Vulnerability Development: Re: Windows Vista winsat.exe Integer Overflow

Re: Windows Vista winsat.exe Integer Overflow

From: <Valdis.Kletnieks_at_vt.edu>
Date: Fri, 04 Apr 2008 12:22:35 -0400

On Thu, 03 Apr 2008 10:58:14 PDT, "Thor (Hammer of God)" said:
> Hey Valdis -
>
> > > So, if you have someone who is going to run as administrator anyway,
> > > download the untrusted .exe, execute it, and then confirm the
> > > execution of the program without concern for what happens, we can't
> > > really fault the OS for that at this point in the game.
> >
> > I wasn't faulting the OS - I was pointing out it's still a viable
> > attack vector, despite the OS's best efforts to stop it.
>
> I know you weren't specifically faulting the OS for this -- it's just
> that when I see posts that combine the "non-issue of the day" with a
> requirement of "this is bad because if I can get the user to run
> arbitrary code as administrator first, then I use that code to exploit
> his vulnerability" coupled with "and this is easy because it's trivial
> to get people to run malicious code and we all know they all just click
> through all warnings" that it just gets to be too much.
>
> I'm aware that you didn't say all of the above, but it's what the net
> result of the thread became.

From the *prevention* side of the fence, it's true - once you get the user
to run untrusted code as administrator, the box is pwned good and thoroughly.
And since there's a wide variety of things that can happen, "nuke it from
orbit and re-install, it's the only way to be sure" is the operative phrase.

The number of *different* things that can be done once you get an initial
foothold of executing code is more probably interesting to those of us who
do computer forensics, where the exact mechanism *is* relevant to figuring
out what happened, and (possibly) how to prevent it from happening again.

Received on Apr 04 2008