May 18th, 2020

Reporting on what you could do once you get to the other side of the airtight hatchway

A security vulnerability report arrived claiming that a program was vulnerable to a DLL planting attack if the rogue DLL were planted in the system32 directory.

This is not a vulnerability, because writing to the system32 directory requires administrator privileges. An attack that already requires administrator privileges is not really an exploit, since there is no elevation of privilege. You got from administrator to… administrator.
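The triage question behind that paragraph is mechanical: does planting the DLL in the reported location require rights the attacker is not assumed to already have? The PowerShell below is an added example, not code from the original post, that asks exactly that of a directory's DACL. The function name `Test-LowPrivCanPlant` and the list of reported locations are my own constructions; the script assumes it runs in PowerShell on Windows with the standard `Get-Acl` cmdlet.

```powershell
# Added example, not code from the original post. Triage helper for a DLL-planting
# report: the question is not "can a DLL be dropped in this directory?" but "can it
# be dropped there WITHOUT already holding administrator rights?". If only
# Administrators, SYSTEM or TrustedInstaller can create files there, the planting
# step is on the far side of the airtight hatchway and the report describes no
# elevation of privilege.

# Well-known SIDs of principals that every standard (non-administrator) user
# belongs to. A write grant to any of these means a non-admin can plant a file.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow creating a new file or subdirectory in the directory.
# CreateFiles is the same bit as WriteData; Write, Modify and FullControl all
# include it, so a bitwise test against these two bits catches every grant that
# would let a DLL be planted.
$PlantBits = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-LowPrivCanPlant {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl    = Get-Acl -LiteralPath $Path
    $allows = @()
    $denies = @()

    foreach ($ace in $acl.Access) {
        # Ignore ACEs that do not carry a file-creation right at all.
        if (($ace.FileSystemRights -band $PlantBits) -eq 0) { continue }

        # Compare by SID rather than by display name: names are localized and
        # orphaned SIDs may not resolve. An unresolvable identity cannot be
        # shown to be a low-privilege principal, so it is skipped.
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }

        if ($ace.AccessControlType -eq 'Allow') { $allows += $ace.IdentityReference.Value }
        else                                    { $denies += $ace.IdentityReference.Value }
    }

    # A matching Deny ACE is treated as overriding, which is how the DACL is
    # evaluated when the deny precedes the allow (the canonical ordering).
    [pscustomobject]@{
        Path            = $Path
        LowPrivCanPlant = ($allows.Count -gt 0 -and $denies.Count -eq 0)
        AllowedFor      = ($allows -join ', ')
        DeniedFor       = ($denies -join ', ')
    }
}

# Constructed sample of planting locations as they might appear in reports.
# The first is the directory from the report discussed above.
$reportedLocations = @(
    "$env:SystemRoot\System32",
    $env:ProgramFiles,
    "$env:PUBLIC"
)

$reportedLocations | ForEach-Object { Test-LowPrivCanPlant -Path $_ } | Format-Table -AutoSize
```

`LowPrivCanPlant` is `$true` only where a standard user can create files. A planting report against such a directory is worth reading further (it still has to be on the loading program's search path, and the program has to run with more privilege than the planter); a report against a location where the value is `$false` is the administrator-to-administrator case above. The check reads only the directory's own DACL: it does not walk group nesting beyond these built-in groups, integrity labels, or the DACL of an existing file that an attacker would overwrite rather than create, so a `$false` means "this report needs a different planting location", not "this program is safe".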

The finder justified the report by saying, “Obtaining administrator rights is trivial. Nearly all malware will gain administrator privilege as one of their first steps.”

Whether or not obtaining administrator rights is trivial, defending against a compromised administrator is pointless. The attacker has already achieved their goal. There’s nothing the program can do to defend against it; the administrator could go in and disable any defenses that the program could create.

For example, the administrator could just go ahead and do whatever bad thing they want, without ever running the compromised program. In other words, using the compromised program as part of the attack is just adding style points. It doesn’t give you anything you don’t already have. All you’re doing is bringing an irrelevant component into the story, and then blaming that component for something it had no control over.


Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

5 comments

  • kate cole

    You mean you just leave all this money laying around inside the bank vault? Anyone who comes in could just take it!

    • Alex Martin

      Getting inside the vault is trivial. Nearly all bank robbers will get inside the vault as one of their first steps.

  • Joshua Hudson

    He possessed the facts and couldn’t turn the facts into wisdom.

  • Henke37

    There really needs to be a tag for this series.

    • Brian Boorman

      There is a search box on this blog’s landing page. Just enter the search term “airtight hatchway” in the box and press the magnifying glass icon.
