X

Symantec continues Vista bug hunt

In second report on Windows Vista security, Symantec says XP successor is prone to privilege escalation attacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
After poking around the Windows Vista networking stack, Symantec researchers have tried out privilege-escalation attacks on an early version of the Windows XP successor.

In a second report on Vista, Symantec takes on a security feature called User Account Control (UAC), in the operating system. The feature runs a Vista PC with fewer user privileges to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP.

"We discovered a number of implementation flaws that continued to allow a full machine compromise to occur," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Attacks against Windows Vista's Security Model." The report was made available to Symantec customers last week and is scheduled for public release sometime before Vista ships, a Symantec representative said Monday.

Conover looked at the February preview release of Vista. The report describes how an attacker could commandeer a Vista PC with Internet Explorer 7, the reinforced version of Microsoft's Web browser. The final version of Vista is not expected to be broadly available until January.

The attack starts out by planting a malicious file on a Vista PC when a rigged Web site is visited. The placing of the file involves using a specially crafted Web program called an ActiveX control, which exploits a security hole. The report then describes how the malicious program could gain privileges and ultimately give an attacker full control of the PC.

"The triviality of this privilege escalation...foreshadows the grave difficulty that the Windows Vista security model will have enforcing the separation between low and medium integrity level under the same user account," Conover wrote.

Microsoft has already resolved most of the issues identified in the Symantec report, a representative for the Redmond, Wash., company said in a statement. "Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the final functionality of User Account Control," the representative said.

Additionally, Microsoft said the Symantec research assumes that the user is logged in with an administrator account, a setting Microsoft does not recommend. Instead, the software maker advises the use of standard user accounts, which will require users to enter a password to gain administrator-level privileges for certain tasks--to install software, for example.

Microsoft has pitched Vista as its most secure operating system ever. UAC and Internet Explorer 7 are two of the key ingredients to deliver that security.

The report on UAC is the second of three reports Symantec plans to release on Windows Vista. A first report, on new Vista networking technology, was publicly released last week. A third report, examining the Vista core, or kernel, is scheduled to be published this week on Symantec's DeepSight security intelligence service.

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the software giant is readying an enterprise desktop security product. Symantec has also sued Microsoft, alleging misuse of data storage technology it licensed to the company.

"Symantec continuously researches and analyzes new technologies," said Pamela Reese, a Symantec spokeswoman. "Even with the understanding that the issues discussed in this research will likely be resolved before Windows Vista is shipped, Symantec has opted to make this research public because of the public interest in Vista."

But telling the world at large about vulnerabilities in an operating system that won't ship for a while doesn't help anybody, noted John Pescatore, a Gartner analyst. Though it may help Symantec's marketing machine. "They want to sell desktop security software even when Vista comes out," Pescatore said.

Additionally, security companies benefit from getting their name associated with finding vulnerabilities. "It helps people trust them as a security company," Pescatore said.

Symantec said it is encouraged to see that Microsoft is taking care of the basics by improving the security of its newest operating system. "However, Symantec feels that customers are safer if they can exercise their choice to use the security capabilities offered by Symantec and others," Reese said.