Miscellaneous Tech News
-
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
-
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
-
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
-
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
-
@jaredbusch said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
Sure. But "not a panacea" is never an argument for something.
-
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
-
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
-
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
That's a problem. No other OS does that. Other OSes, like Ubuntu, Fedora, etc. verify any drivers that are automated in this way. They don't blinding allow any vendor to create an ID and automate the installation of just anything.
The problem is not from Razor, it's that there is a gaping hole in Microsoft's security strategy that allows any vendor to put code inline for automatic deployment by Microsoft as part of the OS, without security checks.
-
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
-
@obsolesce said in Miscellaneous Tech News:
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
It makes MY point. It doesn't go through Microsoft's installation system, and doesn't have the flaw. It in no way supports your point.
-
@obsolesce said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
How the heck does Razer being willing to bandaid Microsoft's problem suggest it is not an MS issue? I'm confused. Does this fix the issue with Asus and other drivers? Does it close the security hole?
No, it does not, At all.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.
But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.
But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.
Exactly. I'm not saying that Razer shouldn't fix their stuff TOO. However, Razer should never have to worry about the situation as if the OS was working properly, their driver (nor any software) should have to worry about presenting a dialogue as an admin, to a non-admin user. Razer isn't the one creating the escalation. They are trusting that the OS is checking if it is an admin before executing the installer.
If you were the developer and wrote this software, you'd be like "how the hell am I supposed to write an admin protection system when the operating system is giving my program admin rights without verifying the user is the admin and agreed to it.... that's not my responsibility, I can only go to the OS for that!"
In this case, it's an installer (not a driver) with the issue. And likely not even an installer that Razer is making, but one that they are buying (just guessing.) Because it's a standard thing. And I bet 99% of installers have this issue, because it's an agreement between apps and the OS that the OS will not give this permission in this way, ever.
Imagine if you wrote a video game and the OS escalated to admin without you requesting it once in a while. You'd be pretty shocked that your software which was trusting the OS, was suddenly blamed for admin rights you didn't create or allow.
It's a weird situation, and one that other OSes get around by not having this kind of installation process as a normal thing. DNF / YUM / APT all avoid this by having a standard (and open source) installer that everyone shares. And never is a third party app installer ever automated by the OS.
Microsoft chooses not to include an installer in that way AND chooses to allow third party installers AND to allow unverified closed source ones, to run as admin automatically. It's a pretty massive shortcoming that isn't really excusable since the late 1990s.
-
@dustinb3403 said in Miscellaneous Tech News:
@jaredbusch said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.
No, this issue, specifically requires that a user be logged in to the GUI in order to be able to exploit it.
Other than Mr. Microsoft ( @Obsolesce ), no one is trying to say MS doesn't have a shit ass flaw that needs fixed. But the flaw 100% requires the GUI.
-
@jaredbusch said in Miscellaneous Tech News:
Other than Mr. Microsoft ( @Obsolesce )
I acknowledged the flaw in their process.
-
https://www.the-sun.com/tech/3525714/microsoft-power-apps-exposed-data-leaks/
Kind of click-baity title but power apps automatically makes a database public when you enable an API to interact with the database.
