July 1st, 2026
like1 reaction

It rather involved being on the other side of this airtight hatchway: Changing administrative settings

A security vulnerability report arrived that went roughly like this:

An attacker can bypass security policies by modifying the following registry keys to disable ⟦security feature 1⟧ and ⟦security feature 2⟧.

The statement is true, but what they don’t mention is that administrator privileges are required to modify those keys. This is like saying that a door lock is insecure because you can open the door from the inside. If you are inside, then you have already gotten past the door!

Indeed, the purpose of those keys is to define the security policy in the first place! So it boils down to “It’s a security vulnerability that an administrator can change a security policy.”

What the security researcher found was that if your system has been compromised, the first guy who gets into your inner sanctum can make your system even more vulnerable.¹ If you assume that the attacker has full control, then it’s not surprising that they control everything.

¹ Isn’t this the plot to half of the sci-fi movies ever made? The plucky hero sneaks behind enemy lines in order to disable the bad guys’ shields long enough to let the rest of the team in. This isn’t a security flaw in the shields. It’s a security flaw in whatever was supposed to protect the switch that turns off the shields.

The sci-fi movie analogy would be “If we can get to the switch that turns off the shields, then we can turn them off!”

Well, yeah. The hard part is getting into the room that has the switch.

It rather involved being on the other side of this airtight hatchway.

Bonus chatter: This is a repeat of It rather involved being on the other side of the airtight hatchway: Disabling a security feature as an administrator, but this type of bogus vulnerability report happens so much, I wrote it up again before I realized that it was a duplicate.

Topics

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

5 comments

Discussion is closed. Login to edit/delete existing comments.

Sort by :
  • Shawn Van Ness

    google AI search results for the phrase, only briefly note that it’s a line from Hitchiker’s Guide — the bulk of the summary text describes how the metaphor applies to cybersecurity

    • Chris Iverson

      Heh, I wonder if that’s been influenced by how long Raymond has used the phrase on this blog, explicitly to refer to cybersecurity stuff.

  • Nikolas Gloy

    Is this type of “vulnerability” reported by real security researchers, or self-proclaimed “security researchers”?

    • Chris Iverson

      Probably the second, but from Microsoft’s PoV, it doesn’t matter.

      The same amount of resources has to be dedicated to triaging it regardless of the credentials of the reporter.

      • Ray

        @Chris Iverson I wonder if they get a lot more AI generated “reports” these days that equally make 0 sense. And have to triage it with the same number of trained people.