Neowin.net

Yeah. It's an exploit, like the little Windows XP hack where you can get admin with just CMD and task manager.

Oh please, NO MORE OF THE STUPID "software that does bad things can be made by the user to run on Windows" supposed flaws. Guess what!? My car has an unfixable flaw! If I drive it into a brick wall at 100 MPH it will be destroyed and everyone inside will most likely die.

I think if someone has physical access there are a lot of exploits, the entire point is that you have to physically be sitting at the computer.

Exactly. I guess I can now claim that reformatting a hard drive is an 'Unfixable' exploit as well.

The only reason these security exploits call it an 'Unfixable' exploit is because it generates hype.

This doesn't even have anything to do with Windows 7. It's a theoretical "attack" that affects every OS ever. I'm really confused why people are repeating this story.

Are you from the Department of Redundancy Department?

dude...i had to litterally LOL @ that comment. so damn funny!!!

I think you meant that it affects both Vista and 7, since is uses the new WINLOAD.EXE boot process that was introduced in Vista. And you might have also meant that this is more than "theoretical", since it has been demonstrated.

Other than that, your statement is pretty accurate.

I've heard that one before.

Now be a good little boy and fetch me a bucket of steam and some glass nails aswell please

I think what he meant is that the idea that software can be made to harm any OS if it is installed/run locality by a user with root privileges. This is not a flaw in Windows, it is an example why real-time anti-virus software is important, especially for users who don’t understand the difference between safe attachments and executables.

I meant you can also do this against XP, Linux, Mac OS, FreeBSD, OpenBSD, etc.

You clearly said:
This doesn't even have anything to do with Windows 7. That is untrue.

and
It's a theoretical "attack" that affects every OS ever. When it is not theoretical. It was demonstrated. It used the fact that Windows Vista & 7 use a boot loader that makes an incorrect assumption that loaded code = executed code = safe. Please demonstrate how their method can be used against, say OpenBSD. There is a PDF that shows their method linked in the article.

No it isn't. The only reason Windows 7 was mentioned in the story was to have a more interesting headline. The actual "attack" is a theoretical one which affects any OS that I'm aware of. The proof-of-concept they have targets Vista and happens to have the same impact on the current builds of Windows 7, if the largely impactical preconditions are met.

Calling it "unfixable" is ridiculous, there are numerous ways to protect yourself from this attack, many of which are already employed commonly enough. My Vaio Z running Win7 is impervious to this kind of attack, for example, for several reasons.



It's theoretical because it makes assumptions which usually are not valid. For instance, "I can somehow alter the code loaded into memory, after it is loaded but before it is executed during the boot process without the OS noticing."

If you can do that, it will work against any OS. It won't work against Windows if you're using a TPM, as my laptop does for instance, because Windows continually verifies that the boot path has not been altered. I don't even think their POC works on EFI systems to begin with. And it won't work against any machine if you can't inject code via a boot device. So unless you can physically open the machine and attach a new drive and then edit the BIOS configuration (assuming there's no password protection on it) to boot to that device, you can't even get started with attempting this attack. You can't just leave a bootable CD in the drive even if the disc is bootable, because at power on the machine will say "press any key to boot to CD/DVD."

I can't think of any attack based on this idea that wouldn't be significantly less practical and effective than a simple hardware keylogger attached to the keyboard.

*cough*Mac"*/cough*

Sorry, couldn't resist.

This would affect Mac OS X, Unix, Linux, FreeBSD, all Windows Versions, etc... Basically this type of exploit can affect every single OS.

I doubt it, that's kind of the point of the TPM.

TPM has a hack out involving freezing the pc (no joke)

Yes, and it's a real attack, but it's ridiculously impractical and only effective some of the time.

Actually it isn't. A standard rootkit hides in the OS and modifies the kernel in memory to remain invisible. It can be detected and removed. This one hides in the MBR and will remain stealthed. They will probably figure a way to remove it though.

