back to article We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe

Software buried in Windows since the days of WinXP can be abused to take complete control of a PC with the help of good ol' Notepad and some crafty code. On Tuesday, ace bug-hunter Tavis Ormandy, of Google Project Zero, detailed how a component of the operating system's Text Services Framework, which manages keyboard layouts …

  1. SW10
    Devil

    Confidence

    "It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."

    That’s what you think...

    1. MiguelC Silver badge

      Re: Confidence

      That sound you hear comes from some deep, dark, hidden basement, where an NSA cave dweller screams in horror "My preciousssss...."

      1. Jemma Silver badge

        Re: Confidence

        It's OK... Sam'll kill 'em if they try anything.

    2. Anonymous Coward
      Anonymous Coward

      Over Confidence

      Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of windows. Of course the NSA has source code access along with several other three letter agencies. Funny they didn't mention it.

      Of course looking at XP era material with a code profiler is like looking at a Vegas motel room under a strong blacklight. Some things cannot be unseen.

      1. Rich 11 Silver badge

        Re: Over Confidence

        like looking at a Vegas motel room under a strong blacklight

        You owe me a cup of tea (Earl Grey, hot).

      2. Michael Wojcik Silver badge

        Re: Over Confidence

        Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of windows

        Yes. Such as Microsoft's own static-analysis scanner, which is a near-state-of-the-art hybrid of simulated execution and symbolic analysis. (There was a good paper on it from Microsoft Research in CACM a few years back.) Data tainting and data flow analysis find this sort of thing easily in cases like this, where, as Ormandy wrote, there's simply no validation.

        They have the technology. They have the resources. They just don't have the will.

        1. bombastic bob Silver badge
          Facepalm

          Re: Over Confidence

          why should they check their OWN code for vulnerabilities? They have the CUSTOMERS as BETA TESTERS now!!!

          what a massive challenge that complexity presents Microsoft's engineers from a security standpoint.

          Not THAT massive. Back i nthe mid 2000's they should have done THIS instead of Vista:

          a) audit every line of code using their massive programming staff, instead of "re-re-inventing" windows [with the exception of the vulnerable parts]

          b) NOT re-re-invent it for WIndows "Ape" (8) nor Win-10-nic, but INSTEAD audit the HELL out of EVERYTHING, looking for basic vulnerabilities.

          You have to think like thief, applying crowbars, hammers, and chemicals to locks. You can't "just assume" anything about marshalling. You have to check EVERY buffer length, even for trivial stuff.

          strcpy(buffer, "string") - no!

          strncpy(buffer,"string",sizeof(buffer)) <-- better

          (you never know whether or not a buffer overflow might cause that static string pointer to be altered)

          that being said MICROSHAFT WASTED A DECADE AND A HALF of WALL TIME to re-re-re-re-invent windows into the PILE OF CRAP it is today!

          And oh, they left some serious OLD vulnerabilities in it, too... from a time when they wanted EVERYTHING insecurely interacting with EVERYTHING, and wanted ActiveX to be a MAJOR part of web pages! Pretty clueless, yeah.

          icon, because, facepalm

          1. Jamie Jones Silver badge

            Re: Over Confidence

            Long before Mac OSX became a thing, I used to say that MS should grab FreeBSD, and rewrite windows as a GUI, and include a compatibility layer for win32 stuff.

            Of course, Gates being the "shove the OS into the GUI" kind of guy, they went the NT route instead, then Mac OSX more or less did it instead.

  2. Gene Cash Silver badge

    "a scumbag has to be running code on your machine anyway, which is not a good situation"

    You mean like in a browser?

    1. Luke McCarthy

      JavaScript code can't call Win32 API functions, not without using a browser exploit first anyway. It's probably possible with VBScript in older versions of IE though...

      1. Michael Wojcik Silver badge

        not without using a browser exploit first anyway

        Well, problem solved! Or not. (Of course, with many users running browsers with elevated privileges in the first place, once that browser exploit is available there's no need to elevate.)

