Miscellaneous Tech News
-
@jaredbusch said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
Sure. But "not a panacea" is never an argument for something.
-
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
-
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
-
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
That's a problem. No other OS does that. Other OSes, like Ubuntu, Fedora, etc. verify any drivers that are automated in this way. They don't blinding allow any vendor to create an ID and automate the installation of just anything.
The problem is not from Razor, it's that there is a gaping hole in Microsoft's security strategy that allows any vendor to put code inline for automatic deployment by Microsoft as part of the OS, without security checks.
-
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
-
@obsolesce said in Miscellaneous Tech News:
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
It makes MY point. It doesn't go through Microsoft's installation system, and doesn't have the flaw. It in no way supports your point.
-
@obsolesce said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
How the heck does Razer being willing to bandaid Microsoft's problem suggest it is not an MS issue? I'm confused. Does this fix the issue with Asus and other drivers? Does it close the security hole?
No, it does not, At all.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.
But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.
But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.
Exactly. I'm not saying that Razer shouldn't fix their stuff TOO. However, Razer should never have to worry about the situation as if the OS was working properly, their driver (nor any software) should have to worry about presenting a dialogue as an admin, to a non-admin user. Razer isn't the one creating the escalation. They are trusting that the OS is checking if it is an admin before executing the installer.
If you were the developer and wrote this software, you'd be like "how the hell am I supposed to write an admin protection system when the operating system is giving my program admin rights without verifying the user is the admin and agreed to it.... that's not my responsibility, I can only go to the OS for that!"
In this case, it's an installer (not a driver) with the issue. And likely not even an installer that Razer is making, but one that they are buying (just guessing.) Because it's a standard thing. And I bet 99% of installers have this issue, because it's an agreement between apps and the OS that the OS will not give this permission in this way, ever.
Imagine if you wrote a video game and the OS escalated to admin without you requesting it once in a while. You'd be pretty shocked that your software which was trusting the OS, was suddenly blamed for admin rights you didn't create or allow.
It's a weird situation, and one that other OSes get around by not having this kind of installation process as a normal thing. DNF / YUM / APT all avoid this by having a standard (and open source) installer that everyone shares. And never is a third party app installer ever automated by the OS.
Microsoft chooses not to include an installer in that way AND chooses to allow third party installers AND to allow unverified closed source ones, to run as admin automatically. It's a pretty massive shortcoming that isn't really excusable since the late 1990s.
-
@dustinb3403 said in Miscellaneous Tech News:
@jaredbusch said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.
No, this issue, specifically requires that a user be logged in to the GUI in order to be able to exploit it.
Other than Mr. Microsoft ( @Obsolesce ), no one is trying to say MS doesn't have a shit ass flaw that needs fixed. But the flaw 100% requires the GUI.
-
@jaredbusch said in Miscellaneous Tech News:
Other than Mr. Microsoft ( @Obsolesce )
I acknowledged the flaw in their process.
-
https://www.the-sun.com/tech/3525714/microsoft-power-apps-exposed-data-leaks/
Kind of click-baity title but power apps automatically makes a database public when you enable an API to interact with the database.
-
@stacksofplates said in Miscellaneous Tech News:
https://www.the-sun.com/tech/3525714/microsoft-power-apps-exposed-data-leaks/
Kind of click-baity title but power apps automatically makes a database public when you enable an API to interact with the database.
At what point do we hold people (Microsoft) criminally liable who design and implement these systems with such poor security practices, by default the database was public when using an API....
Um my 3 year old would know better than to use that as a default setting.
-
Google Pay team reportedly in major upheaval after botched app revamp
"Dozens of employees and executives have left" the struggling payments division.
Google Pay is apparently just as much a disaster internally as the app transition has been externally. That's the big takeaway from a recent Business Insider article detailing an exodus of executives from Google's payment division, lower-than-expected app adoption, and employees frustrated with the slow movement of the division. Business Insider spoke with ex-employees and learned that "dozens of employees and executives have left" the Google Payments team in recent months, including "at least seven leaders on the team with roles of director or vice president." The most prominent departure, of payments chief Caesar Sengupta, kicked off the exodus in April, and now employees are worried about another reorganization and even slower progress. Many rank-and-file team members have reportedly departed, too, with the story saying, "One former employee estimated that half the people working on the business-development team for Google Pay—a group of about 40 people—have left the company in recent months." -
-
As expected, another vendor hardware installer exposed critical Windows 10 bug...
-
Need to get root on a Windows box? Plug in a Razer gaming mouse
Razer's automatically downloaded installer exposes a SYSTEM shell to any user.
This weekend, security researcher jonhat disclosed a long-standing security bug in the Synapse software associated with Razer gaming mice. During software installation, the wizard produces a clickable link to the location where the software will be installed. Clicking that link opens a File Explorer window to the proposed location—but that File Explorer spawns with SYSTEM process ID, not with the user's. By itself, this vulnerability in Razer Synapse sounds like a minor issue—after all, in order to launch a software installer with SYSTEM privileges, a user would normally need to have Administrator privileges themselves. Unfortunately, Synapse is a part of the Windows Catalog—which means that an unprivileged user can just plug in a Razer mouse, and Windows Update will cheerfully download and run the exploitable installer automatically.