At the RSA Conference 2011 continuing today in San Francisco, exhibitors try all sorts of ways to get attention, especially from reporters. One intriguing approach came from BeyondTrust, a provider of software that controls what apps employees can use on the corporate network. On Monday, BeyondTrust publicized a vulnerability in the software of some of its competitors that does not affect its software.
The vulnerability concerns the ability of IT administrators to elevate access privileges to specific apps automatically without granting the standard user administrator status. They may be legacy or custom-made apps that previously required administrator status, but which the organization now accepts as safe. However, many of BeyondTrust’s competitors allow this automatic privilege elevation at the application layer, which is where the vulnerability lies.
An end user could exploit that vulnerability to gain full administrator privileges, not just to that one application but to the whole system, said Peter Beauregard, director of program management for BeyondTrust, who demonstrated the vulnerability for me at the company’s booth on the exhibit floor at RSA.
Instead of elevating privileges automatically at the application layer, BeyondTrust’s Power Broker suite of access control software manages the process at the kernel level of the operating system, said Beauregard, which prevents the exploitation of administrator privilege elevation.
“The key here is that if you use methods of elevation that don’t include kernel protection, you introduce a security vulnerability where the user can take full control of the machine and can make themselves an administrator again,” he said. That carries all sorts of security implications, such as the introduction of malware or access to other parts of the system for malicious reasons.
This is not a vulnerability in Microsoft Windows, Beauregard emphasized, but in the particular access control application. However, it is reminiscent of a vulnerability discovered in Windows in June 2009 that has not been patched.
In that case, standard users on a corporate network were able to bypass User Access Control (UAC) in Windows 7 to download apps even though they weren’t administrators. This happened because, while Windows 7 UAC settings provide a slider to set how restrictive the privilege elevation could be -- slide it to the top for the most restrictive, to the bottom for least -- the default setting is in the middle. Microsoft set the default there because when it made it more restrictive in Windows Vista, users complained they had to deal with too many prompts to approve apps, said Beauregard. Microsoft hasn’t patched this vulnerability, but simply advised customers to set the slider higher.
Typically, when someone discovers a vulnerability in Microsoft software, they don’t tell the world but just tell Microsoft, which develops a patch to repair the vulnerability and only then reveals it. In this case, BeyondTrust put out a press release rather than share the news with their competitors confidentially. This allowed BeyondTrust to wear a white hat at RSA.
But Brian Anderson, chief marketing officer for the firm, says its motivation was not to bash its competitors, but to perform a public service. BeyondTrust didn’t name specific vendors, didn’t reveal specific code and has offered to share information with competitors seeking to find out more.
So, it’s not like GM put out a press release explaining why Ford’s brakes don’t work. But it is a clever way for BeyondTrust, which I've written about before, to share an important warning about possible holes in access management software and at the same time show itself in a positive light.
Robert Mullins is a freelance journalist based in San Francisco. He has been writing about technology from Silicon Valley for more than a decade. He has covered such beats as network security, servers, storage, software development, telecommunications and, of course, Microsoft, for a variety of publications, most notably the IDG News Service and Network World.