locally and deny everything else.

    I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance. Approved, verified-source, signed-off code only. Even then you can be compromised (e.g. escaping a web-browser sandbox, etc.).

    If a local user get can system privileges on a machine in so MANY different ways, you just can't assume that they won't try, and therefore have to design your security and systems to compensate as much as possible.

    The expectation for arbitrary code execution for anyone other than an administrator (already game over) or developer (who probably can mess up your system in a billion different ways, not least compiling exploit code into their programs) is something that I can't justify.

    1. John Robson Silver badge

      Agreed - but there are occasions when people manage to run code anyway.

      This is a failure in the next layer of defence - someone who conned your software (via a buffer overflow, or whatever) into running software shouldn't be able to get more rights on the system than that software had initially...

    2. Nick Ryan Silver badge

      It's multi-layer therefore execution rights followed by elevated rights on a local system is bad, however getting elevated rights in a domain (administrator) context is incredibly bad. Luckily this is somewhat harder, unfortunately it's definitely not impossible.

    3. Anonymous Coward
      Anonymous Coward

      I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.

      So you have given up on multiuser systems?

      1. Anonymous Coward
        Anonymous Coward

        So you have given up on multiuser systems?

        In the majority of use cases, especially on Windows, "keeping honest people honest" is generally enough.

        An administrator would usually have some level of trust before granting access, and their would be some level of accountability.

    4. J27 Bronze badge

      It would be at least a little better if applications were all automatically sandboxed by the OS like they are on Android or iOS. But it doesn't look like Microsoft is able to get any developer buy-in on that idea. It's a shame because it only hurts the end user. Of course, I'm a web developer who occasionally writes mobile apps, so porting legacy code to WinRT isn't really something I do. I imagine it's probably a huge pain.

      1. JohnFen Silver badge

        "But it doesn't look like Microsoft is able to get any developer buy-in on that idea"

        I don't want that as an end-user, either. Optional sandboxing? Fine. Automatic sandboxing? Not fine, unless I can disable it.

      2. LDS Silver badge

        "a little better if applications were all automatically sandboxed"

        It does work on phones because the applications are still quite limited and mostly used in isolation by a single user. On a server or desktop PC where multiple different applications need to access, share and exchange data, it would become quite an issue.

        Windows 8 attempted it - UWP apps are sandboxed, but are also more limited.

        And still, bugs that allow to escape sandboxes do exist - in some ways "elevation of privileges" one are alike - user mode processes should be "sandboxed" by their limited privileges.

    5. Michael Wojcik Silver badge

      I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance.

      I don't know about "thinks it's a good idea", but I've seen a lot of supposedly "secure" systems1 - military, financial, medical, whatever - that let users run arbitrary code. Far more than the converse, in fact.

      If you think systems that people claim are secure commonly impose these sorts of restrictions, I'm afraid you're being wildly optimistic.

      1Which is a meaningless description anyway. Security isn't an absolute, and declarations of relative security mean nothing except in relation to a threat model.

  8. Pascal Monett Silver badge
    Facepalm

    "unaware of a practical solution to this problem"

    Well that's reassuring.

    MS continues its glorious history of selling swiss-cheese security to millions.

    Thank goodness XP, Vista, Windows 1 0 were all rewritten "from the ground up", otherwise we'd have the same bugs and exploits that we had in every previous version.

    Oh wait . . .

    1. JohnFen Silver badge

      Re: "unaware of a practical solution to this problem"

      Yes, Microsoft deserves to be ridiculed for all the various times they've claimed that Windows has been "rewritten from the ground up".

      But, in all fairness to Microsoft, Windows is a very complex piece of software, and all software -- without exception -- has bugs, and the more complex, the more of them it has. This includes bugs with security implications.

      1. Anonymous Coward
        Anonymous Coward

        Re: "unaware of a practical solution to this problem"

        There's only one program we can prove MS re-wrote from the ground up...it is the one they "lost" the source code to when they had a little "anti trust" issue.

    2. Tom Paine Silver badge

      Re: "unaware of a practical solution to this problem"

      You picked the wrong icon!

      Srsly though - of course they're unaware of a solution to the problem, it;'s a 0day. Hence the headline, which reads "Windows 0-day pops up out of nowhere Twitter".

  9. zb42

    first windows LPE that I remember

    The first windows LPE exploit that I was aware of was released in February 1999 by Dildog of the L0pht, almost twenty years ago.

    1. chuckufarley
      Trollface

      Re: first windows LPE that I remember

      The first LPE I remember is everyone and their dog being able to use the Administrator account as a daily driver. Of course, Microsoft called it a "Feature" and those of us in the trenches felt the pain from it directly or indirectly.

      1. Anonymous Coward
        Anonymous Coward

        "and their dog being able to use the Administrator account"

        Tell developers who stubbornly kept on - and some still do today - writing in system directories and local machine registry keys... and those aren't the worst behaviour some application can show.

        1. Nick Ryan Silver badge

          Re: "and their dog being able to use the Administrator account"

          Largely because the idiots* didn't appreciate that not having full adminsitrator access to something was a good idea and therefore wrote everything on the assumption that every execution of their code would have full administrator access. It was also easier - laziness is the cause of many security issues.

