[vox] Exploits for non-admin accounts in Windows?

Karsten M. Self kmself at ix.netcom.com
Thu Mar 24 02:35:17 PST 2005


on Wed, Mar 23, 2005 at 09:32:10PM -0800, Richard Crawford (rscrawford at mossroot.com) wrote:

> Yes, it's a Windoze question, but I'm trying to make a point with
> someone who wants to build me a crippled computer for my development
> workstation.
> 
> I was told today by the IT manager in our office that if you don't run
> your Windows computer as an administrator, you never need to worry about
> adware and spyware and viruses.  This seems like an awfully fishy claim
> to me, but maybe I'm just over-paranoid.  Am I?

I'm not a legacy MS Windows expert.  I don't even play one on the
Internet.


My understanding is that through WinNT 4.0, there were known core RPC
(remote procedure call) holes which made privilege escalation trivial.
Eric Raymond's _The Art Of Unix Programming_ and Nick Petreley's recent
comparison of GNU/Linux vs. legacy MS Windows security models (as well
as much of his prior work) cover this closely:


    http://www.theregister.co.uk/security/security_report_windows_vs_linux/


Anecdotally, friends whose information I tend to respect speak of users
without admin access who've been assaulted with malware installed and/or
running with Admin/System privileges.

An interesting hack is a utility which allows a user to gain _system_
privileges (higher than administrator).  Which would seem to indicate
something wrong with the security model.  The author doesn't believe in
software licensing (I've written him about this), so the code isn't
generally usable, but he's posted it online here:

    http://p-nand-q.com/download/supershell.html



Then there's the fact that DOS-based legacy MS Windows systems have _no_
concept of user-level security anyway.  User log-ins simply serve to
provide an advisory preference as to your local user profile (other
users can access your local user profile).  Any file can be deleted or
modified by any user.  Only remote access (e.g.:  network/domain login)
is "secured", but that only to the extent the local system can be
trusted (e.g.:  not at all, really).


So:  I'm really not sure what the current state of the art is, but
history, anecdote, and example strongly suggest your IT manager is
thinking wishfully.


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Yvonne, I love you, but he pays me.
    - Casablanca
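The following is an added example and is not part of Karsten's post or of any tool he mentions. It illustrates the point under discussion from the other direction: even without any privilege-escalation hole, adware or spyware does not need administrator rights to run and persist, because the per-user autorun locations (the HKCU Run/RunOnce keys and the user's Startup folder) live in the user's own hive and profile and are writable by that user. The script lists those locations beside the machine-wide HKLM Run key and probes each with the current token. It assumes an NT-based Windows (XP or later, not the DOS-based line the post also discusses) with Windows PowerShell 5.1 or PowerShell 7; the function names are this example's own.

```powershell
# Added example, not from the original post: enumerate the autorun
# locations a standard (non-admin) Windows user can write to, and probe
# write access with the current token. Assumes an NT-based Windows (XP or
# later) with Windows PowerShell 5.1 or PowerShell 7; the function names
# below are this example's own.

function Test-IsElevated {
    # True when the current token carries the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryKeyWritable {
    # Prove write access by creating and deleting a scratch subkey; this
    # reflects the effective token rather than a possibly misread ACL.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath "writeprobe-$([guid]::NewGuid())"
    try {
        $null = New-Item -Path $probe -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Test-DirectoryWritable {
    # Same idea for a folder: create and remove a scratch file.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath "writeprobe-$([guid]::NewGuid()).tmp"
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-AutorunEntries {
    # Name/value pairs from a Run-style key, minus the PS* properties
    # that Get-ItemProperty adds to every object.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

function Get-AutorunSurface {
    # Per-user locations (no admin needed) listed beside the machine-wide
    # Run key (admin needed), so the two can be compared in one run.
    $locations = @(
        @{ Scope = 'user';    Kind = 'registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
        @{ Scope = 'user';    Kind = 'registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
        @{ Scope = 'user';    Kind = 'folder';   Path = [Environment]::GetFolderPath('Startup') }
        @{ Scope = 'machine'; Kind = 'registry'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
    )
    foreach ($loc in $locations) {
        if ($loc.Kind -eq 'registry') {
            $writable = Test-RegistryKeyWritable -Path $loc.Path
            $entries  = @(Get-AutorunEntries -Path $loc.Path | ForEach-Object { "$($_.Name) = $($_.Command)" })
        } else {
            $writable = Test-DirectoryWritable -Path $loc.Path
            $entries  = @(Get-ChildItem -Path $loc.Path -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        }
        [pscustomobject]@{
            Scope    = $loc.Scope
            Path     = $loc.Path
            Writable = $writable
            Entries  = $entries
        }
    }
}

"Elevated token: $(Test-IsElevated)"
Get-AutorunSurface | Format-List Scope, Path, Writable, Entries
```

Run this from an ordinary, non-elevated account: the HKCU keys and the Startup folder come back writable while the HKLM key does not, which is exactly the room a user-level adware installer needs. Anything already listed under the user-scope entries is worth a look, since it runs at every logon without ever having asked for administrator rights. The probes create and remove a scratch key or file, so try it on a test account first if that matters in your environment.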