Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Windows

Latest EMET Bypass Targets WoW64 Windows Subsystem (threatpost.com) 125

msm1267 writes: Backwards compatibility, a necessary evil for Microsoft and its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits. Specifically in this case, researchers slid past Microsoft's Enhanced Mitigation Experience Toolkit, or EMET, a suite of more than a dozen freely available mitigations against memory attacks. The soft spot, the researchers said, is the Windows on Windows, or WoW64, Windows subsystem that allows 32-bit software to run on 64-bit Windows machines. The researchers said 80 percent of browsers in their sample size were 32-bit processes executing on a 64-bit host running WOW64, meaning they're all vulnerable to this attack.
This discussion has been archived. No new comments can be posted.

Latest EMET Bypass Targets WoW64 Windows Subsystem

Comments Filter:
  • by Anonymous Coward

    by constantly breaking the ABI.

    • by aberglas ( 991072 ) on Thursday November 05, 2015 @02:59AM (#50869129)

      Windows did something far weirder than focus on the ABI.

      The WoW64 folder holds the 32 bit DLLs while the System32 folder holds the 64bit DLLs. There is then black magic that usually redirects 32 bit applications to the different Wow64 folder.

      The idea was not binary compatibility but source compatibility. Someone in the hierarchy must have dictated that C programs must be able to be recompiled in 64bit with zero code changes. Only an MBA with zero programming background could think that this largely impossible mandate justifies permanently twisting the system with weird rules.

      Don't get me started on Program Files (X64) ...

      • by Dog-Cow ( 21281 )

        The fun with the System and System32 folders was not done for source compatibility. It was done for programs that hardcoded the path/folder name instead of querying the system for it.

        • Um, yes, that is what source compatibility is all about. Some source would have needed to be change for programs that hard coded the System32 folder name, among other things. I have never seen a non-trivial 32 bit program that could be run 64 bit without changes.

          OTOH, what about a 32 bit program that is expected to remain 32 bit. It might also have hard coded System32. And that is where weird and dangerous hacks refer some, but not other, file references to WoW64!!! One thing that is for sure is that 32

      • by lgw ( 121541 )

        The idea was not binary compatibility but source compatibility. Someone in the hierarchy must have dictated that C programs must be able to be recompiled in 64bit with zero code changes. Only an MBA with zero programming background could think that this largely impossible mandate justifies permanently twisting the system with weird rules.

        Remember Windows95? The OS that took MS from a bit player to world domination? Yeah, the entire focus of Win95, including the reason it was so unreliable, was this exact sort of compatibility between the 16-bit and 32-bit worlds. Win95 could run 16-bit shared-memory drivers in a 32-bit, protected-memory OS (not safely, but they would work).

        Backwards compatibility with 0 code changes is the entire reason anyone today has even heard of MS. Their decline started about the time they abandoned backwards comp

  • ...for legacy applications, especially true in the closed source world where simple recompiles are not possible to do lack of source. Still one would think that Microsoft would have provided protection against holes that exist in its legacy systems. Perhaps even a simple walled chroot would suffice? Very few if any honest user applications really need access to system level permissions.

    • by DrXym ( 126579 )
      Well the protection in this case is for browsers to stop shipping 32-bit only binaries when the OS is predominantly 64-bit. During the download / upgrade process, detect if the OS is 64-bit and install the 64-bit binary or at least ask the user to stop using the 32-bit binary and manually upgrade.

      I expect the main reason 32-bit has been around for so long is the extra support effort of building two binaries and some issues with plugins and suchlike. Plugins are effectively deprecated these days (and besid

  • The sandboxed web browser will keep this from happening as it will only occur virtually. Close the browser and - poof - its normal again.
    • The sandboxed web browser will keep this from happening as it will only occur virtually. Close the browser and - poof - its normal again.

      ... until a vulnerability is also found in the sandbox, which will probably be 32-bit if it's a wrapper for a 32-bit browser.

      What are the architectural reasons why Windows doesn't behave more like multi-lib on Linux? Is it just the fact that recompilation is not an option because most Windows software is closed-source? Or are these business/design decisions getting in the way, once again? Specifically I would like to know what the significant differences are between WoW64 and the implementation of mul

      • Windows does not just provide 32-bit libraries for older applications. There is a larger compatibility framework, and some of it is black box and/or unconfigurable. E.g., it transparently redirects registry and folder access to several locations for all 32-bit processes.

        Unlike multi-lib, this particular functionality is automatically included in all Windows installations, enabled by default for all executables, and configured to allow maximum backward compatibility. Microsoft's old 32-bit DLLs are there, ap

  • I assume that if you run a native 64 bit web browser, it will avoid this vulnerability. For chrome, on https://www.google.com/chrome/... [google.com] you can select "Download Chrome for another platform" to get the 64 bit version.
  • by unixisc ( 2429386 ) on Wednesday November 04, 2015 @10:51PM (#50868521)

    As it is, Windows 8 broke a lot of compatibility w/ Windows 7. There really was no reason to have a 32-bit version of either Windows 8 or 10. All win32 applications were XP applications, so all that could have simply been run on XP-Mode or Hyper-V on Windows 10 platforms.

