1. Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Potential security issue

Discussion in 'GPU-Z' started by hexaae, May 9, 2013.

  1. hexaae

    Joined:
    May 9, 2013
    Messages:
    8 (0.01/day)
    Thanks Received:
    0
    Since the tool runs elevated with admin rights, clicking on the Validation tab links may lead to security issues because the opening browser will inherit and go on the net with the same privileges (disabling also Protected mode for example with IE...). The same happens when new versions are found and you're asked to update through a web link...

    Please make sure the links are launched with current user privileges, not with the same inherited by GPU-z.
     
  2. Aquinus

    Aquinus Resident Wat-man

    Joined:
    Jan 28, 2012
    Messages:
    7,435 (6.10/day)
    Thanks Received:
    2,848
    Location:
    Concord, NH
    I don't think you can do that. An application runs as only one users and when the application launches another one it will always be as the current user. I don't see many easy ways to get around this. It is only a security hole if you use that browser after it opens for other things, but I don't think what you asking is easily achievable.

    I'm sure W1zz will comment on the matter.
     
  3. hexaae

    Joined:
    May 9, 2013
    Messages:
    8 (0.01/day)
    Thanks Received:
    0
    No.
    You can test this yourself:
    0. enable UAC if you don't have it enabled, and enable Protected mode in IE 9/10.
    1. close all IE9/10 windows.
    3. run GPU-z and go to the tab Validation
    4. click on the link in blue 'here'. It will open a new IE instance and go to that URL.
    5. on an empty page area right-click and choose "Properties":
    Area: Protected mode disabled

    It's a potential issue as no-one will notice you're running the web "unprotected" after visiting that link (and the web page may be hacked or something else...). I'm sure there's a way to force current user privileges for a launched application, not inherited by parent task, at least I hope so...

    http://stackoverflow.com/questions/...-current-user-privilege-from-an-admin-process
     
    Last edited: May 9, 2013
  4. Aquinus

    Aquinus Resident Wat-man

    Joined:
    Jan 28, 2012
    Messages:
    7,435 (6.10/day)
    Thanks Received:
    2,848
    Location:
    Concord, NH
    You clearly didn't read my post.

    First of all, what you're asking very well might not be possible.

    What's you're describe also (protected mode disabled under UAC admin,) is the default behavior for IE under the admin account. You can't change the settings because this is hard coded into IE. If IE starts was elevated privileges protected mode will be disabled and there is no way to enable it with elevated permissions since nothing is restricting it.

    So if you can't start IE as another user and this is default behavior for MSIE, this isn't correctable so you can complain about how bad it is as much as you want, but you're complaining to the wrong people because this is all Microsoft and Windows that is doing that and GPU-Z only shows it because it is required to be run with elevated permissions.

    My advice would be: If this really bothers you, then don't use IE, but no one here will be able to fix that for you since it's expected behavior of Windows (not even GPU-Z.)

    Your link looks neat, but W1zz still has to implement it which may or may not work. It's a work around for the shortcomings of IE though and I'm not sure if it's worth the time versus just informing people. He'll make that call though, not me.
     
  5. hexaae

    Joined:
    May 9, 2013
    Messages:
    8 (0.01/day)
    Thanks Received:
    0
    What about a launcher task that runs with current-user privileges to start the GPU-z elevated child process, AND handle external links?
     
    Last edited: May 9, 2013
  6. RCoon

    RCoon Gaming Moderator Staff Member

    Joined:
    Apr 19, 2012
    Messages:
    9,160 (8.06/day)
    Thanks Received:
    5,507
    Location:
    Gypsyland, UK
    People use IE other than for downloading a new browser?
    Dont use IE?
     
  7. hexaae

    Joined:
    May 9, 2013
    Messages:
    8 (0.01/day)
    Thanks Received:
    0
    Please let's not start another boring flame VS IE... FFox for example does not even have a sandbox like IE and Chrome and has many cirtical vulnerabilities (as for all browsers): http://www.mozilla.org/security/known-vulnerabilities/firefox.html

    I don't think it's a IE-only issue: all tasks and browsers launched within GPU-z will inherit its privileges resulting in a security potential risk on the web...
    Other interesting links:
    http://www.codeproject.com/Articles/90713/Run-an-application-under-current-logon-user-s-priv
    http://support.microsoft.com/kb/2278183
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx
    http://msdn.microsoft.com/en-us/library/bb625960.aspx
     
    Last edited: May 9, 2013
  8. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    15,371 (3.81/day)
    Thanks Received:
    12,567
    couldn't find one.

    the most promising solution seems to add a task to task scheduler that runs a program as currently logged in user, now. clearly not a solution
     
  9. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,755 (4.41/day)
    Thanks Received:
    3,573
    good lord. this is a browser/OS security problem. w1z can't be asked to fix something that is Microsoft's problem. i would argue the best course of action is to use an alternative browser and make people aware of the inherent flaws in IE/Windows security design.
     
    Mindweaver says thanks.
  10. Mindweaver

    Mindweaver Moderato®™ Staff Member

    Joined:
    Apr 16, 2009
    Messages:
    5,642 (2.52/day)
    Thanks Received:
    3,215
    Location:
    Statesville, NC
    If you are worried about your browsing habits after you have updated, then why not close the browser and re-open? Why click the link to open your browser to obtain the new update if you are worried? I would just become a active member at TPU and grab the new GPU-Z when btarunr posts it in the news section... Err wait I already do that.. ;) Honestly you're worried about your browsing habits after GPU-Z launches your browser for the new update.. I don't see that as being a GPU-Z flaw. ;)
     
    Crunching for Team TPU
  11. hexaae

    Joined:
    May 9, 2013
    Messages:
    8 (0.01/day)
    Thanks Received:
    0
    Yes, it's something MS should add to the OS. The "potential problem" is obviously not limited to GPU-z only but to all programs with admin rights able to open a link. There should be an easy way to launch a task with a lower privilege level with Windows, and MS should provide a documented solution.

    Happens the same with FFox and other browsers since they'll run with Admin privileges. It's not a IE specific flaw.

    Of course I know how to avoid that with a workaround solution :laugh: but many users won't notice this and will be exposed to more potential security risks once their browser will have the highest privileges.

    Thank you for your replies...
     

Currently Active Users Viewing This Thread: 1 (0 members and 1 guest)

Share This Page