Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Operating Systems Software Windows

Vista's Security Rendered Completely Useless 415

Posted by kdawson
from the bypassing-memory-protection-safeguards dept.
scribbles89 sends in a story that originally ran in SearchSecurity; it sounds like it could be a game-changer. "While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi..., 'the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.'" Update: 08/08 14:23 GMT by KD : Changed the link, as the story first linked had been lifted without attribution.
This discussion has been archived. No new comments can be posted.

Vista's Security Rendered Completely Useless

Comments Filter:
  • Details... (Score:5, Insightful)

    by EvanED (569694) <evaned@ g m ail.com> on Friday August 08, 2008 @07:11AM (#24523001)

    Too bad it doesn't explain what they actually did and just says "ooo, this is really bad". It'd be interesting to see a description, and see if other systems with similar protections are vulnerable.

    • Re:Details... (Score:5, Insightful)

      by Anonymous Coward on Friday August 08, 2008 @07:18AM (#24523053)

      These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

      From this paragraph it sure sounds like the author of the article hasn't got a clue.

      • Re:Details... (Score:5, Insightful)

        by encoderer (1060616) on Friday August 08, 2008 @08:12AM (#24523629)

        Exactly. It's saber rattling. Sounds like nothing more.

        Furthermore, I love how silly some people here can be. The article says:

        far-reaching implications not only for Microsoft

        But somehow this is a Vista security issue?

        Please. Many here on this site, and many articles posted here, have a bias. There's nothing wrong with that, most things in life have a bias in some way.

        But there's a difference between "bias" and "intellectual dishonesty."

        This is the latter.

        • by An anonymous Frank (559486) <frank@har r y s t o t l e .com> on Friday August 08, 2008 @09:19AM (#24524627) Homepage

          Perhaps now that breaking security for Vista will become such a trivial matter, all those evil malware coders will focus on other, more challenging OSes...

          Mind you, a lot of people consider a product's solidity by the number of patches released, so, Vista is about to start looking real good, nah?

        • Re:Details... (Score:5, Informative)

          by MeNeXT (200840) on Friday August 08, 2008 @09:55AM (#24525267)

          This is a security Vista issue because it concerns how .NET was implemented on Vista. The method "may" be used on "possibly" other systems but as of yet it does not affect XP or OS X, as per the article. RTFM please.

          The fact of the matter is that no OS is completely safe but MS and Apple like people believe so since it's their marketing that dictates the direction of the OS. ... and yet there is not much more in the article to be ale to say anything for sure.

          The bias that most have is due to the marketing. If I am told I can do such and such with such, I better be able to. If I am told it's about security don't hide behind the marketing be upfront about the issues. Unfortunately form MS and Apple the only true fact is that they will try to milk as much as we are willing to give them.

        • Re:Details... (Score:5, Insightful)

          by hey! (33014) on Friday August 08, 2008 @10:21AM (#24525837) Homepage Journal

          Well, take stack smashing.

          It wasn't on anybody's security radar screen until, if I recall, the Morris Worm. So you could have an app that passes all the items on the best security checklist in existence, but if it read input into a local variable without checking the length (as nearly all of us C programmers did, back in the day, and some apparently still do), then your app was wide open.

          The discovery of a new class of attack vector can indeed have far-reaching implications, beyond the vendor that's the target of the first practical demonstration.

          But it' not an everyday occurrence. It ain't easy to to think up something that is truly new in an area where there is a lot talent working. Mostly, you come up with refinements and insights on what is already known. Richard Feynman discussed this in one of his books, that there was only one point in his entire career where, for a few hours, he knew something about the laws of physics that nobody else did.

          So it's probably still just saber rattling, but such a thing could exist.

      • Re:Details... (Score:5, Informative)

        by thePowerOfGrayskull (905905) <marc.paradise@gma i l . c om> on Friday August 08, 2008 @08:26AM (#24523793) Homepage Journal
        Not to mention this one(emphasis added):

        variety of scripting languages, such as Java, ActiveX and even .NET objects.

        None of those things listed is a scripting language...

