Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can be potentially exploited by rogue users and malware to gain admin-level powers.
Meanwhile, a make-me-root hole was found in recent Linux kernels.
Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
As a result of this blunder, non-administrative users may read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and newer.
The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:
Or, shorter, “a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.” This can be used to thoroughly infect a system with malware, snoop on other users, and so on.
You may think you’re safe because your Windows PC doesn’t have a suitable VSS shadow copy, yet there are ways to end up quietly creating one and put your machine at risk.
According to the advisory: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”
US-CERT describes how to detect whether you have VSS shadow copies available, and it involves running vssadmin list shadows as a privileged user and seeing if any shadow copies are listed.
The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, so can’t be accessed by a normal user even with the loose ACL. However, if shadow copies available, you’ll find you can open copies of the files for inspection thanks to the sloppy ACL.
Microsoft is aware of the flaw, which is assigned the ID CVE-2021-36934, and said:
Once word of the flaw got out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:
Referring to the VSS requirement for exploitation, Delpy told The Register: “The snapshot is not the real problem, it’s the ACL.” And you don’t need to crack the hashes; it may be possible to use Mimikatz, for instance, to elevate privileges using this extracted data.
Delpy shared a video demonstrating just that, crediting Jonas Lykkegaard for spotting the ACL blunder.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
It’s not a clear-cut issue, as some people claim their Windows 10 installations are not vulnerable when the deployments should be. We await more info from Microsoft. In the meantime, see the above advisory for instructions on mitigating the vulnerability. ®
It’s not just Windows: a security hole has been discovered in Linux kernels since version 3.16 that can be exploited by rogue users and malware already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.
Dubbed Sequoia by the Qualys team that found and responsibly reported the flaw, we’re told the bug is present in “default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.” Thus, check for updates and install them as soon as you can as patches should be available by now now or shortly for your distro.
Technical details of the file-system-code-level programming blunder are here. Qualys’ proof-of-concept exploit required 5GB of RAM and a million inodes to succeed.
Qualys also found another security weakness in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Patches are also available so grab those updates, too.
Despite a record number of publicly disclosed security flaws in 2021, Microsoft managed to improve its stats, according to research from BeyondTrust.
Figures from the National Vulnerability Database (NVD) of the US National Institute of Standards and Technology (NIST) show last year broke all records for security vulnerabilities. By December, according to pentester Redscan, 18,439 were recorded. That’s an average of more than 50 flaws a day.
However just 1,212 vulnerabilities were reported in Microsoft products last year, said BeyondTrust, a 5 percent drop on the previous year. In addition, critical vulnerabilities in the software (those with a CVSS score of 9 or more) plunged 47 percent, with the drop in Windows Server specifically down 50 percent. There was bad news for Internet Explorer and Edge vulnerabilities, though: they were up 280 percent on the prior year, with 349 flaws spotted in 2021.
BeyondTrust commented that analysis had been simplified by Microsoft’s move to the Common Vulnerability Scoring System (CVSS), although an unfortunate side effect meant that security gurus can now determine the impact of administrative rights on critical vulnerabilities.
“From 2015 to 2020,” said the report, “removing admin rights could have mitigated, on average, 75 percent of critical vulnerabilities.”
It’s a very good point: keeping permissions to the bare minimum is excellent practice, although difficult to enforce.
The decline in vulnerabilities marks a change for Microsoft. In 2016, the count of vulnerabilities stood at 451, according to the report. By 2020 they had leapt to 1,268. A drop, even if only to 1,212, is a first. It’s just as well since between 2019 and 2020, there was a 48 percent rise in vulnerabilities year on year.
And the trendiest categories are…
The report also drilled into vulnerability categories. Topping the table with 326 and 588 vulnerabilities respectively were Remote Code Execution and Elevation of Privilege flaws, with the latter up from 559 in 2020. RCE was itself down in 2021 from 345 in the prior year.
Explaining the apparent explosion in Edge and Internet Explorer numbers (349 vulnerabilities up from 92 in 2020), BeyondTrust pointed to a consolidation in the browser market and a renewed focus on browser attacks as exploited plugins (such as Flash) were dropped and bug bounties made reporting vulnerabilities more financially attractive. It also pointed out that only six were critical (a record low).
The decline in Windows vulnerabilities was attributed to Microsoft’s efforts to improve the security architecture of its supported products, as was the fall in Windows Server holes. The move from security as an afterthought to something front and center is also a factor, even if it has taken a few iterations of operating systems.
