{"id":408,"date":"2024-09-27T13:00:00","date_gmt":"2024-09-27T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=408"},"modified":"2024-09-27T13:00:00","modified_gmt":"2024-09-27T13:00:00","slug":"microsoft-privilege-escalation-issue-forces-the-debate-when-is-something-a-security-hole","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=408","title":{"rendered":"Microsoft privilege escalation issue forces the debate: \u2018When is something a security hole?\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security vendor Fortra announced on Friday what it is describing as a Microsoft security hole that would allow an attacker who had stolen low-level access credentials to escalate them to high-level access.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/551577\/malware-tricks-users-to-elevate-privileges-pwnage-via-windows-user-access-control.html\">Privilege escalation is hardly a new issue<\/a>, but it is a critical tool in an attacker\u2019s arsenal. Privilege escalation is also a routine part of the administrator\u2019s day, but when an attacker can escalate privileges without an admin being alerted, that can be a disaster. That seems to be the essence of the hole that Fortra is trying to flag.<\/p>\n<p>Microsoft acknowledges the capability, but considers it a convenience issue, as admins need to have the ability to escalate credentials to complete various tasks, Fortra said.\u00a0<\/p>\n<p>Microsoft emailed a short statement to CSO: \u201cWe are aware of Fortra\u2019s report and have investigated its claims. 
As their report caveats, the method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary.\u201d \u00a0<\/p>\n<p>From Fortra\u2019s perspective, the problem is not as much the privilege escalation, which can certainly happen within the normal course of business, but that this situation \u201callows higher privilege code execution without any of the checks and balances that are normally in place\u201d and that \u201cthis removes a safety net that many Administrators rely on (User Account Control\/UAC) and introduces the risk of high integrity code execution,\u201d said Tyler Reguly, associate director, security R&amp;D at Fortra. The company provided a <a href=\"https:\/\/www.fortra.com\/blog\/cve-2024-6769-poisoning-activation-cache-elevate-medium-high-integrity\">detailed technical description<\/a> of the issue in a blog post.<\/p>\n<p>From that perspective, the issue is mostly about UAC bypasses rather than what is enabled by those bypasses.\u00a0<\/p>\n<p>This is where things get tricky. Reguly argued that this amounts to a security hole.<\/p>\n<p>\u201cWith the proof-of-concept provided, we\u2019re performing the action of launching an elevated command prompt. This could be done by an administrator, but they\u2019d get a UAC prompt. Instead, we\u2019re using a malicious technique, and you don\u2019t get a UAC prompt,\u201d Reguly said. \u201cIf UAC is a security feature and we\u2019re running something that would normally require a UAC prompt without one, that sounds to me like a security feature bypass. Microsoft, traditionally, has fixed security feature bypasses, but, in this case, because of the wording of the Microsoft Security Servicing Criteria for Windows, they are not.\u201d<\/p>\n<p>That last line is indeed the thrust of the Microsoft argument. 
In their <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/windows-security-servicing-criteria\">Security Servicing Criteria for Windows<\/a>, Microsoft says \u201cAdministrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective. This includes actions which require Administrator permissions like registry tampering with HKEY_LOCAL_MACHINE and any attack where the attacker has Local or Domain Administrator access.\u201d<\/p>\n<p>It is not quite the \u201cit\u2019s a feature, not a bug\u201d argument, but it gets close.\u00a0<\/p>\n<p>Security specialists generally sided with Microsoft on this one.\u00a0<\/p>\n<p>Selim Aissi spent six years as the CISO at Ellie Mae, following stints as VP global information security at Visa, and chief security strategist for Intel. Aissi, who reviewed the Fortra documents at CSO\u2019s request, said, \u201cI honestly don\u2019t think it\u2019s a big deal.\u201d<\/p>\n<p>\u201cThe first stage (UAC bypass) has been reported in the past and is a known issue. The second stage of the theoretical attack is only related to admins, who already have the ability \u2014 if they turned rogue \u2014 to potentially do a lot more damage than reported in this case,\u201d Aissi said. \u201cI don\u2019t see the ease of this claimed privilege escalation. If I\u2019m an attacker, I\u2019d rather use a new vulnerability or unpatched zero-day to perform privilege escalation.\u201d<\/p>\n<p>Steve Zalewski, longtime CISO for Levi Strauss until 2021, when he became a cybersecurity consultant, also reviewed the Fortra material.<\/p>\n<p>\u201cIt is not a security hole, so I happen to agree with Microsoft on this one. 
The underlying logic that Fortra uses to justify calling it a hole just does not stand up to my reasonableness sniff test,\u201d Zalewski said. \u201cAt best, it is a feature request that you have UAC provide more granularity in the types of authorization requests that will trigger the second factor of authentication. The downside to doing this is that you will get so many alerts that it effectively prevents you from doing any work.\u201d<\/p>\n<p>Zalewski said that Fortra \u201cused the phrase \u2018malicious technique,\u2019 which is not accurate. There is nothing malicious about using the functionality as described. They are asserting that, because it can be used for malicious purposes, it must be a security issue that has to be addressed. They confuse the issue by declaring that if you use an alternate method where UAC does require verification, then it must follow that all equivalent functionality must use the same security verification. So their actual argument is that Microsoft erred in only partially implementing the security policy. Those are two different situations, not a logical conclusion between the situations.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security vendor Fortra announced on Friday what it is describing as a Microsoft security hole that would allow an attacker who had stolen low-level access credentials to escalate them to high-level access. Privilege escalation is hardly a new issue, but it is a critical tool in an attacker\u2019s arsenal. 
Privilege escalation is also a routine [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":409,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-408","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/408"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=408"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/408\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/409"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}