Google, Microsoft work together for a year to figure out new type of Windows flaw

Researcher finds building blocks for privilege escalation: Can they be assembled to create a flaw?


(credit: Marco Verch / Flickr)

One of the more notable features of Google Project Zero's (GPZ) security research has been its 90-day disclosure policy. In general, vendors are given 90 days to address issues found by GPZ, after which the flaws will be publicly disclosed. But sometimes understanding a flaw and developing fixes for it takes longer than 90 days—sometimes, much longer, such as when a new class of vulnerability is found. That's what happened last year with the Spectre and Meltdown processor issues, and it has happened again with a new Windows issue.

Google researcher James Forshaw first grasped that there might be a problem a couple of years ago when he was investigating the exploitability of another Windows issue published three years ago. In so doing, he discovered the complicated way in which Windows performs permissions checks when opening files or other secured objects. A closer look at the involved parts showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so. The big question was, could these elements be assembled in just the right way to cause a problem, or would good fortune render the issue merely theoretical?

The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file.
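A toy model of the rule just described, added here as an illustration and not code from the article, from Google Project Zero, or from Windows: an ordered DACL walk that compares the caller's user and group names against allow and deny entries, a naive open routine that skips the walk for kernel-mode requests, and a hardened variant in which a kernel-mode caller acting on a user-supplied request can force the check anyway. The names Token, Ace, evaluate_dacl, open_file, open_file_forced and force_access_check, and the sample ACL, are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    USER = "user"
    KERNEL = "kernel"

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Ace:
    allow: bool      # False = deny entry
    principal: str   # user or group name this entry applies to
    rights: int      # bitmask of rights granted or denied

READ, WRITE = 0x1, 0x2

def evaluate_dacl(dacl, token, desired):
    """Walk the ACL in order: a matching deny that overlaps the request blocks it;
    matching allows accumulate until every desired right is covered."""
    principals = {token.user} | token.groups
    granted = 0
    for ace in dacl:
        if ace.principal not in principals:
            continue
        if not ace.allow and ace.rights & desired:
            return False
        if ace.allow:
            granted |= ace.rights
            if granted & desired == desired:
                return True
    return granted & desired == desired

def open_file(dacl, token, desired, requestor_mode):
    """Naive rule from the article: kernel-mode requests skip the check entirely."""
    if requestor_mode is Mode.KERNEL:
        return True
    return evaluate_dacl(dacl, token, desired)

def open_file_forced(dacl, token, desired, requestor_mode, force_access_check=False):
    """Hardened: kernel code that opens a path on behalf of a user-mode caller
    sets force_access_check so the skip does not apply to that request."""
    if requestor_mode is Mode.KERNEL and not force_access_check:
        return True
    return evaluate_dacl(dacl, token, desired)

# Constructed sample: alice may read via the "users" group but is explicitly denied writes.
SAMPLE_DACL = [Ace(False, "alice", WRITE), Ace(True, "users", READ | WRITE)]
ALICE = Token("alice", frozenset({"users"}))
```

With this model, a kernel-mode open that forwards alice's request for WRITE access succeeds under open_file but is refused under open_file_forced with force_access_check=True, which is the gap the article's "building blocks" revolve around.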


Mandatory update coming to Windows 7, 2008 to kill off weak update hashes

Microsoft is phasing out SHA-1 hashes on its patches.



Windows 7 and Windows Server 2008 users will imminently have to deploy a mandatory patch if they want to continue updating their systems, as spotted by Mary Jo Foley.

Currently, Microsoft's Windows updates use two different hashing algorithms to enable Windows to detect tampering or modification of the update files: SHA-1 and SHA-2. Windows 7 and Server 2008 verify the SHA-1 hashes; Windows 8 and newer use the SHA-2 hashes instead. March's Patch Tuesday will include a standalone update for Windows 7, Windows Server 2008 R2, and WSUS to provide support for patches hashed with SHA-2. April's Patch Tuesday will include an equivalent update for Windows Server 2008.

The SHA-1 algorithm, first published in 1995, takes some input and produces a value known as a hash or a digest that's 20 bytes long. By design, any small change to the input should produce, with high probability, a wildly different hash value. SHA-1 is no longer considered to be secure, as well-funded organizations have managed to generate hash collisions—two different files that nonetheless have the same SHA-1 hash. If a collision could be generated for a Windows update, it would be possible for an attacker to produce a malicious update that nonetheless appeared to the system to have been produced by Microsoft and not subsequently altered.


Windows 7 Extended Security Updates will double in price each year

Three years of updates will be available.

Windows 7's free support period ends on January 14, 2020. Microsoft is offering three years of support updates for the operating system on a paid basis with a new program called Extended Security Updates (ESU). Unlike previous after-life support options for Windows, which were offered as part of separately negotiated support contracts, the Windows 7 ESU updates will be available to any volume license customer, regardless of size or sales channel.

Pricing for this support has now leaked to Mary Jo Foley. For organizations already subscribing to Windows Enterprise, the first year of updates will cost an additional $25 per device. This doubles to $50 for the second year and $100 for the third year. Organizations can't skip a year, either; previous years must be paid for to obtain the year two and year three support. For companies sticking with Windows 7 Pro instead of subscribing to Windows Enterprise, the first year will cost $50 per device and will double each subsequent year to $100 and then $200.

There's no minimum purchase for the ESU subscriptions, so companies can buy as few as they need. It's not clear if there will be any volume discounts for larger deployments still stuck with the legacy operating system.


Windows 10 October 2018 Update is at last being pushed automatically

The update is still rolling out at a snail’s pace.

Who doesn't love some new Windows? (credit: Peter Bright / Flickr)

The ill-fated Windows 10 October 2018 Update has hitherto been offered only to those Windows users who manually sought it, either by using the dedicated upgrade and media creation tools or by manually checking for updates in Windows Update. Three months after its initial release, Microsoft has at last started pushing it to Windows users automatically.

The update was originally withdrawn because of a data loss bug. A month after the initial release, the bug was fixed and the fixed update was made available. Even this release was limited, with a number of blocks in place due to known incompatibilities. As described above, it was then only offered to those taking certain manual steps to update their machines. One month ago, these blocks were largely removed.

Even with automatic deployment and installation now enabled, the beleaguered update is still rolling out in phases. Initially, it will be offered to systems where Microsoft is most confident that the update will be trouble-free: machines with configurations already known and tested. As the tap is slowly opened further and the update is made available to a wider range of hardware, the company will use operating system telemetry to detect any lingering incompatibilities with device drivers or unusual software.
