Privilege escalation threats – What’s the big deal?

MITRE has a nice article on thin client technology with Secure Remote Peripheral Encryption Tunnels (SeRPEnT).

Their image shows how a thin client can have a trusted connection to the server.

[Image: secure encryption remote tunnel]

The article pushes thin clients, and as we all know, thin clients can run on top of standard computers, like Windows 8 machines (the thin client becomes just another app).

Unfortunately, another part of MITRE has a technical paper on Windows 8 privilege escalation.

Specifically, in the Abstract: “The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined “Runtime Service” interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode.”

So in essence you may think you have a trusted connection, but if malware is sitting in the Runtime Service interface, it can run or take control while the user thinks everything is OK.
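As an added example (my own, not from the post or from MITRE’s paper): the Windows API the abstract refers to is guarded by the “Modify firmware environment values” user right (SeSystemEnvironmentPrivilege), which on a stock install only Administrators hold. One practical defender’s check is therefore to audit who holds that right. The script below parses a `secedit /export /cfg <file>` dump, a constructed sample is embedded so it runs offline, and flags any holders beyond an allow-list, which is assumed here to be just BUILTIN\Administrators (S-1-5-32-544). Pass the path of a real export to run it against a machine.

```python
"""Audit which accounts may reach UEFI firmware variables from userland.

Added example, not from the original post or MITRE. On Windows 8 and later the
Get/SetFirmwareEnvironmentVariable APIs require the 'Modify firmware environment
values' user right (SeSystemEnvironmentPrivilege); by default only Administrators
(S-1-5-32-544) hold it. This script parses the [Privilege Rights] section of a
`secedit /export /cfg <file>` dump and flags any holders outside the allow-list.
"""
import sys

# Constructed sample of a secedit export (a real export is UTF-16 on disk).
# The second SID on the SeSystemEnvironmentPrivilege line is a made-up domain
# account added here to show what an unexpected holder looks like.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Privilege Rights]
SeSystemEnvironmentPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Expected holders on a stock policy (assumption: BUILTIN\Administrators only).
DEFAULT_ALLOWED = {"S-1-5-32-544"}


def parse_privilege_rights(text):
    """Return {privilege_name: set_of_holders} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = set()
        for item in value.split(","):
            item = item.strip()
            if item:
                holders.add(item.lstrip("*"))  # secedit prefixes raw SIDs with '*'
        rights[name.strip()] = holders
    return rights


def unexpected_firmware_env_holders(text, allowed=DEFAULT_ALLOWED):
    """Holders of SeSystemEnvironmentPrivilege that are not in the allow-list."""
    rights = parse_privilege_rights(text)
    holders = rights.get("SeSystemEnvironmentPrivilege", set())
    return sorted(holders - set(allowed))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A real secedit export; secedit writes it as UTF-16.
        with open(sys.argv[1], encoding="utf-16") as fh:
            export_text = fh.read()
    else:
        export_text = SAMPLE_EXPORT
    extra = unexpected_firmware_env_holders(export_text)
    if extra:
        print("Unexpected holders of SeSystemEnvironmentPrivilege:", ", ".join(extra))
    else:
        print("Only the expected accounts can modify firmware environment variables.")
```

The check is deliberately narrow: it does not tell you whether the firmware itself is vulnerable, only whether the set of accounts that can reach the Runtime Service interface from userland has grown beyond what the policy intended, which is the least-privilege question the abstract raises.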

So privilege escalation threats are a big deal when they are placed in the right places, running evil malware that messes with our computers and potentially our bank processing. As usual, it always comes down to how much money the criminals can obtain. So thanks, MITRE, for waking us up to this potential attack vector. MITRE is a not-for-profit that works with government and educational institutions on federally funded projects.

This brings up another point: should MITRE have released this kind of general potential attack vector to the public before it could be fixed? Since it is general in nature, it was wiser to just release it, so we can all think about how to combat this potential vector. If it were a specific attack, the researchers would usually contact the manufacturer (in this case Microsoft) and tell them what it is, so Microsoft could get a head start on patching it. We all know that zero-day exploits with minimal “in-the-wild” time have lower value. All about the money $$, remember.

This is a general structural deficit of a major operating system, so I do not think withholding its release would have had the same effect.