Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

MS Word Exploit – Administrator Rights – Oh my…

May 20th 2006 in Uncategorized

Some areas of the net are in a flap about the MS Word exploit that has been the focus of some publicity recently.  Some sites are even advising that we should consider dumping MS Word in preference to OpenOffice.


Come on guys.  We shouldn’t even be thinking about fighting this thing by moving to a different programme.  Why?  Because it does not address a core problem.  The thing about this exploit is that it will only succeed if the user has administrator privileges.  We all know that we shouldn’t be running our machines with administrator privileges, but all of us also have clients that absolutely insist that they must run as admin because a mission critical application will not run without it.


So, what can we do under such circumstances? How do we protect our clients from this exploit and other admin dependant exploits if they have a mission critical application that will not run without administrator privileges? 


Preferred option – reduce their rights anyway, and use RunAs – stick a shortcut on their desktop that grants only the mission critical application administrator privileges:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_runas.mspx?mfr=true


Your user still isn’t happy?  They just don’t like non-admin?  They’re telling you its *their* machine and they want administrator rights?  Well, short of washing your hands of any responsibility and walking out the door never to return, there is another trick you can use.  What if you could let your stubborn client run as admin, but bump down particular applications to limited user rights *at the same time*?  Sound interesting?  Read on… :o)


Michael Howard has posted an article to the Security Developer Centre that is of especial interest to those who are faced with “I must be Admin” users who also wanted to be protected from the Word exploit:
http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp


You’ll note that by using Software Restriction Policies you can stop a programme from running at all, or force it to run as a limited (basic) user.  If you want to really lock things down you can use Constrained or Untrusted. 


There is one very important limitation to this trick that we must be aware of.  Software Restriction Policies are path dependent.  That is, you must set a specific target path to the application for this to work.  If, for example, an executable is moved or copied to another directory, the restriction policy will fail.


One comment to...
“MS Word Exploit – Administrator Rights – Oh my…”

Alun Jones

Software restriction policies can also be applied based on the Internet Zone, the hash of the EXE file, and the certificate by which it is signed.


Do you want to refresh all your RSS feeds at the same time? Run the following command (thanks Jean-Marc, a French Windows/Shell User MVP, who discovered it) – I’ve tested it, and it works a treat – wish I’d known about it right from the start.
msfeedssync forcesync

Previous Entry

http://www.viruslist.com/en/weblog?weblogid=187189654
BTW, a matrioshka is a Russian nesting doll.

Next Entry

Archives