Microsoft CEO Satya Nadella praised the company New recall featurewhich Stores the history of your desktop and feed it to AI for analysis, as “image memory” for your PC. Meanwhile, in the cybersecurity community, the concept of a tool that silently takes a screenshot of your desktop every 5 seconds has been hailed as Hacker’s dream come true and the worst product idea in recent memory.
Now, security researchers have shown that even the remaining security protections intended to protect that feature from exploitation can be trivially defeated.
Since Recall was first announced last month, the cybersecurity world has pointed out that if hackers can install malware to gain a foothold on a target machine with the feature enabled, they can You can quickly access the entire user history stored by this function. Apparently, the only barrier to a high-resolution view of a victim’s entire life at the keyboard is that accessing Recall’s data requires administrator privileges on the user’s machine. That means malware without higher-level privileges will trigger permission popups, allowing users to block access, and that malware can also be blocked from accessing data. on most company machines by default.
Then on Wednesday, James Forshaw, a researcher with Google’s Project Zero vulnerability research team, published an update to a blog post indicating that he has found a method to access the Recall data Not available admin privileges—essentially stripping away even that last protective shield. “No admin needed ;-)” the post concluded.
“Fuck,” Forshaw added to Mastodon. “I really think the Recall database security will at least be secure.”
Forshaw’s blog post described two different techniques for bypassing administrator privilege requests, both of which exploit ways of defeating a basic security function in Windows called control lists. access to determine which components on the computer require which privileges to read and change. One of Forshaw’s methods exploits an exception to those control lists, temporarily impersonating a program on Windows machines called AIXHost.exe to be able to access even corrupted databases. limit. Another way is even simpler: Forshaw points out that because the Revocation data stored on the machine is assumed to belong to the user, a hacker with the same privileges as the user can simply rewrite the checklist access control on the target machine to grant itself access to the full database.
That second, simpler bypass technique is “frankly amazing,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently built a proof-of-concept hacker tool called TotalRecall designed to show that someone has gained access to the victim’s machine using the Revoke feature which can instantly take away all of the user’s history recorded by the feature. However, Hagenah’s tool still requires hackers to find another way to gain administrator privileges through so-called “privilege escalation” techniques before his tool works.
With Forshaw’s technique, “you don’t need any escalation of privileges, no pop-ups, no nothing,” Hagenah said. “This would make a lot of sense to implement in a bad actor tool.”
