Windows 8.1 Administrator Access
Windows 8.1 Administrator Access

Windows 8.1 bug Allows Administrator Access

Security,
04
Feb 2015

Windows 8.1 Administrator Access

Google publicly disclosed a Windows 8.1 bug that allows administrator access to PCs. The disclosure highlight a vulnerability affecting millions of users.

This has left Microsoft outraged, especially considering that they were about to release a patch for it.

The news originated from Forshaw, one of Google’s researchers who found the bug and published it online. The bug is backed up by the Google’s POC (proof of concept) scheme, which was tested on an updated version of Windows 8.1. It’s not entirely clear whether earlier versions of Windows, such as Windows 7 operating systems, are also affected by the bug.

Microsoft went on to express their displeasure by stating that such bug reports shouldn’t be released until after a fix has been made available.

According to Microsoft, for such a bug to cause problems, the perpetrator trying to access the computer would need to know the password of the local machine. This is still a big enough risk to have over a network, as any hacker will use this simple fact as motivation to steal passwords and ultimately gain elevated user privileges.

An unpopular decision?

Google’s Project Zero carries out research and bug testing on various systems. Once they find a bug, their policy is to give 90 days for the vendor to fix the issue.  The 90 days disclosure time had passed and Google went ahead and published their report a couple of days short of Microsoft releasing an update, on their patch Tuesday.

Patch Tuesday occurs on the second, and sometimes fourth, Tuesday of each month in North America.

Patch Tuesday occurs on the second, and sometimes fourth, Tuesday of each month in North America.

It leaves little to guess why Microsoft recently pulled their ANS (Advanced Notification Service) from the general public and made it only available to paid Premier support clients. This means that only paying customers would know of the security issues before their scheduled release on Patch Tuesday.

The vulnerability: Briefly explained

An internal function exists within the Windows 8.1 operating system, known as AhcVerifyAdminContext. Google’s proof of concept tested this using a couple of programs and some commands to bring up the calculator in Windows as an administrator.

Vulnerability Overview:

  • The vulnerability in unpatched versions of Windows 8.1 has a function which consists of a token. The problem is that this token doesn’t correctly verify if the user logged onto the computer is an administrator.
  • It checks the footprints from user’s impersonation token and matches these between the user’s SID and the system’s SID.
  • What it doesn’t do is verify the token’s impersonation level against anything else.
  • This leads to the vulnerability where an identity token can be added from a local process on the system, and as a result, skip the verification stage.
  • This vulnerability only needs to be exploited by someone who knows that it’s available on an un-patched version of Windows 8.1.
  • The hack could be something like an executable that creates a cache, and uses a registry entry on the computer to reload itself.
  • All that would be required is to use an existing application on the computer to run and elevate these privileges.

The proof of concept Google used includes two program files and a set of instructions for executing it. This resulted in the Windows calculator running as an administrator. Forshaw states that the bug is not in UAC (user access control) itself, but that UAC is used as part of it to demo the bug.

Protecting Yourself and Your Business

We suggest keeping your anti-virus updated, along with Windows Security Updates to patch up known vulnerabilities on the computer. Depending on your office set-up, it is also a good idea to enable firewall on PCs too if not at least your network.

For more ways to secure your business data and systems, contact your local IT professionals.

Read More

Office 365 Users: Hack Vulnerability

Security, Software, Uncategorized, , , ,
05
Jan 2014

OnsitePCSolution_Office_365_Vulnerability

Noam Liran, the chief software architect at Adallom, recently detected a flaw in Microsoft Office 365 which can easily expose account credentials through Word Documents that are hosted on a webserver which is currently invisible to existing anti-virus software.

What Specifically Is The Problem?

When a user downloads a document from a SharePoint server, the user is required to log in their account first – after which the server verifies the login credentials and then issues an authentication token. Liran discovered that he can use his own server to copy the responses which are sent from the sharepoint.com domain server.  At that point he can generate and fake the token. An attacker doing this can inject his code to connect to an untrusted web server to capture the user’s private Office 365 authentication token.  This allows the attacked to go to the user’s organization’s SharePoint site to access anything they want without the user knowing. According to Liran this is a perfect cyber crime in which the organization does not know they have been hit.

Microsoft has been working on this vulnerability, but at the time of this writing the backdoor still existed.

How would this work in the real world?:

  • The user will get an e-mail asking them to review a document or visit a webpage. This document could be coupons, someone’s CV or contract.
  • The user will click on the link and be redirected to Sharepoint which will ask to open the document in Word. If the user accepts, Word will request the document from the malicious webpage.
  • The malicious webpage in turn will ask Word for an Office 365 token. The malicious webpage gives Word a legitimate looking document in return. The attacker will then have the Office 365 token and access to the organization’s data.

OnsitePCSolution_Word_Document

This is a serious potential threat to organizations and companies that use Office 365. Important company data can be stolen without anyone knowing. The attacker could also monitor the data which could be confidential. The attacker also has access to delete the data.

What Can I Do To Protect My Business?

Until Microsoft comes up with a solid solution to this vulnerability, users should not open any unknown or suspicious looking emails.  They should also confirm from known senders to verify the authenticity of the email.  It is also important to absolutely avoid clicking on any unknown URLs and links or open attached documents in a file.

For further assistance, let your office IT support know about this vulnerability and stay ahead of a corporate data breach.

 

 

Read More
1 10 11 12