That said, there were some spectacular holes in the company’s products during 2021. Last year’s Exchange Server vulnerabilities, for example, left many administrators scrambling to patch systems. 2021’s stability, from the standpoint of Microsoft’s vulnerabilities, must be considered alongside the rapid rises of previous years.
As the report authors note, simply patching the problems might not deal with the underlying issues. Removing admin rights and privileges also play a part in reducing the attack surface. ®
The new Ford Geofencing Speed Limit Control system alerts a driver when the car breaks a speed limit – then slows down the vehicle.
Speed limit signs may soon be a thing of the past as Ford is now trialling connected vehicle technology that can automatically reduce a car’s speed in certain zones to improve road safety.
Up to 29pc of all road fatalities in Europe, depending on the country, are pedestrians and cyclists, according to a 2020 report by the European Transport Safety Council. Setting up speed limits in certain areas is one of the frontline measures to minimise road accidents.
Now, US carmaker Ford is testing its new Geofencing Speed Limit Control system across two German cities, Cologne and Aachen, to see if the technology can help in making roads safer, preventing fines for drivers and improving the appearance of roadsides.
A geofence is a virtual parameter in a real-world area. It is often used by mobility companies and start-ups, such as Ireland’s Zipp Mobility, to identify and enforce low-speed zones in cities.
How does it work?
Ford’s new system uses geofencing technology to alert a driver through the dashboard when the vehicle enters an area with a designated speed limit. It then lowers the vehicle speed to match the limit automatically.
However, the driver can override the automated system and deactivate speed limit control at any time. They can also use the technology to set their own geofencing zones at speed as low as 20kmph.
“Connected vehicle technology has the proven potential to help make everyday driving easier and safer to benefit everyone, not just the person behind the wheel,” said Michael Huynh, manager of City Engagement Germany at Ford Europe.
“Geofencing can ensure speeds are reduced where – and even when – necessary to help improve safety and create a more pleasant environment.”
Ford already has in-built assistance technologies that help drivers ensure they are abiding by speed limits. However, the new geofencing speed limit control system is the first that can automatically reduce a vehicle’s speed without the driver’s intervention.
Eyes on the road
The year-long trial that runs until March 2023 is collaboration between the Ford City Engagement team, city officials in Cologne and Aachen, and Ford software engineers in Palo Alto, California.
Together with colleagues in Aachen, the Palo Alto engineers developed technology that connects the vehicle to the geofencing system for GPS tracking and data exchange.
Germany has more than 1,000 types of road signs, which can often confuse drivers and distract them from the road ahead. Geofencing technologies such as the new Ford system can help drivers stay focused.
“Our drivers should benefit from the latest technical support, including geofencing based assistant systems that enable them to keep to the speed limits and fully concentrate on the road,” said Dr Bert Schröer of AWB, a Cologne waste disposal company involved in the trial.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.
Welcome to Pushing Buttons, the Guardian’s gaming newsletter. If you’d like to receive it in your inbox every week, just pop your email in below – and check your inbox (and spam) for the confirmation email.
Remember how, in the wake of yet more awful shootings in the US this month, Fox News decided to blame video games rather than, you know, the almost total absence of meaningful gun control? Remember how I said last week that the video-games-cause-violence “argument” was so mendacious and nakedly manipulative that I wasn’t going to dignify it with a response?
Well, here I am, responding, because the supposed link between video games and real-life violence is one of the most persistent myths that I’ve encountered over the course of my career, and it has an interesting (if also infuriating) history.
Many video games have violent content, just as many films and TV series have violent content (and of course many books, as anyone who has endured a Bret Easton Ellis novel will attest). And it makes intuitive sense that the interactivity of games – especially shooting games – might appear more troubling, from the outside, than passive media such as film. (I gotta say, though, that in 25 years of playing video games I have never seen a scene as violent or upsetting as, say, a Quentin Tarantino movie.)
But the idea that exposure to these violent games turns people into killers in real life is comprehensively false – and it deflects attention from the actual drivers of real-world violence, from inequality to access to firearms to online radicalisation. It is a very politically motivated argument, and one that makes me instantly suspicious of the person wielding it. The NRA, for instance, trots it out on the regular. Donald Trump, inciter of actual real-life violent riots, was fond of it too. Why might that be, I wonder?
First, the facts: there is no scientifically credible link between video games and real-life violence. A lot of the studies around this issue are, in a word, bad – small sample sizes, lab conditions that have no relation to how people engage with games in the real world – but the best we have show either no link at all between violent games and violent thoughts or behaviour, or a positive correlation so minuscule as to be meaningless. A review of the science in 2020, which looked at and re-evaluated 28 global studies of video games and violence, found no cumulative harm, no long-term effect, and barely even any short-term effect on aggression in the real world. It concluded that the “long-term impacts of violent games on youth aggression are near zero”.