        In any case, this "the attacker has to be able to run unprivileged code first" mitigation is not nearly as useful as some people seem to think. It provides no defense against insider attacks. It provides none against social engineering. Against malware in the software supply chain. And so on.

  3. wayne 8

    Is this why a "notepad" app doesn't come with Android?

    I've often wondered why, with every general purpose OS I've worked with having a text editor in the distro, why Android phones don't have one. The carriers put useless shit in there, but no text editor.

    Is it a conspiracy?

    1. Peter Gathercole Silver badge

      Re: Is this why a "notepad" app doesn't come with Android? @wayne

      Not at all. Google want you to use it's Web or Cloud applications instead, which is why there is no native Calendar app, and only a basic Contacts application shipped with Android. Phone makers often add their own, but they are very rarely compatible with those supplied by the other phone makers.

      (Using the Web based apps also ensures that you keep data services on so that your device is track-able, as well)

      I look back at the baked in set of applications that used to be in PalmOS with a great deal of fondness. Always there, always work the same, always compatible with the last PalmOS device you owned.

      1. bean520

        Re: Is this why a "notepad" app doesn't come with Android? @wayne

        Ummm...AOSP (that is, open source Android) does have a natural be calendar app

      2. bazza Silver badge

        Re: Is this why a "notepad" app doesn't come with Android? @wayne

        I look back at the baked in set of applications that used to be in PalmOS with a great deal of fondness. Always there, always work the same, always compatible with the last PalmOS device you owned.

        Modern Android BlackBerries come with a decent set of things, far better than Google imho. Always there, very compatible with Exchange, iMap etc. You can pay for them on any other Androids too.

    2. boltar Silver badge

      Re: Is this why a "notepad" app doesn't come with Android?

      Why would you want a text editor on a phone or tablet? They're media consumption devices. If you want to do that sort of thing use a proper computer.

      1. illuminatus

        Re: Is this why a "notepad" app doesn't come with Android?

        To.make notes?

      2. anothercynic Silver badge

        Re: Is this why a "notepad" app doesn't come with Android?

        It's called 'making notes'... Reminders, little "oh, yes, before I forget what that wine was called" things. Some stuff is inane, some stuff isn't.

        1. MacroRodent Silver badge

          Re: Is this why a "notepad" app doesn't come with Android?

          My usual method for such notetaking is to send email to myself. Has the advantage of being immediately available on a computer, too. Never missed a notepad on phones.

        2. boltar Silver badge

          Re: Is this why a "notepad" app doesn't come with Android?

          I haven't written notes outside work since I was a student, but each to their own. I guess if you have a bad memory its useful. But then you'd probably lose the phone anyway so...

          1. NetBlackOps

            Re: Is this why a "notepad" app doesn't come with Android?

            Whether I'm doing science, engineering or business, I've found my breadcrumb trails invaluable at keeping track of the various avenues I've pursued. Forgetting is not desirable, especially in cases where lives are involved. Not true for most, though. That it often saves time and money.... So, saving my scribbles is ... nice.

            Aside: to the send myself an email suggestion, no way am I sharing. Hell, good luck Google, et al., getting a look at my device, even.

            1. boltar Silver badge

              Re: Is this why a "notepad" app doesn't come with Android?

              If you're involved in safety critical areas and yet have a memory so bad you have to write yourself post-it style notes then please tell us what these areas are so we can avoid anything you've been involved in. Either write proper documentation or don't bother with the task at all.

          2. anothercynic Silver badge

            Re: Is this why a "notepad" app doesn't come with Android?

            It's not about bad memory. It's about just having it somewhere else *in case* of bad memory. But, as you say, to each their own. And not everyone is as blessed as you must be. :-)

        3. Ken Hagan Gold badge

          Re: Is this why a "notepad" app doesn't come with Android?

          *My* phone has a microphone ...

      3. GnuTzu Silver badge

        Re: Is this why a "notepad" app doesn't come with Android?

        What??? I have Vim installed on my phone. O.K. so I rarely use it. But, it's so very comforting to know that I always have Vim with me.