        • Re:Details... (Score:5, Informative)

          by bestinshow (985111) on Friday August 08, 2008 @09:15AM (#24524561)

          It clearly means any environment which results in a compilation stage within the browser:

          * Java - JIT
          * .NET - JIT
          * JavaScript - JIT on some browsers now

          Why? Because they compile into executable code within a browser. Clearly the compiler/JIT/browser should sandbox these. But to compile code into memory, you need to disabled the NX bit check... that's one security mechanism bypassed. And I presume that address randomisation doesn't work for these JITs either. Yet.

          • Re:Details... (Score:5, Informative)

            by owlstead (636356) on Friday August 08, 2008 @10:56AM (#24526527)

            Well guessed. Now we have the link to the real article, we can confirm this to be the case. You still need another vulnerability to execute the code though. Having executable code on a well placed position in the process is step one, actually executing it is step two. They use a well known vulnerability to do so.

      • by elrous0 (869638) * on Friday August 08, 2008 @08:30AM (#24523847)
        Asked to comment on the new vague allegations of a super-threat with absolutely no details provided, a Microsoft spokesman responded "What the Hell are you talking about?"
      • Re: (Score:3, Funny)

        by nizo (81281) *

        Call me when my server is also covered it hot grits and petrified.

      • Re:Details... (Score:5, Insightful)

        by Opportunist (166417) on Friday August 08, 2008 @10:52AM (#24526441)

        That's even likely. He's not the one that found the exploit. He's a journalist.

        It's even likely that all he got was the paper (if that) and that it went waaaaaay over his head, so he most likely asked a few people who he deemed more clued and they nodded their head and confirmed that yes, that's hot stuff.

        So he wrote as best as he can.

        Just because the article doesn't really tell anything doesn't mean the threat doesn't exist. It only means the author didn't understand it too well and wanted to have a lurid tale.

    • Re:Details... (Score:5, Insightful)

      by rsmith-mac (639075) on Friday August 08, 2008 @07:20AM (#24523071)
      They also don't point out whether this breaks out of the IE sandbox or not. This makes a big difference, as if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE. More details would have been nice.
      • Re:Details... (Score:4, Interesting)

        by mr_mischief (456295) on Friday August 08, 2008 @07:29AM (#24523153) Journal

        Well, if they can really get past "all memory protection safeguards", that means the code can just overwrite your running kernel. I doubt that sentence was really intended to say that, though. it probably means specifically the ones new to Vista over XP that were listed.

      • Re:Details... (Score:5, Insightful)

        by archeopterix (594938) on Friday August 08, 2008 @07:36AM (#24523217) Journal

        if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE.

        Every time an exploit occurs, people start blabbering about "correctly configured" machines, completely missing the point. What is really important is this: does it work on an out-of-the-box Vista or not?

        • Re:Details... (Score:5, Informative)

          by Blakey Rat (99501) on Friday August 08, 2008 @07:54AM (#24523379)

          While you have a point, I'd just like to point out that out-of-the-box IE is in a sandbox in Vista. Frankly, I don't even know how to run it otherwise.

          • Re:Details... (Score:5, Insightful)

            by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Friday August 08, 2008 @11:34AM (#24527347) Journal
            Well it does say "By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine." Since we know Vista ships with IE7 and the sandbox enabled we can guess from TFA that they have found a way out of the sandbox.
        • Re:Details... (Score:5, Insightful)

          by Cid Highwind (9258) on Friday August 08, 2008 @07:59AM (#24523449) Homepage

          "Properly configured" in the case of IE's sandbox means "I didn't turn off UAC". So, no, an attack that's stopped by IE sandboxing does not work on out-of-the-box Vista. It would only work on the sort of Neowin-reading "power users" who turn off security features to gain (perceived) speed and convenience.

          • Re:Details... (Score:5, Insightful)

            by sabt-pestnu (967671) on Friday August 08, 2008 @10:21AM (#24525833)

            All security measures have to account for ID-10-T errors, and "error 60" (cm in front of the screen).

            UAC might be a good theory, but it fails dramatically by either a) causing users to turn it off, or b) training them to automatically punch "accept". If the warning was exceptional, or infrequent, it would be much more effective.

            It would only work on the sort of Neowin-reading "power users" who turn off security features to gain (perceived) speed and (actual) convenience.

            There, fixed it for you.

