<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security – One of the Key Reasons to Migrate to Windows Vista (part 2)</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/11/16/security-one-of-the-key-reasons-to-migrate-to-windows-vista-part-2.aspx</link><description>In my last post, I briefly touched on different features of Windows Vista, which I think are important with regards to the view on Windows XP vs. Windows Vista. Let’s take a different approach now: I recently was on a panel in Eastern Europe where I</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Security – One of the Key Reasons to Migrate to Windows Vista (part 2)</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/11/16/security-one-of-the-key-reasons-to-migrate-to-windows-vista-part-2.aspx#3154932</link><pubDate>Mon, 17 Nov 2008 05:09:37 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3154932</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;I hadn't really thought much about UAC with respect to this vuln. As Mark Russinovich says, it's not a security barrier. If the user clicks Continue then it hasn't done anything.&lt;/p&gt;
&lt;p&gt;As I say in my own blog, DEP is a barrier here, but there are ways around DEP. But those ways around DEP themselves run into ASLR. There are ways around ASLR but they are long shots.&lt;/p&gt;
&lt;p&gt;Nobody is probably going to go to the trouble of building an exploit that might, in rare circumstances, exploit a Vista system by getting through DEP and ASLR, even if it may work a small percentage of the time. The defense-in-depth in Vista, as you say, is formidable. Your odds of getting through with social engineering are much better than a technical exploit of even a serious bug like this.&lt;/p&gt;
</description></item><item><title>re: Security – One of the Key Reasons to Migrate to Windows Vista (part 2)</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/11/16/security-one-of-the-key-reasons-to-migrate-to-windows-vista-part-2.aspx#3154797</link><pubDate>Sun, 16 Nov 2008 23:51:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3154797</guid><dc:creator>rhalbheer</dc:creator><description>&lt;p&gt;Hi Larry,&lt;/p&gt;
&lt;p&gt;it is interesting to me how many people (and I do not refer to you) are writing something but not really reading the reliable sources, which have insights. Again, I am not referring to you – I just got a lot (and I really mean a lot) of questions around this vulnerability and most of it referred to some sources which I doubt whether they looked into the details.&lt;/p&gt;
&lt;p&gt;I appreciate your comment as it seems that your source caused some misconceptions. If you go to the MSRC blog (Microsoft Security Response Center) which is responsible for running the process around security vulnerabilities and look at their post (Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&amp;amp;A) I would like to quote:&lt;/p&gt;
&lt;p&gt;&amp;quot;Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?&lt;/p&gt;
&lt;p&gt;A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication. &amp;nbsp;The Security Vulnerability Research &amp;amp; Defense blog has a LOT more information about this. &amp;nbsp;It is still important though…Protections afforded by UAC enhancements are in place even if the UAC prompting has been disabled.&amp;quot; &amp;nbsp;&lt;/p&gt;
&lt;p&gt;Additionally the SWI blog (referenced above) gives you some additional – really deep – background on the vulnerability.&lt;/p&gt;
&lt;p&gt;&amp;quot;UAC mitigates even when the prompting is disabled&lt;/p&gt;
&lt;p&gt;As mentioned above, Windows Vista and Windows Server 2008 by default require authentication. But the security callback on the RPC interface has not been changed on the more recent platforms. Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level &amp;quot;Untrusted&amp;quot; while the named pipe requires at least a &amp;quot;Low&amp;quot; integrity level. Since &amp;quot;Untrusted&amp;quot; is lower than &amp;quot;Low&amp;quot; integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously. See &lt;a rel="nofollow" target="_new" href="http://msdn.microsoft.com/en-us/library/bb625963.aspx"&gt;http://msdn.microsoft.com/en-us/library/bb625963.aspx&lt;/a&gt; for more information.&lt;/p&gt;
&lt;p&gt;There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature “Password Protected Sharing” is disabled, anonymous connections come in at “Medium” integrity level. Because &amp;quot;Medium&amp;quot; integrity level is a higher integrity level than &amp;quot;Low&amp;quot;, the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista’s Network Sharing Center in the “Sharing and Discovery” section. &amp;quot;&lt;/p&gt;
&lt;p&gt;Last but not least, DEP was already part of Windows XP SP2 – even though disabled by a lot of OEMs.&lt;/p&gt;
&lt;p&gt;Does this help? Again, I did by far not want to insult you. I just do not like all the speculations which are not based on technical knowledge and analysis – not even sound investigation (like the link above)&lt;/p&gt;
&lt;p&gt;Any comment from your side is more than appreciated!&lt;/p&gt;
&lt;p&gt;Roger&lt;/p&gt;
</description></item><item><title>re: Security – One of the Key Reasons to Migrate to Windows Vista (part 2)</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/11/16/security-one-of-the-key-reasons-to-migrate-to-windows-vista-part-2.aspx#3154620</link><pubDate>Sun, 16 Nov 2008 17:44:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3154620</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;My impression was that Vista fared better than XP with respect to the MS08-067 bug mostly because of the DEP/ASLR combination. I'm not sure UAC really figures into it.&lt;/p&gt;
&lt;p&gt;I went into this in more detail in this blog: &lt;a rel="nofollow" target="_new" href="http://blogs.pcmag.com/securitywatch/2008/11/why_vista_looks_good_after_the.php"&gt;http://blogs.pcmag.com/securitywatch/2008/11/why_vista_looks_good_after_the.php&lt;/a&gt;&lt;/p&gt;
</description></item></channel></rss>