Splitting of hairs...

Root kits can be OS level or sub OS level. As the hardware BIOS/EFI/etc can also be affected by a 'root kit', and thus becomes invisible to the OS, no matter what OS.

There is also several specific sub-OS root kits out there already, so this story is NOT new, and the one making the biggest news as of late is the one that can be created under Linux via Linux's own calls that can NOT be removed from the mainboard or HD once it happens.

The whole 'root kit' definition gets fuzzy, but it basically means below the 'root' of the computer OS, which can be either in the OS's itself at Ring 0 or even below that at a hardware level.

It is just in how far you stretch the definition, especially when dealing with non-technical readers...

For example:
http://www.networkworld.com/community/node/41180

Could be called a root kit, though technically, it is more intrusive than an average root kit, but is the best way to talk about it to end users or basic security IT people.

Cache posisioning is the point of injection, but the lingering effects are what a root kit would do, so is it a root kit? Yes and No...

Snow Leopard, the new version of Ubuntu just came out...

thats 3 operating systems.. not a great deal

Yeah, because we're used to getting so many OS's every day.

Yeah, but that's one from each major player... Once you've covered Windows, OS X and Linux... there's not much left.

I was thinking the same exact thing. Isn't the point of any exploit to give remote control over the computer without the hacker even needing to physically be there. I mean if you had the computer write in front of you that whole step is removed. You could just load the key logger or whatever yourself.

yes but it was stated in the article that remote access was comming in an updated version and imagine all those pc shops and big name department stores person goes into each installs vbootkit 2.0 with remote access on every pc in the shop goes out and off to the next you could theoreticaly infect hundreds of pc's a day befor they even get to a users hands

There's a IT security idiom that states: "if a hacker has physical access to your computer, it's no longer your computer"

Lol: "He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer."

Hah, great find.

Yes. This rootkit (someone's link called it a bootroot) only relies on physical access. The attacker would reboot the machine with the disc or floppy in the drive. That disc would write a new MBR and cause the system to become infected. Upon reboot the system would be infected at the MBR level. This is a near undetectable attack unless you happen to be at your computer 24/7.

It isn't a hack?

Try reading their 2007 whitepaper on their earlier version, and you will see how technical it is, and how it works. It truly is a "hack", and does an amazing job.

But it's not "unfixable." The fix was built-in to Vista and Win7. BitLocker + TPM

This discussion sub-thread is about whether it was a "hack" or not.

It is a classic example of an interesting hack.

Maybe you meant to post a reply to someone else? (and, yes, I agree it is fixable, but would require changing their boot loader again)

Yeah this got attached to the wrong thread, sorry. Not sure how that happened.

And fixing it wouldn't require changing the bootloader. The fix shipped with Vista, you just need compatible hardware (TPM).

Awww crap! This whole time I thought I was hacking. DAMN IT!

It may not me yours, but it doesn't have to be his either.

Are you sure? I can give you physical access to my PC which has encrypted HD - good luck

and my axe will comprimise your box in seconds!

Sure. I'll just turn it on, freeze the memory with an upside down can of cold air, dump it to disk to get the key, and Tada! Instant HDD access.

Only if you force me to enter password, first, but that's always an option, of course.

and mine requires a thumb print and a usb key to be inserted aswell before it'll even think about booting up so good luck in tryin to cut of my hands and raid my pockets for the usb key

Seriously. Who cares about how your setup is secured. Unless you have some ultra-secret bomb-creating stuff or porn videos from Keeley Hazel, I don't want in. Like "doug_jnr" said, I won't feel bad if I don't get to see your files, but I'm pretty sure you'll be mad if I axe your computer.

I could always cut your thumb off and torture you until you give me the USB key (or just find the USB key). Why waste all my time hacking when beating the living crap out of you until you submit is so much faster?

I could also just wait for you to log in then knock you out or kill you and now I have everything required to get your data!