        • Re: (Score:3, Interesting)

          by bcwright (871193)
          While this is true as far as it goes, the article claims that the exploit has "no workaround". If that's really true (and the details are too sketchy to make any kind of judgment about that), then it would appear that even a "correctly configured" machine still has some degree of vulnerability.
        • Re:Details... (Score:4, Insightful)

          by encoderer (1060616) on Friday August 08, 2008 @08:24AM (#24523767)

          I think that's the GP's point. Vista's IE settings are "correctly configured" "out-of-the-box."

          I know, I know, you have some story about how Vista totally sucks and it's personally responsible for killing 300 people in march, 1968 in the Mekong Delta....

          But, as a professional software developer, I think Vista security is actually quite good. It's easy to blast UAC if you don't care about or understand the social-engineering behind it.

      • Re:Details... (Score:5, Informative)

        by Anonymous Coward on Friday August 08, 2008 @08:31AM (#24523861)

        More details would have been nice.

        Well, ok.

        http://taossa.com/archive/bh08sotirovdowd.pdf [taossa.com]

        Here's some code for ya too

        http://taossa.com/archive/bh08sotirovdowdcode.zip [taossa.com]

        Enjoy!

        • Re:Details... (Score:5, Informative)

          by ericlondaits (32714) on Friday August 08, 2008 @08:48AM (#24524119) Homepage

          Parent's linked PDF is:

          Bypassing Browser Memory Protections
          Setting back browser security by 10 years
          Alexander Sotirov
          Mark Dowd

          it apparently is the discussed paper. Mod parent up please, it's +1 very interesting.

        • Re:Details... (Score:5, Interesting)

          by Anonymous Coward on Friday August 08, 2008 @09:45AM (#24525099)

          From reading this, it seems to me that what they published is code that, one by one, bypasses every memory protection feature on Vista. This means a process that is allowed to start, using these techniques, can get full system privileges.

          However it does still require that code be run in the first place. The document does include apparently recent exploits, for JavaScript, Flash, .NET, for recent versions of IE and Vista.

          The question is, do they work on other browsers? For example, the .NET code probably wouldn't. The JavaScript exploit relies on filling the IE heap with 100mb of code, which I'm not sure would work on Firefox.

          So the bottom line is that before, if an exploit broke through IE, it landed with user-based privileges on the system. Using this code, an exploit that breaks out of IE lands with Admin access.

      • Re:Details... (Score:5, Informative)

        by ArcherB (796902) on Friday August 08, 2008 @08:48AM (#24524129) Journal

        They also don't point out whether this breaks out of the IE sandbox or not. This makes a big difference, as if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE. More details would have been nice.

        From TFA:

        By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

        From /. Summary:

        They have attacks that let them load chosen content to a chosen location with chosen permissions.

        I think it's pretty clear that it is out of the sandbox and has full access to the backyard and house, regardless of how Vista is configured.

      • Re:Details... (Score:4, Insightful)

        by hey! (33014) on Friday August 08, 2008 @10:27AM (#24525961) Homepage Journal

        I dunno. How many times have we heard, during the discusions of sub $500 laptops, about the archetypal user who "just needs to browse the web"?

        Restricting an attack to a sandbox is, of course, a good thing, but it's not much comfort for the users for whom the sandbox is their whole world.

    • Re:Details... (Score:5, Interesting)

      by Zeinfeld (263942) on Friday August 08, 2008 @07:21AM (#24523091) Homepage
      Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

      In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.

      CF all those 'studies' that 'prove' porn is bad or watching TV turns kids into Martians or whatever. Every time that stuff hits the press the paper is 'to be published' which is a good way to prevent opponents getting in a response.

      • Re:Details... (Score:5, Insightful)

        by ShieldW0lf (601553) on Friday August 08, 2008 @07:39AM (#24523249) Journal
        Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

        In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.


        They're presenting their findings at a black hat conference this week. What makes you think they have any motivation to help MS fix it beforehand? Did it ever occur to you, as people who break security systems they think impede their own and other peoples freedom, they might, just might, have a strong motive to punish anyone who installed it and drive them off Vista?
      • by Anonymous Coward on Friday August 08, 2008 @07:58AM (#24523421)

        From TFA:
        "While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public."

        So, Microsoft is
        a.) Not currently aware of the details of the exploit and
        b.) Doesn't plan (or, apparently, want) to GET the details until the details are PUBLISHED.

        Apparently, Microsoft's "Security Response Center" has no idea that they have a window of opportunity to fix the problem BEFORE the details are in the wild. Why would we want that? Nah, we don't need to be pressing for details. We'll figure it out when our customers start screaming about exploits.

