A security vulnerability report claimed that they were able to bypass a security feature in three easy steps:
- Open Regedit.
- Go to HKLM\Software\Microsoft\⟦redacted⟧.
- Double-click the Enabled registry value and change it from 1 to 0.
The security feature is now disabled!
Well yeah, because you disabled it.
The Enabled registry value is in the HKEY_
This is cut-and-dried but it’s really surprising how often people appear to be concerned that an administrator can compromise security.
No really, variations on this non-vulnerability are reported a lot. They all boil down to, “I found a security vulnerability: An administrator can disable a security feature!” Sometimes, they even admit it themselves: “You must run the PoC as an administrator.” Other times, they confess to not being an expert on the subject: “I am not a security expert, but I can confidently say that I can bypass the security feature using this method.”
Bonus chatter: Here’s another example of a vulnerability report in this category.
A malicious driver can bypass or disable Windows security features.
Step 1: Open an elevated command prompt.
…
Okay, I’m just going to stop you right there. If your first step is “open an elevated command prompt”, then you don’t need to do all those sneaky things to install the malicious driver in the super-clever way so that it can bypass and disable Windows security features. From the elevated command prompt, you can just disable the security features directly!
From a different point of view, the security vulnerability threat is rather real and scary, although Microsoft is not to blame. Hiring trustworthy admins is not a trivial task and unfortunately nothing Microsoft could fix with a software patch. Instead of asserting Microsoft’s innocence, how about telling customers that this is the reason why admins need to be treated well?
It seems like you have somewhat mixed feelings about whether or not this is a security bug, given that you decided to redact the full reg key path.
Raymond is just abiding by his own ground rules for the blog. You can find the “ground rules” link on the main page for the blog.
I don’t see mixed feelings here.
First of all, the redaction was probably just to anonymize the report even more when talking about it publicly.
Second of all, which specific registry key it is in question doesn’t actually matter. The whole point is that the registry tree under HKLM is writable only to Administrators by default, so for someone to be able to change that setting, they must either have or have had Administrator access.
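The triage test implied by the post and by the comment above (does changing the value already require administrator rights?) can be made mechanical. The following PowerShell is an added example, not code from the post, from Microsoft, or from any commenter. It reads the ACL of a registry key and lists every Allow entry that grants write-type rights to a principal other than BUILTIN\Administrators, SYSTEM or TrustedInstaller; an empty list means the reporter's "step 1" already sits on the administrator side of the airtight hatchway. The key used in the usage line is a stand-in for the redacted key in the report.

```powershell
# Added example (not from the post): "does this PoC already need an administrator?"
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows; Get-Acl on HKLM is read-only.

# SIDs that are already "administrator or better": BUILTIN\Administrators,
# NT AUTHORITY\SYSTEM, NT SERVICE\TrustedInstaller.
$AdminEquivalentSids = @(
    'S-1-5-32-544',
    'S-1-5-18',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that let a principal change values, or rewrite the ACL so it could.
$WriteMask = (
    [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
    [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [int][System.Security.AccessControl.RegistryRights]::Delete -bor
    [int][System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [int][System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
    0x10000000 -bor   # GENERIC_ALL, in case an ACE was stored with generic bits
    0x40000000        # GENERIC_WRITE
)

function Test-IsElevated {
    # True when the current token is a member of the Administrators role.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NonAdminRegistryWriters {
    # Emits one object per Allow ACE that gives write-type rights to a principal
    # that is not admin-equivalent. Inherit-only ACEs (for example CREATOR OWNER
    # under HKLM\SOFTWARE) do not apply to the key itself, so they are skipped.
    param([Parameter(Mandatory)][string]$KeyPath)

    $acl = Get-Acl -Path $KeyPath
    # Ask for SIDs directly so unmapped SIDs never make the call throw.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($AdminEquivalentSids -contains $sid) { continue }
        # Friendly name for the report; fall back to the raw SID if it cannot be mapped.
        $name = $(try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid })
        [pscustomobject]@{
            Key       = $KeyPath
            Principal = $name
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-ReportNeedsAdmin {
    # Triage verdict for a report of the form "change value X under key Y".
    # AlreadyRequiresAdmin comes from the key's ACL, not from how this shell was launched.
    param([Parameter(Mandatory)][string]$KeyPath)
    $writers = @(Get-NonAdminRegistryWriters -KeyPath $KeyPath)
    [pscustomobject]@{
        Key                  = $KeyPath
        RunningElevated      = Test-IsElevated
        NonAdminWriters      = $writers
        AlreadyRequiresAdmin = ($writers.Count -eq 0)
    }
}

# Stand-in for the redacted key in the report; substitute the path under triage.
Test-ReportNeedsAdmin -KeyPath 'HKLM:\SOFTWARE\Microsoft\Windows' | Format-List
```

On a default installation the stand-in key yields `AlreadyRequiresAdmin : True`, which is the whole argument of the post in one property: if the only principals who can write the value are administrators (or SYSTEM and TrustedInstaller, who are stronger still), the "bypass" is an administrator using administrator rights. A non-empty `NonAdminWriters` list is the case that would actually merit a closer look, because then a less-privileged principal can reach the setting.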
I got CVE-2015-2552 for a Unicode handling bug to enable driver test signing mode with Secure Boot enabled. It required write access to Boot Configuration Database (“BCD”), so it definitely was on the other side of the airtight hatchway, and yet was considered a security bug.
It really depends on what you consider a security boundary.
It’s getting even weirder these days, because people who don’t understand security are issuing security warnings for non-things.
The contrived example is:
– Run Word
– Open a Word document
– The user can then see the contents of the Word document
To those of us who have been dealing with security boundaries, permissions, and ACLs in Windows since 1994 this sounds silly.
But people now have it in their head that no program should be allowed to open anything on the user’s PC.
Because of phones.
– people install apps on their phones
– the app cannot open files
– so when an app on Windows can open a file they think it’s a security bug
The Windows security boundaries and security features (as well as whether Microsoft intends to address it via a security update instead of a feature update) are described in Microsoft Security Servicing Criteria for Windows. Your scenario sounds like it breached the Secure Boot security goal described there.
I seem to recall a wise old system administrator who told a young admin “With great power comes great responsibility.”
You would probably not be surprised how many people think it’s a security problem that the local administrator has the power to trample upon group policy.