Miscellaneous Tech News
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
Razor and Asus Windows 10 security bypass...
https://www.pcgamer.com/razer-windows-10-security-flaw-admin/
Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
All these employees just sitting at locked computers, not allowed to use them.
That is 100% not what he said.
-
@scottalanmiller said in Miscellaneous Tech News:
Razor and Asus Windows 10 security bypass...
https://www.pcgamer.com/razer-windows-10-security-flaw-admin/
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Maybe I'm not considering something, but the article even provides examples of other non Razor devices being able to exploit this process.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
Razor and Asus Windows 10 security bypass...
https://www.pcgamer.com/razer-windows-10-security-flaw-admin/
Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
All these employees just sitting at locked computers, not allowed to use them.
A locked computer screen wouldn't prevent this elevation from occurring.
-
@dustinb3403 said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
Razor and Asus Windows 10 security bypass...
https://www.pcgamer.com/razer-windows-10-security-flaw-admin/
Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
All these employees just sitting at locked computers, not allowed to use them.
A locked computer screen wouldn't prevent this elevation from occurring.
-
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
-
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
-
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
-
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
-
@jaredbusch said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.
Plugging an device in while locked will still have the same issue, no matter what.
The issue also clearly involves interaction with the GUI.
Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?
Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.
That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.
Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.
Sure. But "not a panacea" is never an argument for something.
-
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
-
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
-
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
-
@obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?
Ultimately, yes, MS is definitely the one at fault here.
It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.
The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.
That's a problem. No other OS does that. Other OSes, like Ubuntu, Fedora, etc. verify any drivers that are automated in this way. They don't blinding allow any vendor to create an ID and automate the installation of just anything.
The problem is not from Razor, it's that there is a gaping hole in Microsoft's security strategy that allows any vendor to put code inline for automatic deployment by Microsoft as part of the OS, without security checks.
-
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
-
@obsolesce said in Miscellaneous Tech News:
For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.
Not a total comparison because it's not installing drivers, but still makes my point.
It makes MY point. It doesn't go through Microsoft's installation system, and doesn't have the flaw. It in no way supports your point.
-
@obsolesce said in Miscellaneous Tech News:
@dustinb3403 said in Miscellaneous Tech News:
This 100% sounds more like an issue for Windows rather than the hardware manufacturers.
Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.
How the heck does Razer being willing to bandaid Microsoft's problem suggest it is not an MS issue? I'm confused. Does this fix the issue with Asus and other drivers? Does it close the security hole?
No, it does not, At all.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
The problem is that the installer (made by razer)
Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.
That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.
I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.
But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.