        I've thought MS was somewhat incompetent on security, but this is mind boggling.

    • Re:Details... (Score:5, Insightful)

      by adpsimpson (956630) on Friday August 08, 2008 @07:22AM (#24523099)

      I'm sure I'm not the only one who remembers running some little script [slashdot.org] with normal user privileges, and suddenly seeing the prompt change from
      user@computer:~$
      to
      root@computer:~#

      And, well, that had been around forever, apparently. And, well, it was fixed the next day.

      The moral? Horrendous, gaping security holes do exist, and are found from time to time. And they get fixed (faster in FOSS than Windows, but they still get fixed). Of course, some OSs are more equal than others when it comes to general security and user-centric design, but I just can't believe for a minute that this is some life-shattering, end of the world event for Microsoft.

    • by Concern (819622) * on Friday August 08, 2008 @07:28AM (#24523145) Journal

      Something about "Big Claims" needing "Big Evidence"?

      The "rah rah" quotes from the reporter make it sound like bullshit, even if it weren't. Without even the barest sensible explanation about what was done here, this is a non-story.

      • by KillerBob (217953) on Friday August 08, 2008 @08:02AM (#24523511)

        TFA does imply that the exploit takes advantage of an assumption at the OS level that .NET objects are automatically safe, and gives them the same privileges as the browser itself. It also says that the exploit takes advantage of a multi-homed attack using different scripting methods. Given that information, I'd venture a wild-assed guess that the exploit most likely uses JAVA and/or ActiveX to load a downloaded/forged .NET object which in turn loads arbitrary code as described.

        If there's truth to the assumption about .NET objects, then it's a monumentally stupid decision on Microsoft's behalf. But there is a (temporary) fix that can be patched into the OS by requiring a signature. Yes, those can be forged. Yes, it's a stop-gap measure. But if you require authentication from online servers (remember, this is a drive-by online exploit, so it's safe to assume that anybody who needs to validate a signature like this has Internet access), then it is an improvement until it can be fixed properly.

    • Re: (Score:3, Insightful)

      Yeah sure, they'll just publish a super-exploit so it can get posted to slashdot... that sounds like a great idea!

    • Re:Details... (Score:4, Informative)

      by lseltzer (311306) on Friday August 08, 2008 @08:44AM (#24524063)

      Go here for the actual paper and code samples. [taossa.com]

      It's a very cool paper, worth reading, but the neowin article greatly overstates matters.

  • by Anonymous Coward on Friday August 08, 2008 @07:15AM (#24523035)

    It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.

    Although I have a nagging feeling that this isn't as groundbreaking as Neowin.net makes it to be.

    • by something_wicked_thi (918168) on Friday August 08, 2008 @07:21AM (#24523095)

      I suspect you're right. Reading the article, it sounds like they have a way of using browser plugins as a way to get around the address space randomization features in Vista. That's a big deal, and it really might be as hard to patch as they claim. But address space randomization was never a silver bullet and even without it, all they've done is put is back to a Windows XP world.

      What would be interesting is if they can extend the attack to Linux, which also does a certain amount of randomization. If they can do that, then they've got a reusable, general purpose attack. But, as it stands, it certainly doesn't sound like anything too new. People have been attacking Flash, ActiveX, Java applets, and other plugins for years.

  • by VGPowerlord (621254) on Friday August 08, 2008 @07:17AM (#24523045)

    "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

    So in other words, like 80+% of the other exploits on web, the exploit only works if you use Internet Explorer?

    • by kingramon0 (411815) on Friday August 08, 2008 @07:21AM (#24523089) Homepage

      "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

      So in other words, like 80+% of the other exploits on web, the exploit only works if you use Internet Explorer?

      From TFA:

      This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System. (emphasis added)

      • by VGPowerlord (621254) on Friday August 08, 2008 @07:40AM (#24523259)

        As far as I'm aware, other browsers* don't allow "active scripting" to access the operating system unless a plug-in has been installed to do so (such as Java or Flash, and those have their own built-in restrictions).

        * "other browsers" meaning ones that aren't IE or re-branded versions of IE.

