How Secure is LUA with SuRun?

Hey folks, after reading the excellent threads here on using a Limited User Account in Windows XP in conjunction with SuRun, decided to give it a try, and I have to say, I was VERY impressed.

My question is, how secure exactly is the LUA/SuRun combo? Or how secure exactly is LUA itself in XP SP2? What are the possible exploits and vulnerabilities that can render such a system in state of compromise? eg. Possible ways for a malicious process to get around the access restrictions or gain administrator priveleges.

Any help would be greatly appreciated!

 

There are 4 attack vectors that can defeat lua-surun

1. web-script based privelidge escalation
2. web-script based buffer overflow attack
3. web-script exploits a bug in a browser plugin
4. trusted application downloads an update, you give it admin rights, but it turns out that the update is malicious

Some of these attacks can be blocked by enabing DEP

All vectors can be blocked by tools like comodo firewall with defence+

The 4th attack vector will be blocked by an upcoming version of comodo (might take some time though (months/years))

 

From your post, it seems that only vulnerabilities of an LUA involve web scripting (except no. 4). In that case, I'm assuming that script blocking systems like NoScript for Firefox would solve these three. Is this correct?

 

Noscript would do the trick for 99% of those attacks.

However as soon as you allow 1 site to use scripts you're open to attack again. (Sites you trust can be comprimised after all)

 

There are a number of ways the system could be compromised when running LUA and SuRun on XP. Here are some:

a) buffer overflow in highly privileged code, such as an antivirus program
b) alteration of files, registry, or other objects from 3rd-party programs that have poorly configured security permissions - see The Case of the Insecure Security Software.
c) malware hooks or modifies the memory of a process that has been given admin rights by SuRun, which allows the malware to do anything the modified process with admins rights can do

The thread Is Limited User Account enough? Not really is relevant reading.

 

That sounds fairly ominous, if you ask me!

A classical HIPS (or perhaps even a behaviour based one) would make dealing with these problems a breeze, but one of the reasons i ventured into the whole LUA/SuRun method was to get rid of some of my security apps (HIPS being one).

Is there some other workaround? I currently run an LUA account on WinXP SP2 with SuRun and Avira AntiVir Personal in realtime.

 

If you are running Avira Free consider adding Defender in Spynet mode which makes it into a real time HIPS and when combined with DEP for all and LUA+SuRun its a formidable combo. In case you are running an x64 OS you are even more secure due to patch guard.

 

I've seen a limited user account breached on XP Home SP2. Given how that happened I concluded:

1) If you keep software updated and take reasonable care, a limited user account by itself will protect the OS from most remote drive-by downloads (but not the limited account itself).

2) But, if a user is very careless (clicking on anything), or if there is another user on the system intent on gaining admin access, LUA can be breached eventually with some work. An example would be a user unknowingly allowing the download of a file which includes a local privilege escalation exploit (it can't be executed remotely). The user negligently executes the file.

3) Adding a software restriction policy to XP Home is safer than using LUA alone, and the restricted account is then protected from most remote drive-bys as well. For a little extra inconvenience, changing some autostart registry entries would make the account even more secure.