I wonder why Windows Defender has the privilege to alter the system files. Read them for analysis? Sure! Reset (as in, call some Windows API to have it replaced with the original), why not? But being able to write sounds like a bad idea.
However, I don't know what I'm talking about so take it with a grain of salt!
EvanAnderson 2 days ago [-]
AV had traditionally run as SYSTEM on Windows (and, in the past, often had kernel mode drivers too). I've always thought it was a terrible idea. It opens up exciting new attack surfaces. Kaspersky and McAfee both had privilege escalation vulnerabilities that I can recall. There have been a ton in multiple products over the years.
labelbabyjunior 2 days ago [-]
They kind of have to, though.
If malware exploits a privilege escalation vuln, what's the AV going to do about it when it's reduced to the software equivalent of a UK police officer? Observe and report? Stop or I'll say "stop" again?
AV requires great power, which requires great responsibility. The second part is what often eludes AV developers.
EvanAnderson 2 days ago [-]
The OS should do the SYSTEM-level lifting and scanning processes and behavior analysis should run sandboxed as low priv processes. It would require a clearly defined API and I feel like MSFT was always reticent to commit, leaving AV manufacturers to create hacky nightmares.
labelbabyjunior 1 days ago [-]
Well the OS should do nothing—remember MS was taken to court over that—but better privsep on the part of the AV, sure.
Technically, Defender can be replaced with 3rd party AV.
bux93 1 days ago [-]
Windows has separate SeBackupPrivilege for backup software, so why not for AV?
arcfour 23 hours ago [-]
What would this privilege look like that is meaningfully different from SYSTEM while being properly protected from/able to deal with malware that has an LPE?
formerly_proven 1 days ago [-]
“Because the remediation component requires SYSTEM, the entire AV needs to run as SYSTEM and we have to unpack malware in the kernel”
Fokamul 1 days ago [-]
Because to get Ring0, you just need signed vulnerable driver.
There are tons of signed drivers to explore ;-)
labelbabyjunior 2 days ago [-]
Some files under Windows are protected as the TrustedInstaller user, which is a more restrictive level of permissions than SYSTEM.
Unlike Windows Defender which is passive aggressive.
IFC_LLC 1 days ago [-]
I remember the times when Microsoft had a lot of problems 20 years ago because of Sasser and other viruses that were taking over Windows. They did not have any contenders. Yet they stopped all software development for 9 months just to rework their entire codebase to prevent things like direct memory execution and stuff like that. The result of that was Windows XP Service Pack 2. After that, Windows XP became a legend.
Now, when Linux is slowly creeping on one side, and Mac NEO on another they keep releasing this AI-slop.
By the looks of it they make most of their money from the cloud and other software things nowadays. And Windows has become a sidekick in their processes.
toyg 1 days ago [-]
I don't think SP2 made much of a difference in the popularity of XP. It was already dominant, and it's mostly remembered as "legendary" because it had become the target platform for every hardware and software vendor on the planet. Windows 98 was too flaky to engender any serious friction to upgrades, and Windows 2000 was not consumer-friendly enough; XP effectively unified the consumer and professional desktop markets, and became the gold standard.
SP2, if anything, slowed down adoption, since it threw a bunch of spanners in the way of third-party code. It was probably necessary, just to stem the flow of bad press, but by no means a key to XP's overall success.
IFC_LLC 1 days ago [-]
It was not that bad. I remember when the SP fixed a bunch of issues with Bluetooth, and the Windows CD burning program was better than any of the Nero Burning ROMs, because those had become unusably bloated.
steve1977 1 days ago [-]
Also, technically XP was Windows NT 5.1, so it was built on a solid basis.
Whereas 98 was still in the kinda DOS-based 9x line.
And I fully agree with you to not mention Windows Me.
hulitu 22 hours ago [-]
> I don't think SP2 made much of a difference in the popularity of XP
The general knowledge was to wait until the SPs were stable. This was hard. 4.0 had SP6, 2k had SP4.
orbital-decay 1 days ago [-]
There were several points in time (after the SP2 too) when installing WinXP with an active internet connection was nearly impossible, because it would get infected during the installation and shut itself down halfway through it.
nailer 1 days ago [-]
> Windows XP Service Pack 2. After that thing windows XP became a legend.
God that was an era. XP SP2 was a great OS, IE was the best browser, MSN was the most popular messenger, Skype was acquired, HTC's Windows CE devices were shipping real web browsers that worked over 3G.
By the end of the Ballmer era, Microsoft had lost the OS, the browser, the messenger, the meeting service and mobile.
uep 1 days ago [-]
I agree with you on everything except the browser. I'm pretty sure I was using Firefox (or maybe Opera?) on Windows before the release of Vista. I know I was still using IE for some ActiveX web apps for a while. This was the era that I switched over to Linux full-time, but both Windows 2000 and XP were great OSes at this time. Linux was painful to adopt, but I really loved the promise of "full-control" over my computer.
My peeve today is how bad modern chat programs feel compared to the old instant messengers. The modern programs all feel slow and clunky in comparison. I felt that all of the messengers I used (MSN, AIM, ICQ) were more responsive than their modern day equivalents.
Ah, what times those were. Firefox was just gaining traction.
And I agree. Slack is sitting there, consuming over a gig of memory on my computer, and Miranda NG was able to do the same functionality with cool skins and just 30 megs of RAM.
Yes, I've just checked: even in 2009 IE still had over 64% of browser usage.
uep 1 days ago [-]
They said IE was the best browser, not the most popular. I wouldn't dispute that IE was more commonly used at the time.
Just checked your link and this fits with what I thought in terms of marketshare. You can see that Firefox was ~25% of marketshare in 2009. Which is an enormous share of the pie when you consider that they couldn't stick a download link on the front page of the most dominant search engine, and it didn't come preinstalled.
Never used Maxthon.
Damn, this also reminded me that RSS feeds were everywhere back then, and the browser supported it directly.
IFC_LLC 1 days ago [-]
Oh don't tell me about Nero, Winamp, eMule, Download managers, auto-dialers, free internet on Saturdays after 2am till 9am, miranda NG, PHPBB, etc.
The internet was awesome.
nailer 24 hours ago [-]
> They said IE was the best browser, not the most popular.
TBF I should have said 'most popular' for all those categories.
Seriously, this is my bugbear with code for Windows: how did you figure that invocation out?
Anything for Linux you just type "make". If the author skipped a makefile, there's rarely much to it.
But when someone has a cpp file for Windows it looks like this.
delta_p_delta_x 12 hours ago [-]
This is a misrepresentation. This command-line is the compiler invocation, and is not the equivalent of 'make' on Windows. The actual equivalent on Linux, in the same order of the arguments to cl.exe, would be:
I see no difference. One uses slash-demarcated arguments, the other uses hyphens. The g++ invocation is missing the flag for the exception handling model[1]. Otherwise, it is a matter of what you are used to. In fact, if you have MinGW, this exact command-line invocation will probably work correctly.
When you install the VS build tools you get nmake which processes most Makefiles just fine. Or you get a solution file, in which case you just open the solution in VS and press F5. Or if you are hung up about doing it in the command-line, it would be
msbuild.exe foo.sln
Or with CMake, which has a cross-platform command-line,
cmake --preset somepreset
Linux people who don't know Windows and complain that 'it looks like this' is my bugbear, when they can spend hours fixing a dumb in-tree driver with printf debugging that works plug-and-play on Windows.
I'd love to think that this person is a rogue AI (better than Claude mythos?). Dropping two zero days in one month is pretty interesting. Nice work.
Dwedit 1 days ago [-]
Any way to disable the entire cloud tag system?
ranger_danger 2 days ago [-]
> normally I would just drop the PoC code and let people figure it out
Looks like that's exactly what they did though?
Or maybe they just meant that they don't usually explain how it works?
kijin 2 days ago [-]
They gave it a sexy name and set up a website about it (a github repo, at any rate), instead of just talking about it in a mailing list and getting a CVE like a proper bearded security researcher.
tclancy 1 days ago [-]
It’s getting warm above the equator, they may have shaved for the season.
luma 1 days ago [-]
Tried to download and Defender blocks it.
trollbridge 1 days ago [-]
That's how the exploit works.
luma 1 days ago [-]
I can't seem to find any system files replaced, and the .exe was never executed. I'm running this in a test VM, but from what I can see, Defender signatures have been updated to block this prior to execution.
The exploit, from my reading, needs to be executed in order to do its thing, but Defender isn't allowing it to be written to the filesystem on download.
molticrystal 1 days ago [-]
What is Defender marking it as? I also wonder if they are just special casing this program and it would work again if the code was shuffled a bit or if it used the AMSI sig [0] instead of EICAR or if they actually fixed the problem.
A local privilege escalation to root via an exploitable service?
Doesn't Linux have one of these CVEs...each week?
hnlmorg 1 days ago [-]
Only if you’re running daemons as root. Which would be an idiotic move to begin with because that’s not how distros package their services. So you’d have to intentionally make this mistake.
GuestFAUniverse 1 days ago [-]
Intentionally?
Ignorance is bliss!
Simply use docker in its (old) default setup, instead of podman, apptainer, docker-rootless ... and that world is yours.
Added bonuses are the incredibly stupid integration with ufw on Ubuntu, images with laughable uid mapping, ...
How that shit got traction baffles me.
hnlmorg 1 days ago [-]
That’s just the docker daemon. The actual docker services would (or at least should) still be running as its own user/group just like they would if you were running them on the host.
And that’s exactly how any reputable image would be built.
BodyCulture 1 days ago [-]
No.
hsbauauvhabzb 1 days ago [-]
Probably, but is that service deployed as part of the base operating system or a third party package? Can you remove the service if you deem the crazy service behaviour is unnecessary or too risky for your usecase?
IshKebab 1 days ago [-]
Not quite every week, but yeah it has a lot. And if the target uses sudo at all you don't even need an exploit!
But nobody mentioned Linux. There's no need for whataboutism. They both shouldn't have these vulnerabilities.
hnlmorg 1 days ago [-]
> And if the target uses sudo at all you don't even need an exploit!
Why would a target executable use sudo? There are proper mechanisms for automated elevation of permissions and sudo isn’t it.
sudo is designed for user interactivity. And by default prompts for a password. However some people get lazy and disable the password entry requirement.
IshKebab 1 days ago [-]
A target user. If you get local code execution on the account of a user that uses sudo you can trivially get root. Doesn't matter if they disabled the password authentication or not.
hnlmorg 21 hours ago [-]
Of course it matters if they disabled password authentication. If you require password authentication when running sudo then an attacker has to find an RCE exploit and then crack a password. Which is waaay beyond any effort the average attacker is willing to invest. Because at that point, root access isn’t really worth the effort.
An attacker will probably just use the host for sending spam emails, bot / DDoS traffic or look for other daemons they can jump to which weren’t web accessible (eg a database).
And furthermore, if you’ve got an RCE in a daemon then that code is running as the daemon’s user. Which shouldn’t be in the sudoers file (eg wheel group) to begin with.
IshKebab 10 hours ago [-]
> If you require password authentication when running sudo then an attacker has to find a RCE exploit and then crack a password.
Nope! Just alias sudo to something that logs the password.
hnlmorg 14 minutes ago [-]
How are you going to do that without write access to the user's home directory?
Like I said before, your RCE exploit will be running as the user and group of the service you exploited. For example www:www.
So you’re not going to be able to write into Joe Bloggs' .bashrc file unless Joe was stupid enough to enable write permission to “other”. Which, once again, requires the user to purposely modify the system into being less secure than its default configuration.
gamer191 6 hours ago [-]
Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo. Then the user would run the command, be prompted for their password by the real sudo, and be none the wiser that a malicious script has just been executed.
For what it’s worth, Windows’ security model says it’s not an exploit that programs can grant themselves admin rights if the user is an admin (https://github.com/hfiref0x/UACME). But afaik Linux doesn’t have that model so it is a bit of an issue that this is possible.
hnlmorg 5 minutes ago [-]
> Interesting. If that’s possible
It’s not possible. At least not unless those users have already borked their own system.
The previous poster was clutching at straws.
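A defender's check for the two conditions argued over in this subthread (shell rc files writable by accounts other than their owner, and rc files that redefine sudo as an alias or function), as an added example that is not from any commenter. The directory it audits in `demo` is constructed and throwaway, not a real user's home.

```shell
#!/bin/sh
# Added example, not from any commenter: audit one home directory for
# (1) shell rc files writable by group or other, which would let a
#     low-privilege service account (e.g. www:www) edit them, and
# (2) rc files that redefine `sudo` as an alias or function.

# Startup files inspected (constructed list; extend as needed).
RC_FILES=".bashrc .bash_profile .profile .zshrc .bash_aliases"
# ERE matching an alias or function definition named sudo.
SUDO_DEF='^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([^[:alnum:]_]|$))'

# Returns 0 if $1 is writable by group or other (mode string like -rw-rw-r--).
rc_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# Returns 0 if $1 defines an alias or function named sudo.
rc_redefines_sudo() {
    grep -Eq "$SUDO_DEF" "$1" 2>/dev/null
}

# Audit home directory $1: one finding per line; returns 1 if anything was found.
audit_home() {
    found=0
    for f in $RC_FILES; do
        p="$1/$f"
        [ -f "$p" ] || continue
        if rc_world_writable "$p"; then
            echo "WRITABLE: $p ($(ls -ld "$p" | cut -c1-10)) is writable by group/other"
            found=1
        fi
        if rc_redefines_sudo "$p"; then
            echo "OVERRIDE: $p redefines sudo:"
            grep -En "$SUDO_DEF" "$p" | sed 's/^/    /'
            found=1
        fi
    done
    return $found
}

# Demo on a constructed, throwaway home directory (not a real user's).
demo() {
    d=$(mktemp -d)
    printf 'export EDITOR=vi\n' > "$d/.profile"; chmod 0644 "$d/.profile"   # clean
    printf 'alias sudo="/tmp/not-sudo"\n' > "$d/.bashrc"                    # override
    chmod 0666 "$d/.bashrc"                                                 # and other-writable
    if audit_home "$d"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo || echo "(findings present)"
```

Run it as the user being audited, or as root across /home; the same checks apply to any startup file the login shell sources.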
Lol
I remember the times when IE passed the ACID test. Do we remember ACID? http://acid2.acidtests.org/#top
Skins... Skins... We've lost even those...
Never heard about it (Europe).
[1]: https://learn.microsoft.com/en-gb/cpp/build/reference/eh-exc...
[0] https://github.com/Roadmvn/C-Full-Offensive-Course/blob/main...
With a link to: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...