      • Re: (Score:3, Informative)

        This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System. (emphasis added)

        What kind of "active scripting" is this? I can guarantee you that Firefox's JavaScript interpreter doesn't use OS-provided libraries to run the code - that would make cross-platform consistency impossible.

        I'm sure that by "other browsers," the author of the article means browsers like Maxthon [maxthon.com] that are simply wrappers around IE. It's the same thing as saying that a bug in the Gecko rendering engine affects Galeon as well as Firefox. Many people (the article author included, apparently) can't distinguish betw

  • by dalesc (66212) on Friday August 08, 2008 @07:18AM (#24523059)

    Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

    • Re: (Score:3, Funny)

      by BitterOldGUy (1330491)

      Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

      Then Vista would really suck.

    • Re: (Score:3, Insightful)

      by spoonist (32012)
      The Microsoft Vacuum will be the very first Microsoft product that doesn't suck. Thank you. I'll be here all week.
  • by Lord Byron II (671689) on Friday August 08, 2008 @07:23AM (#24523101)

    First of all, the hack takes advantage of the way Internet Explorer handles scripting languages, implying that Firefox/Safari/Opera users are safe. Second, I can run most Windows code on my Linux machine via Wine. If Wine doesn't have this security hole (or even XP for that matter) then its perfectly reasonable to assume that a rewrite of the affected portions of Vista will provide the fix.

    To say that it's broken and can't be fixed is as much of a sure thing as saying it's secure and can't be hacked.

  • Article Text (Score:5, Informative)

    by Anonymous Coward on Friday August 08, 2008 @07:23AM (#24523107)

    This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

    Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

    While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

    According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

    While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

    These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

  • by wild_quinine (998562) on Friday August 08, 2008 @07:27AM (#24523131) Homepage
    I would treat this 'news' with a healthy dose of scepticism for now. It looks like the standard shit-talking that goes ahead of all major black-hat conferences.

    Save your Microsoft bashing for the unlikely possibility that this is even half the exploit as Dowd and Sotirov are claiming.

  • by Sir_Real (179104) on Friday August 08, 2008 @07:27AM (#24523135)

    of GRC's sensationalist "ZOMG teh Windoze is going to eat yer babies!" shatter attack nonsense?

    Yeah. That totally crippled MS...

    It's software people. SOFT. ware.

    • Re: (Score:3, Informative)

      by Sir_Real (179104)

      After reading the first paragraph of the neowin article.... Turn scripting off in your browser. It's all browser based.

  • by Dekortage (697532) on Friday August 08, 2008 @07:30AM (#24523163) Homepage

    How To Impress Girls With Browser Memory Protection Bypasses [blackhat.com].

    Game over? Sounds more like "Gentlemen, start your engines."

    • Thanks for the link.

      The abstract actually tells much more than the linked article, primarily what has been researched and found.

      The important bit is that this is not a new exploit, it's a way to make your memory corruption (stack or heap overflow, etc) exploit, if you find one, be able to work despite Vista's additional security measures.

      Similar security enhancements are present in the Linux kernel under slightly different names: Address space randomization, non-executable stack, etc. And similar tact

  • by smchris (464899) on Friday August 08, 2008 @07:35AM (#24523207)

    But what about all the _other_ great things about Vista? Like......ummm, you know.

  • by Anung_Un_Rama (929302) on Friday August 08, 2008 @07:40AM (#24523265)
    Ok, they have found an exploit that can lead to any malicious code being run on a host machine. That is pretty bad. The fact that this hole can be exploited using something as simple as JavaScript, even worse. However, I don't think this is exploit is something that cannot be defended against. Anything run on the client side must be loaded on the client first, which means you do have a chance to catch it before it is loaded. Granted, on pre-compiled objects this does present more of a challenge, but scripting exploits should be easily filtered out. It would certainly slow down page rendering, but I am sure most browsers will come up with a message allowing you to bypass any pre-rendering checks... "The page you requested contains code which, when loaded, may prove to bring your Vista operating system to it's knees. Do you wish to continue?"
  • Not surprised (Score:5, Insightful)

    by unity100 (970058) on Friday August 08, 2008 @07:42AM (#24523275) Homepage Journal
    this is what happens when you implement an extreme layer of security that can totally take over a computer, but DONT trust the computer's owners, users enough to give all power over it to them, and allow for privileged access to outside sources - be it microsoft's update servers, be it certified tech support etc.

    it is only a matter of time for any malicious third party to figure out your elaborate access scheme and get control of people's computers. because if you can do it, others can do it too.
  • Hmm... (Score:5, Interesting)

    by bhtooefr (649901) <bhtooefr&bhtooefr,org> on Friday August 08, 2008 @07:44AM (#24523291) Homepage Journal

    Looks to me more like a .NET and IE design flaw that could be easily fixed, than what this article is making it out to be. ABSOLUTE worst case is that it requires better authentication of the system's own code, which... shit, isn't that already part of Vista's security model? Just expand the scope. (Granted, THAT could break stuff.)