    3. Mage Silver badge
      Facepalm

      Re: Is this why a "notepad" app doesn't come with Android?

      Jota is easy to download from playstore, nice text free editor and doesn't seem to have adverts.

      There is no included File manager or image editor, or terminal client either.

    4. Nano nano

      Re: Is this why a "notepad" app doesn't come with Android?

      The article is about a vulnerability in Windows. Android runs .... Linux, and Android.

  4. Ross Nixon

    NotePad? Useless old thing. Won't stay on top. Doesn't have color coding. Use NotePad3, I use and recommend it.

    1. Brian Miller

      The thing is. notepad was just used as a demo. The flaw isn't in notepad itself, but what it must connect to on the inside to function. Windows is full of cruft and is more like an old building with many little empty spaces in it - a fire hazard. The "new and improved" Windows has brought forward much of the "old and fscking" Windows. I wouldn't be surprised to see things from Windows 95 in there.

      1. sgp

        I don't understand, they promised us it's been "rebuild from the ground up". What is going on?

        1. gannett

          Recompile is the new rebuild.

        2. boltar Silver badge

          The did rebuild from the ground up , they just didn't bother to clear the ground first.

        3. Anonymous Coward
          Anonymous Coward

          It was rebuilt from the ground up remains of MS-DOS and Windows 95.

        4. Brian Miller

          This is how it's done:

          make clean

          make

          (and then a lot of Perl scrips run here to glue things into a distributable form.)

          Ship it.

    2. gerdesj Silver badge

      NotePad Windows? Useless old thing.

      1. Captain Scarlet Silver badge
        Mushroom

        Sorry but Windows + R and notepad for a simple text editor is actually very useful (and I don't like change), Linux has similar old programs which do the job perfectly from a terminal session (i.e pine for quick text editing and I don't like change).

        1. A.P. Veening Silver badge

          Notepad is very useful every once in a while, in this case for privilege escalation. Note that in this case Notepad was used for the demo, but it could have been done with your favourite browser or email client as well, as long as there is some way to enter some text.

          1. Sam Crawley

            I thought the main purpose of notepad was to remove unwanted text formatting before pasting back into the 'smarter' application you are struggling with?!

            1. Captain Scarlet Silver badge

              Yup must admit I do that, shame it strips out the line feed field (or was it new line)

              1. Martin an gof Silver badge

                Notepad updated after 33 years!

                Personally, I use Notepad++ when in Windows.

                M.

                1. Captain Scarlet Silver badge

                  Yup have installed on machines I use a lot because of the language colour option, but its not on every machine I have access to.

  5. seven of five

    I am surprised.

    Given the amount of things notepad can´t do, I am seriously surprised it can be used for an exploit. Way to go, M$.

    1. Anonymous Coward
      Anonymous Coward

      Re: I am surprised.

      Whereas given the amount of things Emacs *can* do (#), you'd not only be surprised if it *couldn't* be used for an exploit, you'd expect it to already include an in-built exploit mode (alongside M-x kitchen-sink-simulator).

      (#) Its only major omission being a decent text editor. (Sorry, but as a vi user, that ancient joke is practically obligatory...:-) )

  6. amanfromMars 1 Silver badge

    Why the Fuss. It is not as if it was shared in Russian or Chinese to Alert You

    Did you not get any of the earlier registering memos on the meme*? ........ Words Create, Command and Control and Destroy Worlds ........ and that can easily be turned on and tuned in to terrifying in a whole myriad of consequential existential extremes.

    And without them are you no more than dumb ignorant savages to be herded and entertained/employed and enjoyed as animals appropriate to the whims of SMARTR Connected Virtual Machines?

    * An earlier registering memo on the meme

  7. Ian Emery Silver badge
    Windows

    I keep getting ridiculed for talking about a rare file overwrite bug

    I insist it has been around through every version of Windows back to at least Win98; yet I keep getting told that is impossible.

    Yeah right.