Well according to the hackers, they doing on windows again because it is the most secure OS.

OSX and Linux are too easy to hack these days.

OSX fell in Pwn2own. Not sure where your evidence and supporting information for your Linux claim is.

Respect from who exactly? To the average people? They don't care about that. Windows is still THE OS to break. It is more profitable to hack a Windows machine than any other OS. It is e-peen if they just hack an OS for fame. They want the monetary gain. The hacking community already knows it can be done for the OS, it's just not worth their while.

This is an exploit that doesn't involve access to the internals (plus all the stares for using a screwdriver and opening a PC case up and pulling a hard drive out).

This just boots off CD/USB and you don't get any stares like you are doing anything unusual. Rebooting Windows happens quite often, you know.

It's not really about getting access to data. I could install my custom OS and I would have access to everything. It has always been that easy. That's why they have encryption and TPM to change that.

The real hack is that they are able to use and remain in the windows environment.

While you're correct in theory; someone needs BIOS access to set the machine to boot from removable media. Assuming you can not open the case the reset the BIOS (and subsequently the password), unless you find the BIOS password you won't be able to make the machine to boot from your infected removable media.

Thus in essence, if BIOS is password protected and PC is set to boot only from its boots HDD its impossible to install this unless you have access to the internals.

I don't think theres a way to reset the BIOS fiddling with jumpers and batteries on the mobo, right?

Well, actually - it does not. Perhaps if you run XP. At work, for example, the only reboots that my machines EVER get are monthly patch days. Same was on Vista (Win 7 now).

Are you aware how very FEW of these machines are set with BIOS passwords and to not boot from CD?

It seems you are not.

umm not really. unless you still use XP.

Also lots of machines (especially laptops) have BIOS passwords that cannot be reset. And if your machine has a power-on password set via the BIOS that will also foil this attack. Basically there are lots of protective measures that will make this attack impractical or impossible.

no not realy every bios manufacturer builds in a backdoor just incase you forget your password and it's as easy as a reboot dive into bios use the backdoor password and save and reboot and its game over

Which is obviously a major security hole since it renders local passwords useless. Vista should have fixed this but didn't; Win7 probably won't fix it because it's Vista-like, but hopefully the next one will.

I agree. Win 7 will be huge. Good luck to the so called competitors out there.

Dude, Microsoft could take a dump on your lawn, and you'd still call it "jaw-dropping"...

Microsoft took a dump on our lawns (Vista) and we hardly called it jaw-dropping.

Win7 right now for still being beta and far from being RTM IS jaw-dropping. Its a very polished, rich and blazing fast OS. What else do you want?

Personally for me the only thing missing is native .mkv support but thats a tiny minor detail.

because there is pass protection ?
windows crypts the files so they can't be accessed unless you log and type correct pass.
the thing nobody notices here is that it removes the user pass which means decrypts the crypted files too.

Clone the drive. Then take it home boot off a cd that removes the login password and your golden.

The wors thing is no antivirus can catch that kind of exploit.

If I had a laptop and if it got stolen I'd automatically assume that my personal data is pretty much exposed, no matter the OS or encryption.

I guess your best bet would be to be running an encrypted hidden partition inside a dummy one. Assuming no one knows you were running a hidden one you'd be safe.

Every operating system out there is vulnerable to this style of attack, which requires physical access to the computer. Don't worry about it.

If you worry about this, you sould just not even have a computer, because if someone can get access to your computer in your house without your knowladge, then you have bigger problems then this

Though not as critical as fixing remote exploits, local security matters a lot. Issues like this shouldn't exist. If you go for a coffee and forget to lock your PC it's your fault. If I can run an exploit and escalate privileges to SYSTEM it's the OS fault (anyone keeping track of the Linux privileges escalations these days)?. You wouldn't believe what kind of far-fetched issues are actually being fixed, e.g. there was the one of Windows not wiping swap temporary space used to hold unencrypted data to be written to an encrypted partition.