          * I was such an idiot once... although admittedly many years ago. What I've always done since has been hijacked by buzzword bingo: DevOps.

          1. Anonymous Coward
            Anonymous Coward

            "I was such an idiot once..."

            Most of us were. Those who learnt programming in DOS and Windows 2.x/3.x didn't have to care about permissions and privileges. Just as soon I got a machine with NT4 I understood my code had issues, and old habits had to be forgotten to write better code.

            I like my job, and believe keeping my skills and knowledge up to date is essential. It looks other think it just pays the bills, and have to deliver what is asked them with the minimal effort. Changing habits and writing a little more code to cope with newer environments and requirements it's too much for them - and their managers. Many of them work for or sold their code to companies too big for MS to ignore them and enforce stricter rules and kill non-compliant applications.

            Anyway this vulnerability looks rooted again in something needed to make kernel calls faster - the bane of every operating system...

        2. Anonymous Coward
          Anonymous Coward

          Re: "and their dog being able to use the Administrator account"

          Tell developers who stubbornly kept on - and some still do today - writing in system directories and local machine registry keys... and those aren't the worst behaviour some application can show.

          I see you have also used software from Sage.

          1. robidy

            Re: "and their dog being able to use the Administrator account"

            Cisco wouldn't do that ha ha ha plop...

      2. Tom Paine Silver badge

        Re: first windows LPE that I remember

        I hate to break this to you, but anyone can use root. It wouldn't be a very useful account if it couldn;'t be used, would it?

        Now, if you're talking about bad operational practices in GIVING users admin accounts... that's hardly Microsoft's fault, is it now?

  10. steamnut

    More cloud anyone?

    U$oft would like us all to log in to virtual cloud-based machines in the future. It's all part of their drip drip subscription model (ditto Oracle, Adobe etc). But, just imagine the chaos that would (will) ensue when the machines they they have total responsibility for go tits up or are compromised.

    Windows is clearly still a very flawed OS with U$oft trying to calm us with their regular patch updates. And yet the bugs still come.....

    It's bad enough that Azure and Office365 (more like 360) go offline for long periods of time but who knows what the affects would be of total shutdown.

    Thank goodness there are alternatives.

    1. Anonymous Coward
      Anonymous Coward

      Re: More cloud anyone?

      What makes you think the alternatives are as secure, much less more secure? The fact that they haven't had nearly as much scrutiny? How many vm escapes have happened in AWS, IBM,and Oracle clouds? Do you think you have accurate data?

    2. John Brown (no body) Silver badge

      Re: More cloud anyone?

      "U$oft "

      Who??

      1. Anonymous Coward
        Anonymous Coward

        Re: More cloud anyone?

        I believe they intended to write a "μ" (lowercase Greek Mu character - the metric notation for "micro" meaning 10-6) instead of the English letter "U." The dollar sign "$" substitutes for an English "S" because some people still think that's clever in 2018.

        With that in mind, it is pretty obvious that they are talking about Google.

      2. Crazy Operations Guy

        Re: More cloud anyone?

        "U$oft "

        Another of those convoluted ad hominem attempts at an insult. I presume they meant to use the greek letter "μ" (mu), which is used in measurement systems to indicate the prefix 'micro'. The dollar sign because that has been standard parlance.

        I'd give it a 8/10 for creativity, but a 1/10 for readability.

        Besides, to whose benefit is this? The vast majority of people commenting here are already quite familiar with Microsoft being greedy assholes and aren't going to argue with you about it. And its not like you have to obfuscate their name, Microsoft has much better things to do than to cruise a forum like this trolling for people that aren't fans...

        1. Walter Bishop Silver badge

          Re: More cloud anyone?

          ‘"U$oft " to whose benefit is this?’

          A more appropriate title would be Ubersoft :]

  11. Anonymous Coward
    Anonymous Coward

    Seems as though he has submitted quite a few bugs with CVE and had little credit

    Found a blogspot cached.

    http://webcache.googleusercontent.com/search?q=cache:Sroj-BmjiHcJ:sandboxescaper.blogspot.com/+&cd=4&hl=en&ct=clnk&gl=uk

    1. Nick Ryan Silver badge

      Re: Seems as though he has submitted quite a few bugs with CVE and had little credit

      If that's them then they have insecurity issues that should (please) be dealt with first rather than security issues.

      Honestly, I don't care what gender/sexuality/whatever someone identifies with as long as they're competent... but I do understand that it may need to be taken into account sometimes. I also know that, unfortunately, much of the world doesn't feel the same way. It read like that they needed to state personal issues as an excuse or an apology for finding security issues? It seems wrong, and perhaps somebody crying out for attention or help more than anything else.

      ...and no, I'm not intending to be nasty in any way.

  12. Zippy´s Sausage Factory
    Windows

    Now I'm just waiting for Microsoft to classify it as "not a problem, won't fix" because the steps to reproduce it are more than just clicking on a link in an email.

    Yes, I am cynical, thanks for asking...

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019