September 6, 2002 01:01 PM PST
Welcome, new admin
Brian Livingston
You know how to set up Windows 2000 and XP workstations so that users must log on with passwords
and they can't administer other users or your network. It's easy, right?
Wrong. The basic design of the Win32 architecture, going back to 1993, has
enough built-in weaknesses to allow anyone with guest privileges to gain
full admin rights.
The problem, in a nutshell, is that Windows allows applications to run with
higher privileges than the current user of the PC enjoys while still
interacting with that user's desktop. These are known as "interactive
services." If a user gets such an app to run a command that requires system
privileges, well, hello, new admin.
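A practical first step for an administrator is to find out which services on a machine are both allowed to interact with the desktop and run under a privileged account, since those are the ones the column is warning about. The audit script below is an added example, not code from the column or from any vendor it names; it assumes a Windows host where the Win32_Service WMI class is available (its DesktopInteract property reflects the service's interactive flag), and the list of accounts it treats as privileged is an assumption you may need to extend.

```powershell
# Added audit example (not from the column): list services that are both
# allowed to interact with the desktop and run under a privileged account.
# Assumes the Win32_Service WMI class is available; DesktopInteract is true
# for services created with the interactive-process service type.

function Get-InteractivePrivilegedService {
    param(
        # Accounts treated as privileged (assumption; extend for your site).
        [string[]]$PrivilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -eq $true } |
        ForEach-Object {
            # WMI reports LocalSystem either by name or as an empty StartName.
            $account = if ($_.StartName) { $_.StartName } else { 'LocalSystem' }
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Account     = $account
                State       = $_.State
                StartMode   = $_.StartMode
                PathName    = $_.PathName
                Privileged  = ($PrivilegedAccounts -contains $account)
            }
        } |
        Where-Object { $_.Privileged }
}

# Print the findings; an empty table means no interactive services run
# under the accounts listed above on this host.
Get-InteractivePrivilegedService |
    Format-Table Name, Account, State, StartMode, PathName -AutoSize
```

Run it in an elevated PowerShell session on each multi-user workstation; every row is a service whose vendor should be asked whether desktop interaction is really required, and a candidate for being stopped or reconfigured if it is not.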
Microsoft has long advised outside companies not to take advantage of
interactive services. But Windows undoubtedly includes such capabilities
because Microsoft developers wanted them.
An example is the Still Image Service, a Windows 2000 program that runs
automatically when you plug in a scanner, camera, or similar device.
In September 2000, Microsoft acknowledged that an ordinary user of a Windows
2000 machine could use this service "to assume any desired level of
privilege." The resulting admin rights might not be limited to the hacked
PC. As Microsoft said at the time, "It's unlikely, but not impossible, that
the malicious user could extend control to the rest of the network" (see
http://www.microsoft.com/technet/security/bulletin/MS00-065.asp).
Microsoft eliminated its program's problem in Windows 2000 Service Pack 2.
But now it turns out that you're at risk in a lot of other ways.
Chris Paget, a consultant who goes by the handle Foon, has published a paper
showing that numerous apps allow users to gain admin privileges. For
example, with fairly simple utilities, he can use Network Associates'
VirusScan 4.5.1 to grab system rights. (His paper is making waves because
pros disagree on how far the hole goes. Please read
http://online.securityfocus.com/archive/1/286185/2002-08-25/2002-08-31/1.)
VirusScan spokesman Ryan McGee says, "This flaw could be exploited to cause
serious damage, so we have to take it seriously, and we do."
Many apps allow this instant-admin trick, even by remote access. "Clearly
this is a serious design flaw in Windows that violates basic security
principles," says privacy expert Richard Smith, the proprietor of
ComputerBytesMan.com. "It seems any corporation with Windows NT/2K/XP boxes
set up with multiple users needs to be concerned."
In the future, Microsoft could stop ordinary users from communicating with
processes that have high privileges. But this would hose so many apps that
it apparently won't be done.
Microsoft's director of security assurance, Steve Lipner, says, "We are
aggressively addressing this issue." If the problem can be patched without
breaking apps, he said, Microsoft will do it. But, he added, "If this is
strictly a matter of third parties using the API in a way that is counter to
our recommendations, and there was nothing we could do, we'd call it a day
and walk away."
Send tips to Contributing Editor Brian Livingston at brian@brianlivingston.com.
Get Window Manager and his E-Business Secrets e-zine free at