This seems self-evident: video games have been a part of popular culture for at least 50 years, since Pong, and violent games have existed in some form since Space Invaders, though they’ve gotten more visually realistic over time. If video games were in some way dangerous – if they significantly affected our behaviour, our emotional responses – you would expect to have seen widespread, cross-cultural changes in how we act. That is demonstrably not the case. Indeed, overall, violent crime has been decreasing for more than 20 years, the exact period of time during which games have become ubiquitous. Though it would be unscientific to credit video games with that effect, you would think that if the generations of people who’ve now played Doom or Call of Duty or Grand Theft Auto were warped by it, we might be seeing some evidence of that by now.
It is true that some perpetrators of mass murders – such as the Columbine shooters – were fans of video games. But given that the great majority of teenagers are fans of video games, that doesn’t mean much. More often than a fixation on violent media – of all kinds – mass shooters display an obsession with weapons or explosives or real-life killers, an interest in extremist views, social ostracisation. These are not otherwise well-adjusted people suddenly compelled to real-world violence by a game, or a film, or a Marilyn Manson album.
The history of the “video games cause violence” argument goes back even further than video games themselves: it’s an extension of the panic that flares up whenever a new and supposedly morally abject form of youth culture emerges. In the 1940s, when New York’s mayor ordered 2,000 pinball machines to be seized so that he could performatively smash them up, it was arcades; during the satanic panic of the 1980s and beyond, it was metal music. Since the mid to late 90s, it’s been video games, and no amount of studies debunking any link between them and real-world violence seems to make a difference.
So why does this argument keep showing up? In short: because it’s an easy scapegoat that ties into older generations’ instinctive wariness of technology, screen time and youth culture, and it greatly benefits institutions like the NRA and pro-gun politicians to have a scapegoat. Whenever video games are implicated in a violent event, there is usually stunning hypocrisy on display. After the El Paso shooting in 2019, Walmart removed violent video game displays from its stores – but continued to sell actual guns. Fox News, the TV network that platforms Tucker Carlson and the great replacement theory with him, is happy to point out that the perpetrator of a mass shooting played video games, while remaining oddly quiet on the racist ideas that show up in these shooters’ manifestos.
I’m not saying that we shouldn’t examine video game violence at all, or question it. Does every game that involves sneaking up on enemies need a gratuitous neck-breaking animation when you succeed in overpowering a guard? Why do games so often resort to violence as the primary method of interaction with a virtual world? Do we really need more violent media – couldn’t we be playing something more interesting than another military shooter? These are valid and interesting questions. But they have nothing to do with real-world violence.
What to play
Back in 1994, video game magazine Edge ended its review of Doom with this infamous line: “If only you could talk to these creatures, then perhaps you could try and make friends with them, form alliances… Now that would be interesting.” Nearly 30 years later, “talk to the monsters” jokes and memes still crop up, even if nobody remembers where it originally came from.
Turns out that reviewer had a point, though, as proved by 2015’s Undertale, probably the most interesting anti-violent video game I’ve played. In this lo-fi role-playing game, you get into fights with plenty of monsters, but instead of battering them into submission you can win them over by talking them down and showing them mercy, which is often the more difficult option. In most games, there’s no question about what you do when a monster turns up in your path: this one makes you interrogate yourself. I interpreted it at the time as social commentary on pacifism and community, and looking back, I don’t think that was too much of an overreach.
Available on: PC, PlayStation 4, Xbox One, Nintendo Switch Approximate play time: 6-10 hours
What to read
I’m going to start with a book this time: Lost in a Good Game: Why We Play Video Games and What They Can Do For Us, by Pete Etchells. A researcher and lecturer in biological psychology, Etchells’ perspective on video games is both relatable and extremely well-informed. He looks at the evidence (or lack of evidence) behind all the most pervasive beliefs about video games, and in the end he makes the case that most of the effects that they have on individuals and society are actually positive. It’s a reassuring read that I often recommend to worried parents who don’t play games themselves.
Grand Theft Auto V, perhaps the poster child for morally bankrupt video games that supposedly corrupt the youth, has now sold 165 million copies, following its launch on PS5 and Xbox Series X earlier this year. This makes it one of the most popular entertainment products of all time in any medium, and yet strangely, in the nine years since it was released, we have not seen the emergence of roving gangs of teenagers looking to act out their chaotic GTA Online shootouts in real life. Funny that.