Vista security, maybe others too

Glenn · Aug 24, 2008, 08:10:13

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of objects, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit

edited the link, now works

madasahatter · Aug 24, 2008, 08:20:02

Certainly doesn't make vista look good

But wait - reading into it:

"It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments."

The headline just has to be vista to suit all the vista bashers doesn't it, but given that there are still many times more XP and server 2003 users out there.....

Inactive · Aug 24, 2008, 08:45:23

Quote from: madasahatter on Aug 24, 2008, 08:20:02

The headline just has to be vista to suit all the vista bashers doesn't it, but given that there are still many times more XP and server 2003 users out there.....

Indeed, I wonder why?.....

madasahatter · Aug 24, 2008, 08:47:22

Quote from: Inactive on Aug 24, 2008, 08:45:23
Indeed, I wonder why?.....

Ted · Aug 24, 2008, 08:48:55

Link not working.
Try this one. http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit

Glenn · Aug 24, 2008, 08:57:31

Mad, I'm not bashing Vista, I use it myself on my laptop, the most used computer in my house.

Steve · Aug 24, 2008, 09:14:23

Certainly alarmist, they have given few details but reading some of the comments which I don't fully understand you have to possibly remove some of the standard security for some of these exploits to run i.e UAC off and run IE in unprotected mode.

It was bound to happen eventually,it will be interesting if the older OS' i.e xp can also be exploited.

There are a lot more older cars on the road than new ones.

Inactive · Aug 24, 2008, 09:17:37

Quote from: stevethegas on Aug 24, 2008, 09:14:23

There are a lot more older cars on the road than new ones.

Which are also generally better made than the new ones, with less to go wrong..

madasahatter · Aug 24, 2008, 09:19:13

Quote from: Glenn on Aug 24, 2008, 08:57:31
Mad, I'm not bashing Vista, I use it myself on my laptop, the most used computer in my house.

I know you weren't Glenn - it was the article that was doing that. Sorry if you thought I was having a go at you

madasahatter · Aug 24, 2008, 09:24:35

Quote from: stevethegas on Aug 24, 2008, 09:14:23
Certainly alarmist, they have given few details

Usual journalist subjective stuff really. We don't know all the details, we don't really understand it, but hey - it's a good headline, and we'll bury the stuff we don't really want to talk about in a single sentence in the middle somewhere.

The standards of journalism in this country, seemingly in all forms of media have gone downhill imo

Rik · Aug 24, 2008, 09:55:33

We seem to be reaching the point where the only safe OS is the one not connected to the 'net. I wonder how long before many of us have a machine for browsing etc that is only used for that purpose?

Glenn · Aug 24, 2008, 10:09:39

I have one already, its my laptop

Rik · Aug 24, 2008, 10:12:52

I can see it becoming the norm, Glenn. We'll probably all become very adept at re-loading the OS.

Glenn · Aug 24, 2008, 10:28:32

You have just justified you birthday present to yourself a copy of Windows Home Server

Rik · Aug 24, 2008, 10:30:58

I tried that suggestion earlier, Sue decided we didn't have anywhere to put another machine.

madasahatter · Aug 24, 2008, 10:32:06

Quote from: Rik on Aug 24, 2008, 10:30:58
I tried that suggestion earlier, Sue decided we didn't have anywhere to put another machine.

I'm sure you could find space Rik - chuck out all the furniture and hey presto - room for loads more kit

Rik · Aug 24, 2008, 10:38:28

I did suggest that, Mad. Turn the lounge into an equipment room, put an air-conditioner in there, keep the temperature down to about 15C, eliminate dust etc.

I think the bruising will fade in two or three days.

Glenn · Aug 24, 2008, 10:40:35

It doesn't need a keyboard monitor or mouse, so a nice corner in the loft/garage/shed would do.

Rik · Aug 24, 2008, 10:45:33

I have room under the bench if I could just get rid of some of my paper stock.

Gary · Aug 24, 2008, 11:06:07

Quote from: Inactive on Aug 24, 2008, 09:17:37
Which are also generally better made than the new ones, with less to go wrong..

That very true In

they also tend to be the ones without the safety features so you tend to die in a crash more easily.

To be honest as the net continues to grow as Rik said it seems the safest pc in one not connected

what was a great tool has just become a minefield and most of us are petty aware of our security so god help the people who have no clue but want to chat to their relatives on webcam and think every pop up is a thing to click, the trouble is I know people who don't patch because of pop up incidents so think Microsoft patches will be the same (sometimes they can be) but a unpatched machine from fear is asking for trouble and my mother for one has no clue about patching and ignores calls from flash player etc as she gets scared. As for getting her to use FF3, no chance, it's these people who will get bitten then we get it next from the shear number of botnets

Gary · Aug 24, 2008, 11:08:51

Quote from: Rik on Aug 24, 2008, 10:38:28
I did suggest that, Mad. Turn the lounge into an equipment room, put an air-conditioner in there, keep the temperature down to about 15C, eliminate dust etc.

I think the bruising will fade in two or three days.

I asked Justina, the answer was similar, we seem it appears to have enough technology already,

I did point out it will keep the house warm though

bad mistake as she pointed to electricity bills from my gadgets now

Inactive · Aug 24, 2008, 11:19:28

Quote from: Killhippie on Aug 24, 2008, 11:06:07
That very true In they also tend to be the ones without the safety features so you tend to die in a crash more easily.

Oh yea, I forgot about all of the " safety features " that make new cars safe Gary, sadly all to no avail if they have a loose nut behind the wheel of course.

Tacitus · Aug 24, 2008, 11:24:23

Quote from: Rik on Aug 24, 2008, 09:55:33
We seem to be reaching the point where the only safe OS is the one not connected to the 'net. I wonder how long before many of us have a machine for browsing etc that is only used for that purpose?

It's not the fact that we're connecting to the 'net as such, it's the increased levels of interaction via Javascript, Active-X, .NET and so on that are causing the problems.

Had it stayed at what it was, simply a means of viewing information, most of the problems wouldn't be there. I suppose it's called progress....

Gary · Aug 24, 2008, 11:27:01

Quote from: Inactive on Aug 24, 2008, 11:19:28
Oh yea, I forgot about all of the " safety features " that make new cars safe Gary, sadly all to no avail if they have a loose nut behind the wheel of course.

The only lose nut behind the steering wheel is the driver, In as you say but if you are hit by the afore mentioned "loose nut" you stand a better chance, they did a test on two popular people carriers, both same make but ten years apart they crashed them into each other head on at 60mph (ish) and the new one with its "safety features" literally went straight through the other and you would have survived in the new one, so in that respect you are safer in a newer vehicle, its just the kids with Daddy who pays for the insurance for a 200bhp Golf GTI for his 18 year old "Nut" you have to watch out for in your older car

Gary · Aug 24, 2008, 11:30:14

Quote from: Tacitus on Aug 24, 2008, 11:24:23
It's not the fact that we're connecting to the 'net as such, it's the increased levels of interaction via Javascript, Active-X, .NET and so on that are causing the problems.

Had it stayed at what it was, simply a means of viewing information, most of the problems wouldn't be there. I suppose it's called progress....

I know a guy on the Kaspersky security forum, he has no flash player, no QT or its alternatives, in fact no media plugins no messenger programs, and uses No Script he considers himself pretty safe, but to my mind you are missing out on the so much by running like that, but maybe in the end we wont have a choice