    I propose El Reg has a competition; a full set of Vulture gear to the person who turns up the oldest code found in the latest Win10 build.

  8. JimmyPage Silver badge
    Boffin

    TL;DR but this seems a variant of message loop hacking ?

    Us greybeards know how multitasking OSes actually work - by cycling through a message loop deep, deep, deep inside the actual silicon. At that level, the OS trusts - *has* to trust - that the queue of commands has been legitimately created.

    It is possible to secure a message loop against hacking - by signing every message with the key of the process that inserted it. But we prefer performance to security.

    1. Michael Wojcik Silver badge

      Re: TL;DR but this seems a variant of message loop hacking ?

      Not really, no. It's a system component running with excessive privilege and a whole bunch of buffer-overflow vulnerabilities. The interface used to exploit those vulnerabilities is not privileged.

  9. Winkypop Silver badge
    Devil

    No problem

    Plenty more where that came from...

  10. Anonymous Coward
    Anonymous Coward

    "buried in Windows since the days of WinXP"

    I knew the wisdom of my decision to never upgrade from Windows ME would be vindicated by history.

    1. Anonymous Coward
      Anonymous Coward

      Re: "buried in Windows since the days of WinXP"

      It was probably there in Windows 1.0

      I've made this comment thousands of times over the years, to no effect whatsover in corporate policy, but Windows - even the latest version - is insecure by design. Because at the most fundamental level in it's kernel, it still expects there to be one user. Which didn't make much sense in the 80s, as multi user systems were already up & running.

      So 35 years on. and we've arrived at a situation where the safest way to contain Windows is in a VM somewhere that can't break out. The VM itself (of course) won't be running on Windows.

      1. phuzz Silver badge
        Facepalm

        Re: "buried in Windows since the days of WinXP"

        The NT kernel was designed to be, and is, multiuser, and has been used in Windows since NT (obv), and in all versions of Windows since 2000.

        I can only imagine that your demands for corporate policy changes also include missives about the lack of CRT monitors and floppy drives.

        (PS, a single user OS made sense in the 80's when the OS was designed for use on machines which could physically only be operated by one user at a time. Mac OS classic wasn't multiuser either)

        1. Anonymous Coward
          Anonymous Coward

          Re: The NT kernel was designed to be, and is, multiuser,

          Who said it wasn't ?

          The problem is that it still has to provide some thunking down to single-user mode in order to keep that precious compatibility with certain flagship apps.

          IE being one of them.

          At which point all bets are off, as the kernel can't validate what it's passing and has to hope it's what was intended.

          It's deep. It's *very* deep. But its there.

        2. Richard Plinston Silver badge

          Re: "buried in Windows since the days of WinXP"

          > when the OS was designed for use on machines which could physically only be operated by one user at a time

          In the late 1970s I used, and programmed for, multiuser MP/M machines that were 8085 based with bank switching 256Kb memory with two or three serial terminals. I still have one of these here (but not switched on for may years). I also have a couple of multiuser Polymorhic 8813 64Kb machines from the mid 70s that had two or three monitors running off a multi-port video card.

          There were many multiuser/multitasking OSes that ran on 8080, 8085, 8086 or 680x0 machines at the end of the 1970s. These even ran on the IBM PC/XT such as DRI's Concurrent-DOS that had one user on the monitor and two on serial terminals (preferably with an EEMS memory card).

          > The NT kernel was designed to be, and is, multiuser,

          It certainly was designed to be, but Bill had them remove this feature because he wanted to sell a copy of Windows NT to each and every user and not one copy to be shared by several. Citrix brought multiuser operation (concurrent) to OS/2 (again with serial terminals) and then to NT. MS had to obtain Citrix's code to make TSE (Terminal Server Edition) to make NT multiuser concurrently.

          1. Michael Wojcik Silver badge

            Re: "buried in Windows since the days of WinXP"

            It certainly was designed to be, but Bill had them remove this feature

            Rubbish. Multiuser support may have been removed from userland in non-server versions of Windows, but it most definitely remains in the kernel. All NT versions support multiple WinStations, Sessions, and Desktops, and every thread has a security token which identifies what user account it's running as.

