Every week Windows 7 users are presented with new security bulletins and reminded of attacks over the internet, downloaded malware and the many other ways an attacker can get into someone's computer. What is rarely talked about, and is of no less importance, is the physical attack a user faces when someone with access to the machine tries to get into his or her computer.
Take, for instance, a computer at work and one at home: you sometimes bring work home, keep very important files on the home computer, or simply do not want anyone else using it. The average user has one line of defense against someone logging in and doing as they please with those files, and that is a user password. More advanced users know other methods, such as setting a BIOS password, but most users have no idea this is possible.
Two weeks ago I wrote a program that allows a user to replace the Ease Of Access button on the Logon Screen. It was meant to give users more flexibility, since some users never use the Ease Of Access button.
While putting this application together I came across something purely by accident. With a small modification to the code, a user could not only replace the Ease Of Access button but could use it as a means of accessing someone's computer from the Logon Screen. All one had to do was replace the Ease Of Access button with "a particular in-built native Windows tool"!
This potentially allows a user to bypass every user's password, attach a flash drive … and remove anything from the computer they wish. Beyond copying files out, the user could delete, modify or move any file on the computer, essentially destroying the operating system, in which case you would need to reinstall.
Following are screenshots of my modified application at work:
Test user account, password protected.
My thumb drive inserted, showing there are no files on the drive.
Browsing the Test account, I select and copy three files I created for the test.
Copied over to the thumb drive.
Logged in, showing the files I copied to the thumb drive.
I have been in contact with Microsoft through several emails explaining the issue, and I have supplied Microsoft with the complete details and the code I used. So far the response has not been very positive, as the particular employee I have spoken to does not believe this to be an issue. I am still waiting on their next response to see what steps Microsoft may take to remedy this, and hopefully they will take the issue seriously.
This was the Microsoft representative's response:
There are a couple of behaviors that make this an issue that we would not consider a security vulnerability from my understanding of your report.
- To run a different executable as admin, the file to be changed has to be changed by an admin. The changed utility may then be available to even standard users at logon, but the change must be done by an admin user.
- Physical access to the system is necessary in order to carry out this behavior. There are many malicious things a user can do with physical access to a system and while we do publish best practices for physical security of computing resources, we cannot protect against physical access in its entirety.
Microsoft also provided the following link, stating that the first point above corresponds to law #6 and the second point to law #3 on this list: 10 Immutable Laws of Security
What the Microsoft representative failed to understand is that a user does not have to be an administrator to run the code. It can be run by anyone with physical access and enough knowledge.
My point to Microsoft is simple. Replacing the Ease Of Access button should not be this easy. Better steps should have been taken to ensure that something this critical, a core element of the Logon Screen, cannot be modified. If that cannot be ensured, there should be an option to not display the button at all.
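Until Microsoft changes anything, the practical check an administrator can do is to notice when one of the executables the Logon Screen relies on has been swapped. The following PowerShell script is an added example written for this post and is not the author's tool or anything Microsoft ships. It records a SHA-256 baseline of every executable in System32 and later reports files whose hash changed or that are missing from the baseline. It deliberately does not single out any one file name, since the post does not name the replaced tool; the baseline location, the parameter names and the target folder are my own assumptions.

```powershell
# Added example, not code from the original post.
# Run once with -Mode Baseline on a known-good machine, then -Mode Compare
# whenever you want to verify that nothing in System32 has been swapped.
# Requires PowerShell 4 or later for Get-FileHash (Windows 7 needs WMF 4+).
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed baseline location; keep a copy off the machine, since anyone with
    # physical access could rewrite a baseline stored locally.
    [string]$BaselinePath = "$env:ProgramData\system32-baseline.csv",
    [string]$Target = "$env:SystemRoot\System32"
)

function Get-ExeInventory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Status = [string]$sig.Status
            }
        }
}

switch ($Mode) {
    'Baseline' {
        Get-ExeInventory -Root $Target | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Host "Baseline written to $BaselinePath"
    }
    'Compare' {
        $baseline = @{}
        Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_ }

        foreach ($item in Get-ExeInventory -Root $Target) {
            $old = $baseline[$item.Path]
            if (-not $old) {
                Write-Warning "NEW file not in baseline: $($item.Path)"
            }
            elseif ($old.Sha256 -ne $item.Sha256) {
                # A file replaced by a copy of another built-in Windows tool still
                # carries a valid Microsoft signature, so the hash change is the
                # only thing that gives the swap away.
                $msg = "CHANGED: $($item.Path)`n  baseline $($old.Sha256)`n  current  $($item.Sha256) (signature: $($item.Status))"
                Write-Warning $msg
            }
            if ($item.Status -ne 'Valid') {
                Write-Warning "Unsigned or bad signature: $($item.Path) ($($item.Status))"
            }
        }

        foreach ($path in $baseline.Keys) {
            if (-not (Test-Path -LiteralPath $path)) {
                Write-Warning "MISSING since baseline: $path"
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, Windows Update legitimately replaces System32 binaries, so re-run the baseline after patching or every hash change will look suspicious. Second, a signature check alone is not enough here: because the attack described in this post swaps in a native, Microsoft-signed tool, Get-AuthenticodeSignature will report the replacement as Valid, which is exactly why the comparison keys on the hash rather than on the signature.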
If you feel this is as serious an issue as I believe it is, please contact security (at) microsoft (dot) com and voice your concerns.