At 04:18 PM 10/7/2004 -0600, Bartlett,James D wrote:
>Well, the default user of a basic XP installation always has admin
>rights. Every distressed CWS victim that I have ever dealt with was a
>low-level user running a single account on a non-domain personal
>machine. Being the only user on their machines, they were all admins.
Since you're the second or third person to reply with something like
this, I obviously wasn't clear enough with my previous statement. My
point wasn't that AppInit_DLLs is safe because nobody should run as
admin, anyway. Obviously that's a nice fantasy, but of course it's
only the reality in well-administered networks. The real point was
that given all of the other ways a person running as Administrator has
to mess up the security of his machine, AppInit_DLLs is rather trivial.
If you're the local administrator on a non-networked machine, you have
the ability to install a device driver that runs at system startup,
well before even WinLogon runs, and hooks the kernel's implementation
of the RegXxx functions. And of course, when you have that ability,
the lowlife cretin who wrote any spyware you may run also has that
ability. This blows away anything you can do with AppInit_DLLs; at
least the AppInit_DLLs method can be bypassed and detected by user-level
code.
Andrew Aronoff seems to have gotten the point; he mentions a whitelist
managed by a central authority. However, I believe that down that
road lies madness: eventually, because some users are too computer-
illiterate to be trusted to administer their own machines, all of us
will have to delegate administration authority to Big Brother. There
is a compromise, of course, and it's one we've already accepted.
Windows should treat anything loading in AppInit_DLLs as it currently
treats a device driver or other plugin and have settings that allow
the user to only run DLLs that are signed by trusted publishers.
Of course, that just assumes all over again that users are competent
to administer their own computers. There's just no getting around
that assumption without taking administrative power entirely out of
the hands of "unqualified" users.
If we're going to demonize Microsoft for something, let's not demonize
them for one of the hundreds of ways a user with administrative privileges
can destroy his own computer. Let's demonize them for the real problem:
that so many people are running untrusted code as Administrator without
having been told about the security implications thereof.
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such
that just hitting reply is going to result in the message coming to the list,
not to the individual who sent the message. This was done to help reduce the
number of Out of Office messages posters received. So if you want to send a
reply just to the poster, you'll have to copy their email address out of the
message and place it in your TO: field.
--
