> Windows Vista was aimed to bring UIPI, adding a "privelege level" to
the
process structure and changing the messaging system in a way so that
windows with "lower" priveleges are not allowed to send messages to
windows with "higher" priveleges, however, as far as I can see, one can
only make use of this feature for processes started with a filtered
token or software explicitly using SetNamedSecurityInfoW calls, so
threats may remain for services with GUI components and high-priveleged
applications started via runas or EPAL.

You're correct, but that statement is misleading since--in
fact--everything launched from an administrator account WILL be run with
a restricted token by default. Only applications with known
compatibility problems, installers, or those explicitly requesting
administrative privileges (either in a manifest or by the user doing
right-click "Run As Administrator") will run unrestricted. So this is
actually quite an effective solution. So this attack is not very useful
anymore. The only case where I found a Stter attack to be useful on
Vista is in a loq/medium integrity application with UI Access. In
earlier builds, UXSS.EXE was the only such process. On my beta 2
machine, this process doesn't seem to exist anymore, so I don't think
there are any attack vectors for Shatter anymore.

-----Original Message-----
From: Denis Jedig [mailto:seclists (at) syneticon (dot) de [email concealed]]
Sent: Saturday, August 05, 2006 3:34 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Account Control: Running Windows Vista with Least Privilege

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> *This session talks about the technology behind this change to
> Windows, including the isolation of Admin from Standard User code on
> the same desktop,

I would like to add that running higher priveleged applications on the
same desktop as lower priveledged ones is accompanied by a
security-relevant design flaw in Windows' unauthenticated window message
system allowing shatter attacks on windows of higher-priveledged
processes. I'd reference to the excellent work of Chris Paget
for further details.

Windows Vista was aimed to bring UIPI, adding a "privelege level" to the
process structure and changing the messaging system in a way so that
windows with "lower" priveleges are not allowed to send messages to
windows with "higher" priveleges, however, as far as I can see, one can
only make use of this feature for processes started with a filtered
token or software explicitly using SetNamedSecurityInfoW calls, so
threats may remain for services with GUI components and high-priveleged
applications started via runas or EPAL.

| All applications run by a limited user have the same UI privilege
| level. As a limited user, applications are run at a single privilege
| level. UIPI does not interfere or change the behavior of window
| messaging between applications at the same privilege level. UIPI
| comes into effect for a user who is a member of the administrators
| group and may be running applications with least privilege (sometimes
| referred to as a process with a filtered token) and also processes
| running with full administrative privileges on the same desktop. UIPI
| prevents lower privilege processes from accessing higher privilege
| processes by blocking the following behavior.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/

html/AccProtVista.asp

Denis

------------------------------------------------------------------------

---
------------------------------------------------------------------------

---

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

[ reply ]