Slashdot
Vista's Security Rendered Completely Useless

Posted by kdawson on Fri Aug 08, 2008 08:08 AM
from the bypassing-memory-protection-safeguards dept.
scribbles89 sends in a story that originally ran in SearchSecurity; it sounds like it could be a game-changer. "While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi..., 'the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.'" Update: 08/08 14:23 GMT by KD: Changed the link, as the story first linked had been lifted without attribution.
  • Details... (Score:5, Insightful)

    by EvanED (569694) on Friday August 08 2008, @08:11AM (#24523001)

    Too bad it doesn't explain what they actually did and just says "ooo, this is really bad". It'd be interesting to see a description, and see if other systems with similar protections are vulnerable.

    • Re:Details... (Score:5, Insightful)

      by Anonymous Coward on Friday August 08 2008, @08:18AM (#24523053)

      These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

      From this paragraph it sure sounds like the author of the article hasn't got a clue.

    • Re:Details... (Score:5, Insightful)

      by rsmith-mac (639075) on Friday August 08 2008, @08:20AM (#24523071)
      They also don't point out whether this breaks out of the IE sandbox or not. This makes a big difference, as if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE. More details would have been nice.

      • Re:Details... (Score:5, Insightful)

        by archeopterix (594938) on Friday August 08 2008, @08:36AM (#24523217) Journal

        if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE.

        Every time an exploit occurs, people start blabbering about "correctly configured" machines, completely missing the point. What is really important is this: does it work on an out-of-the-box Vista or not?

        • Re:Details... (Score:5, Informative)

          by Blakey Rat (99501) on Friday August 08 2008, @08:54AM (#24523379)

          While you have a point, I'd just like to point out that out-of-the-box IE is in a sandbox in Vista. Frankly, I don't even know how to run it otherwise.

    • Re:Details... (Score:5, Interesting)

      by Zeinfeld (263942) on Friday August 08 2008, @08:21AM (#24523091) Homepage
      Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

      In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.

      Cf. all those 'studies' that 'prove' porn is bad or watching TV turns kids into Martians or whatever. Every time that stuff hits the press the paper is 'to be published', which is a good way to prevent opponents getting in a response.

      • Re:Details... (Score:5, Insightful)

        by ShieldW0lf (601553) on Friday August 08 2008, @08:39AM (#24523249) Journal
        Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

        In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.


        They're presenting their findings at a black hat conference this week. What makes you think they have any motivation to help MS fix it beforehand? Did it ever occur to you, as people who break security systems they think impede their own and other peoples freedom, they might, just might, have a strong motive to punish anyone who installed it and drive them off Vista?
        • Re:Details... (Score:5, Insightful)

          by Kihaji (612640) on Friday August 08 2008, @08:56AM (#24523397)

          So you're claiming the "Won't someone please think of the children" defense? If they don't want to use Vista or any other piece of software, that's their choice, but to think that somehow they are doing this to protect me by making me see the "error of my ways", well that's a giant bag of crap. They are called PERSONAL choices for a freaking reason.
      • by Anonymous Coward on Friday August 08 2008, @08:58AM (#24523421)

        From TFA:
        "While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public."

        So, Microsoft is
        a.) Not currently aware of the details of the exploit and
        b.) Doesn't plan (or, apparently, want) to GET the details until the details are PUBLISHED.

        Apparently, Microsoft's "Security Response Center" has no idea that they have a window of opportunity to fix the problem BEFORE the details are in the wild. Why would we want that? Nah, we don't need to be pressing for details. We'll figure it out when our customers start screaming about exploits.

        I've thought MS was somewhat incompetent on security, but this is mind boggling.

    • Re:Details... (Score:5, Insightful)

      by adpsimpson (956630) on Friday August 08 2008, @08:22AM (#24523099)

      I'm sure I'm not the only one who remembers running some little script [slashdot.org] with normal user privileges, and suddenly seeing the prompt change from
      user@computer:~$
      to
      root@computer:~#

      And, well, that had been around forever, apparently. And, well, it was fixed the next day.

      The moral? Horrendous, gaping security holes do exist, and are found from time to time. And they get fixed (faster in FOSS than Windows, but they still get fixed). Of course, some OSs are more equal than others when it comes to general security and user-centric design, but I just can't believe for a minute that this is some life-shattering, end of the world event for Microsoft.

      • by bcmm (768152) on Friday August 08 2008, @08:51AM (#24523351)
        #!/bin/bash
        PS1="root@computer:~#"
        export PS1
        # Pwned
        • Re:Details... (Score:5, Insightful)

          by Blakey Rat (99501) on Friday August 08 2008, @08:57AM (#24523417)

          Extraordinary claims require extraordinary proof. The linked article provides... vagueness. It mentions that they used a browser (which one?) and that it has something to do with defeating the NX bit. I'm guessing that it's not nearly as severe as this article's hyperbole makes it seem.

    • by Concern (819622) * on Friday August 08 2008, @08:28AM (#24523145) Journal

      Something about "Big Claims" needing "Big Evidence"?

      The "rah rah" quotes from the reporter make it sound like bullshit, even if it weren't. Without even the barest sensible explanation about what was done here, this is a non-story.

  • by dalesc (66212) on Friday August 08 2008, @08:18AM (#24523059)

    Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

  • by Lord Byron II (671689) on Friday August 08 2008, @08:23AM (#24523101)

    First of all, the hack takes advantage of the way Internet Explorer handles scripting languages, implying that Firefox/Safari/Opera users are safe. Second, I can run most Windows code on my Linux machine via Wine. If Wine doesn't have this security hole (or even XP for that matter) then it's perfectly reasonable to assume that a rewrite of the affected portions of Vista will provide the fix.

    To say that it's broken and can't be fixed is as much of a sure thing as saying it's secure and can't be hacked.

  • Article Text (Score:5, Informative)

    by Anonymous Coward on Friday August 08 2008, @08:23AM (#24523107)

    This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

    Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

    While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

    According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

    While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Dai Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

    These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

  • by wild_quinine (998562) on Friday August 08 2008, @08:27AM (#24523131)
    I would treat this 'news' with a healthy dose of scepticism for now. It looks like the standard shit-talking that goes ahead of all major black-hat conferences.

    Save your Microsoft bashing for the unlikely possibility that this is even half the exploit as Dowd and Sotirov are claiming.

  • by Dekortage (697532) on Friday August 08 2008, @08:30AM (#24523163) Homepage

    How To Impress Girls With Browser Memory Protection Bypasses [blackhat.com].

    Game over? Sounds more like "Gentlemen, start your engines."

  • by smchris (464899) on Friday August 08 2008, @08:35AM (#24523207)

    But what about all the _other_ great things about Vista? Like......ummm, you know.

  • Not surprised (Score:5, Insightful)

    by unity100 (970058) on Friday August 08 2008, @08:42AM (#24523275) Homepage Journal
    This is what happens when you implement an extreme layer of security that can totally take over a computer, but DON'T trust the computer's owners and users enough to give all power over it to them, and allow for privileged access to outside sources - be it Microsoft's update servers, be it certified tech support etc.

    It is only a matter of time for any malicious third party to figure out your elaborate access scheme and get control of people's computers, because if you can do it, others can do it too.
  • Hmm... (Score:5, Interesting)

    by bhtooefr (649901) on Friday August 08 2008, @08:44AM (#24523291) Homepage Journal

    Looks to me more like a .NET and IE design flaw that could be easily fixed, than what this article is making it out to be. ABSOLUTE worst case is that it requires better authentication of the system's own code, which... shit, isn't that already part of Vista's security model? Just expand the scope. (Granted, THAT could break stuff.)

    And, there's even a quick and dirty fix Microsoft could do, albeit at a possible extreme performance hit.

    Sandbox .NET apps, don't trust any of the framework.

    It could break OLE horribly, but not if they do it right - and how much is old-school OLE used anyway? And, for ActiveX plugins that are also used as standalone apps (such as Adobe Reader), just fire up a second copy of the process in the sandbox.

    • by kingramon0 (411815) on Friday August 08 2008, @08:21AM (#24523089) Homepage

      "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

      So in other words, like 80+% of the other exploits on web, the exploit only works if you use Internet Explorer?

      From TFA:

      This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System. (emphasis added)

    • I suspect you're right. Reading the article, it sounds like they have a way of using browser plugins as a way to get around the address space randomization features in Vista. That's a big deal, and it really might be as hard to patch as they claim. But address space randomization was never a silver bullet and even without it, all they've done is put us back to a Windows XP world.

      What would be interesting is if they can extend the attack to Linux, which also does a certain amount of randomization. If they can do that, then they've got a reusable, general purpose attack. But, as it stands, it certainly doesn't sound like anything too new. People have been attacking Flash, ActiveX, Java applets, and other plugins for years.
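
The "Article Text" comment above describes the two protections the researchers are said to defeat: DEP/NX (data pages are not executable) and ASLR (stack, heap and libraries land at unpredictable addresses). The comment just above asks the same question about Linux. The primitive Dai Zovi describes, "chosen content to a chosen location with chosen permissions", is dangerous precisely because it hands the attacker exactly what those two protections are meant to deny. The following C program is an added example written for this page; it is not code from the article, from Dowd and Sotirov, or from Microsoft, and it does not reproduce their bypass. It shows the two checks a practitioner would run on a process to see whether the protections are actually in effect: which permission bits cover a given address (the DEP question), and what the kernel's ASLR policy is. It assumes a Linux host, because it reads /proc/self/maps and /proc/sys/kernel/randomize_va_space; on Windows the per-page question is answered with VirtualQuery instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Permission bits returned by mapping_perms(). */
#define MAP_R 1
#define MAP_W 2
#define MAP_X 4

/* Find the mapping that contains addr in /proc/self/maps (Linux only)
 * and return its permissions as a combination of MAP_R, MAP_W, MAP_X.
 * Returns -1 if the address is not mapped or /proc is unavailable. */
int mapping_perms(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;

    uintptr_t target = (uintptr_t)addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        /* Each line looks like: "lo-hi perms offset dev inode [path]". */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (target >= lo && target < hi) {
            result = 0;
            if (perms[0] == 'r') result |= MAP_R;
            if (perms[1] == 'w') result |= MAP_W;
            if (perms[2] == 'x') result |= MAP_X;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Kernel ASLR policy: 0 = off, 1 = stack/mmap/vdso randomised,
 * 2 = brk heap randomised as well. Returns -1 if it cannot be read. */
int aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int level = -1;
    if (fscanf(f, "%d", &level) != 1) level = -1;
    fclose(f);
    return level;
}

/* A heap buffer: with DEP/NX in effect it must be writable but not
 * executable. One allocation is kept for the life of the process. */
int heap_perms(void)
{
    static char *buf;
    if (!buf) buf = malloc(4096);
    return buf ? mapping_perms(buf) : -1;
}

/* The program's own code: executable but never writable. */
int code_perms(void)
{
    return mapping_perms((const void *)&mapping_perms);
}

/* An attacker with "chosen location, chosen permissions" could make this
 * return nonzero for a buffer they control; on a protected process it
 * returns 0 for both the heap and the stack. */
int is_writable_and_executable(const void *addr)
{
    int p = mapping_perms(addr);
    return p > 0 && (p & MAP_W) && (p & MAP_X);
}

int main(void)
{
    char stack_var = 0;
    printf("randomize_va_space = %d\n", aslr_level());
    printf("code  at %p perms=%d\n", (void *)&mapping_perms, code_perms());
    printf("heap  perms=%d\n", heap_perms());
    printf("stack at %p perms=%d\n", (void *)&stack_var,
           mapping_perms(&stack_var));
    printf("stack W+X? %d\n", is_writable_and_executable(&stack_var));
    return 0;
}
```

Run it twice: with randomize_va_space at 2 the printed code and stack addresses change between runs, and the stack and heap report write-but-no-execute permissions. That is the baseline the article says was circumvented by getting the browser to load attacker-chosen modules; the same two checks, applied to every module in the browser process, are how you would confirm whether a given plugin or runtime is loaded without ASLR or with executable writable pages.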