            What Citrix added was userland support for making use of those multiple WinStations, Sessions, and Desktops. RDP does something similar, as does Fast User Switching.

            While Windows (even the server versions) is not particularly good at supporting multiple simultaneous users - certainly not nearly as good as pretty much any other multiuser OS - that's not because some feature was removed from the kernel.

            1. Richard Plinston Silver badge

              Re: "buried in Windows since the days of WinXP"

              > Multiuser support may have been removed from userland

              Granted. It was removed from userland for the reason given, and then added back into userland by Citrix.

            2. Arthur Daily

              Re: "buried in Windows since the days of WinXP"

              Remember GCHQ and other security organisations giving Windows Evaluated product status EAL ratings for the Military/Govt etc?

              Well it seems every bloody text field was nickable, and probably not xor'ed out letting it be hoovered up by something else. Its great news for the next Snowden or Assage or Manning. I doubt this has been patched everywhere and I doubt sensitive text boxes have not been wrapped up, by poorly written apps. IBM mainframe has memory keys and storage pools - so not nickable. I bet this breaks screen scraping and disability/Blind applications as well.

  11. Nageki
    Holmes

    Privelage escalation

    Every day there are new privelage escalation exploits being uncovered, whether in Windows, drivers, or third party applications. At this point I think it is fairly safe to say that if you have malicious code running on your Windows machine, it is already too late.

    That is no excuse not to fix them of course, but it seems like wishful thinking to assume that they will ever all be discovered, let alone fixed.

    1. vulture65537

      Re: Privelage escalation

      privilege

  12. Walter Bishop Silver badge
    Terminator

    Windows and legacy code

    Who was it touting Windows as containing all brand new code that wouldn't need anti virus?

  13. GreggS

    Next you'll be telling us MS Paint has a vulnerability!

  14. O RLY
    Windows

    Not 2001

    But 2018 had the same calendar. So, too, do Windows bugs cycle and recycle with minor tweaks.

  15. DJ

    MS Paint has a vulnerability.

    But only while the computer is switched on.

    (runs toward jacket near door...)

  16. fidodogbreath Silver badge

    Sandbox?

    Even sandboxed AppContainer processes can perform the same attack

    Apparently, AppContainer is more sand than box.

    1. Robert Moore
      Coat

      Re: Sandbox?

      "Apparently, AppContainer is more sand than box."

      I knew a girl like that once... Very abrasive, and didn't put out.

      Sorry, couldn't resist.

  17. Frank Thynne

    Microsoft just doesn't care

    As every day passes I become more disturbed by Microsoft's disregard for Quality Assurance in its culture and feel that it is heading for a reckoning that could destroy it and much of the world's economy with it.

    To continue to develop new features while failing to deal with long-established flaws is reckless and offensive. It's time to treat Microsoft's licence terms are unfair and unenforceable and sue it for selling dangerously flawed products before it becomes too late.

    1. Anonymous Coward
      Anonymous Coward

      @Frank Thynne - Re: Microsoft just doesn't care

      Why would they care ? It's not like they're losing clients on that. And they are not alone, just look at Facebook, Equifax, CapitalOne, number of big banks and all others. I keep learning in security classes about loss of reputation but I fail to see it materializing in real life.

  18. Trixr Bronze badge

    Nothing is ever too trivial

    Especially since I literally just came across a fairly reputable and recentish Windows admin blog advising in great detail how to allow non-Domain Admins to logon to your DCs via RDP. I mean, FFS, if you don't know what RSAT tools are for, you shouldn't be running a domain.

    So yeah, get some rando doing password resets on your DCs and enjoy the privilege escalation attacks right on the security source.

    The article stupidity was compounded by advising the use of group policy to add a nested group to the BUILTIN/Remote Desktop Users group so that the config would "apply to all DCs". If you don't know that the domain BUILTIN groups apply to all DCs anyway, see earlier remark about capability in running a domain.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019