    And, there's even a quick and dirty fix Microsoft could do, albeit at a possible extreme performance hit.

    Sandbox .NET apps, don't trust any of the framework.

    It could break OLE horribly, but not if they do it right - and how much is old-school OLE used anyway? And, for ActiveX plugins that are also used as standalone apps (such as Adobe Reader,) just fire up a second copy of the process in the sandbox.

  • by sjonke (457707) on Friday August 08, 2008 @07:59AM (#24523455) Journal

    Hackers will get so frustrated with the repeated, "Are you sure you want root privileges?" dialogs that they'll give up.

  • by awitod (453754) on Friday August 08, 2008 @08:00AM (#24523463)
    From TFA....

    "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

    Internet Explorer (or any Common Language Runtime host) is subject to .NET's Code Access Security model. Assemblies from untrusted locations, like the Internet Zone get a very restricted set of permissions unless there is an explicit CAS policy in place to give said assemblies more permission via some form of evidence (usually a strong name or x.509 certificate).

    Security is applied based on the caller, so you can't load an untrusted assembly and elevate its priviledges by simply calling a method on a trusted component on the local machine. This is not enforced by IE (or any other host) but by the runtime itself. In order to get full trust you have to get a policy in place or somehow trick the host into thinking the source is a trusted location.

    Given his completely false assertion that "Microsoft assumes they're safe because they're .NET objects", you should discount everything else he has to say because he clearly has no reservations about making strong assertions about things he doesn't understand.

  • Neowin Plagiarists? (Score:5, Interesting)

    by awitod (453754) on Friday August 08, 2008 @08:13AM (#24523645)

    Too funny, not on is this article blog spam, it's plagiarised blog spam!

    This comment is at the bottom of their board.

    Guys: I couldn't find the editor contact info, but you've basically reposted our story from SearchSecurity.com without authorization: http://searchsecurity.techtarget.com/news/...1324395,00.html [techtarget.com] We'd like the excerpt removed immediately so we don't have to get the lawyers involved. Thank you. Eric Parizo Editor - SearchSecurity.com eparizo@techtarget.com

    nice

  • by east coast (590680) on Friday August 08, 2008 @08:16AM (#24523679)
    Put it along side the 100% unbreakable DRMs that were defeated with a Sharpie marker.
  • by HangingChad (677530) on Friday August 08, 2008 @08:23AM (#24523761) Homepage

    XP was vaunted as Microsoft's most secure operating system ever. And it was, for about a year. Then it went through several really horrible security incidents. Eventually the holes were patched and, even though XP will never be anyone's idea of a secure operating system, at least we know where XP's weaknesses are and how to mitigate them.

    So now we're finding the Vista security holes. I'm sure there will be a stretch of security horror shows and we'll figure out how to run Vista in a semi-secure fashion. At least we'll know where the vulnerabilities are.

    It's really nice running Linux when things like this come along. You can watch in a detached, slightly amused fashion. Although I'm sure our day will come.

    But not today. :)

  • by JoeD (12073) on Friday August 08, 2008 @08:27AM (#24523807) Homepage

    ... although a large part of the blame does rest with them.

    The real problem with Windows security is that there are LOTS of programs out there that will not run unless the user is an administrator.

    This is a relic of the old MS-DOS mindset, where any program could put anything anywhere on the disk that it wanted to, or mess with anything in memory that it wanted to. This attitude moved along with the coders to the Windows platform, so you have programs that try to put log files in the same directory as the executable instead of in the user's home directory. When the user calls support and asks how to fix this, the fastest way to get them off the phone is to say "run as administrator", so that's what happens.

    Microsoft's part of problem is that rather than saying "Don't do that - fix your program so it can run under a normal user account", they made it so you can run as administrator, and then tried to intercept user actions that might hose things up.

