Windows 8 offers some promising opportunities for attackers, but overall is a much more secure operating system than its predecessor, a researcher told the Black Hat conference.
There are at least three attack points in Windows 8 that with more work might yield vulnerabilities that could be exploited, says Sung-ting Tsai, leader of an advanced threat research team for Trend Micro, who was interviewed for this story after his Black Hat presentation.
WINDOWS 8 UPDATE: Desperate for developers?
The first of these is getting around limitations placed on Windows 8 Metro style applications that prevent them from accessing the Internet. Rather than trying to break through that restriction, an application could instead access an application that has such permission.
So an application that lacks an Internet permission could still send messages to the Internet via Internet Explorer or Microsoft Media Server and append local information to the URL that IE or MMS is instructed to seek, he says. Similarly, a Word or Excel file that the Metro app accesses could contain code to connect the Internet.
With Internet access, a rogue app could upload data from the local machine to a machine on the Internet controlled by an attacker.
Microsoft says it won't do anything about this, according to the company response Tsai includes in his Black Hat presentation. That's because accessing the Internet would be visible to users, who could stop it if they disapproved. Similarly, antivirus products could catch such access. Once this type of activity is reported to Microsoft, it could remove the app from user machines.
Tsai says he disagrees. When the average user sees a Metro app launch MMS, it won't raise suspicion that the application is trying to access the Internet, he says. But even if the user is aware, it is difficult to determine whether the access is normal or malicious behavior. Antivirus software would have similar difficulty telling the difference, he says.
Another possible evasion calls for using the command prompt cmd.exe from within the application container sandbox to trigger other executables outside, Tsai says.
Microsoft says this is not a problem and Tsai agrees. But he says that it is possible that in conjunction with other executables, it could potentially exploit other vulnerabilities.
He also looks at ClickOnce, the installation package running on Windows 8. It is possible to get it to launch files to the file system that could be harmful. Tsai says Microsoft agrees and will fix it in the next release of Windows 8.
Another possible weakness he explored is dll hijacking -- inserting malicious code that is disguised as a dll that an application is looking for. He says Internet Explorer tries to load some dlls that it no longer needs. If the names of such dlls could be found they could be used to disguise malware that the browser would load.
The problem could arise in any app when unnecessary dll loading remains, he says. Microsoft says there is no dll hijacking problem in Release Preview of Windows 8.
Tsai says a programming feature of Windows 9 Metro apps could be exploited. This feature allows apps to access folders and files they would otherwise not have access to. This could be used as a means for stealing data and sending it to attackers.
As a rule, Metro apps can access only documents, videos, music and photo files and folders. But developers of apps can provide exceptions that allow apps to access other files and folders.
A malicious application could be given access to the folder Downloads, and then the user could be socially engineered into downloading a malicious file from the Internet that would wind up in Downloads, giving the application access to malicious code.
Microsoft says this is a feature for developers, not vulnerability and is under the user's control, so is not a threat. Tsai says he could imagine tightening up the exceptions programmers are allowed to make. For instance, files could be accessed but granted read-only permission.
Tsai also discusses three potential attack points that he was unable to exploit:
= the kernel level advanced local procedure call (ALPC)
= the component object model (COM) application programming interface (API)
= the Windows Runtime (RT) API
Attacking at ALPC messages at the kernel level is very difficult, but it offers access to a rich flow of application call information, Tsai says. But he has developed four scripts to intercept these messages that he plans to make public.
So far, he has not been able to develop an exploit against Windows 8 using these scripts against ALPC or even found a vulnerability, but the scripts do provide a way to automate looking for vulnerabilities, he says.
The second attack point he examines is against COM servers, objects that provide services to clients. In Windows 8, Metro applications run in containers, secure sandboxes that limit the applications' access to only those resources it absolutely needs. And requests for those resources go through the RT broker. The broker is a go-between that limits this access to resources.
But if the application can gain direct access to COM servers, attackers could bypass the sandbox. This COM access would have to be done manually via basic scripts possibly written in assembly language. But if a COM with high permissions could be accessed, attackers could theoretically fashion compromises to the system. "It's not easy but it's possible," Tsai says.
The Windows RT API is a third point of possible attack. Tsai says he attacked it via fuzzing -- sending it random commands to see if they cause the API to malfunction and create a vulnerability. This takes time and luck if an attacker is to succeed, he says, and he had some luck.
He discovered a memory corruption vulnerability in Windows 8 Consumer Preview that he reported to Microsoft and that Microsoft patched with Windows 8 Release Preview, he says.