Thread by John Lambert (14 tweets, 3 min read)
Everyone has moments that cement their decision to take their career in a certain direction. This is one of those. In 2004 my team was responsible for administering the Final Security Review on Microsoft products. The FSR was the check that all security requirements had been met.
I was the reviewer for a product from the server division first released in the 1990s. The team knew their product well and were incredibly responsive. This team didn’t just want the FSR to be done. They wanted it to be right.
Four years into Microsoft, I was no security expert and their product was a deep work in itself: hundreds of thousands of lines of code. I was determined to match their expectations for quality with tenacity. One area I dug into was its handling of elevated software installs.
There was a scenario where the download was done under the context of the user because in customer environments the file share hosting the software was permissioned based on user groups (e.g. Engineering can install the app, but not Sales).
They performed several steps to prevent tampering. At 7pm on Thursday night, with the FSR wrapping up the next day, I found myself poking at their validation. Could a user tamper with this process to run code of their choosing with SYSTEM rights?
I asked if a user could write to any of the files after they were downloaded. I asked about attacks involving holding open file handles to bypass hash checks. I asked about denying SYSTEM the ability to re-ACL the files. Strike out each time. The team had considered all of them.
I sat in front of my keyboard, midnight approaching, grasping at straws. A memory stirred. A couple years earlier in a meeting about malware, filesystems engineer David Golds made a side comment about a malware technique for evading anti-virus by using section objects.
Anti-virus checked for file infector viruses by inspecting changes to files. After a program closed a file, AV could check it for malware. A sneaky technique was to use a section object (aka File Mapping). Sections required a dance between the memory manager and the filesystem.
At 10:00pm, recalling only the words ‘write through a section,’ I opened Visual Studio to try to recreate this technique and construct a proof of concept.
I sent it over at 12:30 am. I expected to hear from the team the next day. 12 minutes later an engineer replied. He was online and looking into it. At 1:18 am he recompiled my program and adapted it for his environment.
At 2:10 am I got an email with the words: “Yep, that’s a vulnerability! It allows modification of files by a low rights user, after a hash check. I was able to repro and apply the attack on a real environment.” 👍
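The class of bug described above, as an added example that is not the thread's proof of concept (that was Windows code against a real product): a checker hashes a file through a fresh handle, and a low-rights user who mapped the file for write beforehand modifies it afterwards through the mapping, which outlives both the closed handle and a later permission change. POSIX mmap(MAP_SHARED) stands in for a Windows section object, chmod for re-ACLing, a second temp file for a SYSTEM-only directory, and FNV-1a for a real hash; the /tmp paths and the installer bytes are constructed. The second function shows the usual fix: copy the bytes somewhere the user cannot map, then hash and run only the copy.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample "installer" bytes. Both strings have the same length so the
   tampered bytes overwrite the original in place through the mapping. */
static const char ORIGINAL[] = "BENIGN_INSTALLER_V1\n";
static const char TAMPERED[] = "EVIL_INSTALLER_V1  \n";
#define PAYLOAD_LEN (sizeof ORIGINAL - 1)

/* The checker's hash: open a fresh handle, hash every byte, close the handle.
   FNV-1a stands in for a real cryptographic hash; the bug does not depend on it. */
static uint64_t hash_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint64_t h = 1469598103934665603ULL;
    for (int c; (c = fgetc(f)) != EOF;) {
        h ^= (uint64_t)(unsigned char)c;
        h *= 1099511628211ULL;
    }
    fclose(f);
    return h;
}

/* The low-rights user's preparation: create the file, map it MAP_SHARED for write,
   and close the descriptor. No handle stays open; only the mapping (on Windows, the
   section object) does, and it keeps the write access granted at mmap time. */
static char *prepare_mapped_file(char *path_template) {
    int fd = mkstemp(path_template);
    if (fd < 0) return NULL;
    if (write(fd, ORIGINAL, PAYLOAD_LEN) != (ssize_t)PAYLOAD_LEN) { close(fd); return NULL; }
    char *view = mmap(NULL, PAYLOAD_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    return view == MAP_FAILED ? NULL : view;
}

/* The late write: after the check has passed, modify the file through the view. */
static void tamper_through_view(char *view) {
    memcpy(view, TAMPERED, PAYLOAD_LEN);
    msync(view, PAYLOAD_LEN, MS_SYNC);
    munmap(view, PAYLOAD_LEN);
}

/* Vulnerable flow: lock the file down, hash it, then use it. chmod 0400 stands in
   for re-ACLing the file to SYSTEM; it does not revoke an existing mapping.
   Returns 1 if the bytes that get used differ from the bytes that were hashed. */
int write_through_section_after_check(void) {
    char path[] = "/tmp/installer-XXXXXX";
    char *view = prepare_mapped_file(path);
    if (!view) return -1;
    chmod(path, 0400);
    uint64_t checked = hash_file(path);   /* check passes on the benign bytes */
    tamper_through_view(view);            /* attacker acts after the check */
    uint64_t used = hash_file(path);      /* installer would run these bytes */
    chmod(path, 0600);
    unlink(path);
    return used != checked;
}

/* Hardened flow: first copy the bytes into a location the user cannot open or map
   (a second temp file standing in for a SYSTEM-only directory), then hash and run
   only the copy. Returns 1 if the copy is unaffected by the late write. */
int copy_then_check(void) {
    char path[] = "/tmp/installer-XXXXXX";
    char priv[] = "/tmp/private-XXXXXX";
    char buf[256];
    char *view = prepare_mapped_file(path);
    if (!view) return -1;
    int sfd = open(path, O_RDONLY);
    int pfd = mkstemp(priv);
    ssize_t n = (sfd < 0 || pfd < 0) ? -1 : read(sfd, buf, sizeof buf);
    int copied = n > 0 && write(pfd, buf, (size_t)n) == n;
    if (sfd >= 0) close(sfd);
    if (pfd >= 0) close(pfd);
    if (!copied) { munmap(view, PAYLOAD_LEN); unlink(path); unlink(priv); return -1; }
    uint64_t checked = hash_file(priv);   /* hash the private copy */
    tamper_through_view(view);            /* same late write to the original */
    uint64_t used = hash_file(priv);      /* install from the copy, not the original */
    unlink(path);
    unlink(priv);
    return used == checked;
}

int main(void) {
    printf("vulnerable flow: bytes changed after the check = %d\n",
           write_through_section_after_check());
    printf("copy-then-check: checked bytes preserved = %d\n", copy_then_check());
    return 0;
}
```

The Windows behaviour the thread relies on is the same in shape: the access a section object grants is fixed when it is created from the file handle, so a view from MapViewOfFile still writes to the file after CloseHandle on the file and after the DACL is tightened. Any design that hashes a user-reachable file and then runs that same file has this time-of-check/time-of-use window; copying into a location the user never had access to before hashing closes it.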
A few days later I got to meet the legendary Mark Zbikowski (‘MZ’ in the executable header). Mark worked in the filesystems group and helped the team with ideas to get out of the jam.
For me, this was the thrill of the job. Digging into complex products, applying things you’ve learned, and finding issues. Working with teams that barely knew you, and yet hung with you every step of the way to solve their security issues.
Our SDL work had many moments like this. Each time it recommitted you to the job. Not many roles let you touch product teams across the company, focus on value v. rules lawyering, and create moments that reinforce why we're doing something to everyone involved. 🙏