  • by jesser (77961) on Friday August 08, 2008 @08:49AM (#24524153) Homepage Journal

    This presentation was how to get around features that try to prevent exploitation of memory safety bugs [squarefree.com] in applications. The intent of these features is that even if you find a buffer overflow in Notepad, you won't be able to do anything other than make Notepad crash.

    These compiler and OS features try to disrupt the exploitation of memory safety bugs in various ways. Some work by detecting memory corruption (e.g. checking "stack cookies" before returning from a function that uses a string buffer). Others work by making it hard for an attacker to place shell code at a predictable memory address (e.g. DEP [wikipedia.org] or ASLR [wikipedia.org]).

    The presenters demonstrated clever ways to get around many of these protections, but by showing how tricky it was to do so, they actually showed how effective the protections are against applications other than web browsers. To create memory that was both under their control and marked as executable, they had to take advantage of weird behavior of .NET controls (IE-only), Flash, and Java applets. The .NET control behavior looked like a bug Microsoft could fix without breaking any controls, since it involved lying about the .NET version a control was created for. The Flash behavior (a missing compiler flag) is already being fixed. The Java issue is that all Java memory is marked as executable; I don't know how hard that would be to fix, but I imagine most Slashdot users don't have to worry about this because they have already disabled Java applets.

    I don't think this is devastating even to web browsers. I work on Firefox, and I know these protections haven't made us complacent about looking for and fixing memory safety bugs. Meanwhile, not all web browser security holes are memory safety bugs, so most browsers all have automatic update systems in place to ensure users receive new versions quickly.

    (I attended the Black Hat presentation but did not read the full paper [taossa.com].)

    • by m0i (192134) on Friday August 08, 2008 @10:03AM (#24525421) Homepage

      (I attended the Black Hat presentation but did not read the full paper [taossa.com].)

      Their conclusion (debunking the whole FA):
      In this paper we demonstrated that the memory protection mechanisms available in the latest
      versions of Windows are not always effective when it comes to preventing the exploitation of
      memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a
      good chance of being able to bypass them. Two factors contribute to this problem: the degree to
      which the browser state is controlled by the attacker; and the extensible plugin architecture of
      modern browsers.
      The internal state of the browser is determined to a large extent by the untrusted and potentially
      malicious data it processes. The complexity of HTML combined with the power of JavaScript and
      VBscript, DOM scripting, .NET, Java and Flash give the attacker an unprecedented degree of
      control over the browser process and its memory layout.
      The second factor is the open architecture of the browser, which allows third-party extensions
      and plugins to execute in the same process and with the same level of privilege. This not only
      means that any vulnerability in Flash affects the security of the entire browser, but also that a
      missing protection mechanism in a third-party DLL can enable the exploitation of vulnerabilities
      in all other browser components.
      The authors expect these problems to be addressed in future releases of Windows and browser
      plugins shipped by third parties.

  • by ThinkFr33ly (902481) on Friday August 08, 2008 @05:19PM (#24532587)

    Ok, I just read most of the actual white paper (http://taossa.com/archive/bh08sotirovdowd.pdf) and this technique requires:

    1.) A browser exploit that allows for a buffer overflow.

    2.) A .NET control or Java applet loaded into the browser's memory whose PE header has been modified to include the malicious shell code.

    Given these two things (only the 2nd of which is actually a given), you would still be constrained by Protected Mode in IE. In other words, the best you could do would be to crash the browser and maybe generate an error dialog of some sort.

    If, however, the exploit was in a component that used a broker class to facility communications with a browser plugin, and that broker class was running as the current user, then you could at least access that user's files/data. If the broker class was running as system (which none do), you could take over the machine.

    Flash is an example of a BAD, BAD plugin that has a broker class which could be used to facilitate an attack like this.

    But let me reiterate that you first need an exploit, and that exploit must be one in an existing browser plugin (basically just Flash) that has a brokering mechanism that bypasses Protected Mode.

    Without that, this doesn't do jack. Really, this is just a reliable way to defeat DEP/ASLR. Nothing more. It just makes the Flash exploit used in the hacking contest a few months back a bit more interesting. That exploit has since been patched, btw.

    This is bad, but very, very overhyped.

What this country needs is a dime that will buy a good five-cent bagel.

Working...