    WoW64 should really be deleted, and only 64-bit Windows programs should be developed. VirtualPC should be brought back to Windows 10, and all win32 applications should be run only under that, and not under native win64 systems like Windows 10 or 8.

    • by Mal-2 ( 675116 ) on Wednesday November 04, 2015 @11:15PM (#50868615) Homepage Journal

      This would kill the usefulness of Windows 10 for existing games, practically all of which are 32-bit. Without remaining a strong platform for gaming, it would be difficult (to say the least) to upsell a large portion of the existing user base. I suppose you can argue that native 32-bit versions should be discontinued, but that's a totally different argument from saying that WoW64 should be discontinued.

      • Would it now? I agree with OP here. Vista should not have had 32-bit support. 32-bit should be the XP support. And as we see now, the decision to not do this is still haunting them, when there is legacy for 4 different 32-bit supported OS.

        • by Mal-2 ( 675116 )

          Then what happens to people with perfectly functional machines lacking x64 support -- run an unsupported and vulnerable XP forever? I'm personally quite glad there's a 32-bit Windows 7, or my mother's laptop would be scrap.

          • There's no reason to limp along with 32-bit hardware in late 2015. Core 2 came out in 2006 and signalled the "fast enough" era we still live in today... anything older is just wasting electricity and time.

            Schools and businesses sell off Core 2 hardware for next to nothing. Craigslist will also yield good deals.

            Your mother deserves better.

            • by Mal-2 ( 675116 )

              Thing is, she likes it. It's a ThinkPad, so I can't say I blame her for that. If there had been no replacement for 32-bit XP at the EOL for XP, she would have just gone on using it anyhow, in a defiant "why should I replace a working computer" stance. For the netbook I bought in 2009, I could deal with a switch to some flavor of Linux, but she would not.

        • Microsoft has always been big on backward compatibility. When Windows 95 was being programmed, Raymond Chen made it a personal quest to make sure every program that ran on 3.1 would run on 95.

          Had Vista been 64-bit only, with no 32-bit support, a very large amount of software would have ceased to work. As Chen put it, if you get a new OS and your old stuff fails to run, you blame the OS. If the 32-bit support was limited to running XP, the computer would need to have two full OSes loaded, and XP would

          • Somewhat apples & oranges. When Microsoft introduced Windows 95, it was an immediate migration from Windows 3.1, and there were no existing 32-bit applications (other than win32s apps like Freecell). Also, at the time, hardware was more expensive, and virtual machines hadn't caught on as a major concept: VMware was still new, and working to establish the proof of concept.

            It's very different now. I don't recall whether Vista had VirtualPC or not, but in Windows 7, the way to run native XP apps that

    • How about NO (Score:5, Insightful)

      by Sycraft-fu ( 314770 ) on Wednesday November 04, 2015 @11:52PM (#50868701)

      If you want a platform that breaks older shit, well then go ahead and find one. However many of us would like our software to keep working. WoW64 has been a great success because 32-bit apps run seamlessly and very fast. So you can just use whatever software you want. This has made widespread 64-bit adoption possible. If suddenly 80+% of your programs stop working because there's no compatibility layer, people just won't want to use it. Many, many programs these days are still 32-bit. You may not like that or agree with the choice, but it is what it is. I want to be able to run my software, I don't care about ideological purity.

      Also you might want to do your research a bit better, VirtualPC -IS- back. It's called Hyper-V now and it is MS's all encompassing virtualization solution. You can have it on the desktop all the way up to big clusters of servers.

      • Compatibility is important. But there was no need to put the 32 bit binaries in WoW64! They should have stayed in System32, and a new folder (or folders!) created for the 64bit, and then no magic registry hacks etc.

        • by Dog-Cow ( 21281 )

          Or you could do some research and find out that it was done for backwards compatibility with binary-only programs.

        • This comment doesn't seem to make much sense. It's not about where the files are placed on disk. Wow64 is a Windows subsystem to let you run 32-bit apps on 64-bit Windows. Every major OS has some layer to do this (except maybe Linux, I don't now). HP-Itanium can run HP-RISC binaries. Many AIX systems can run binaries from architectures that went out of existence before I was born. Microsoft also provides a toolkit to help you harden third-party apps if the developers of those apps haven't done so them
      • There will always be a point of discontinuity. Even at a CPU level, Intel no longer supports 16 bit compatibility for its current CPUs. Similarly, Windows too no longer runs ancient native win16 apps. It's been a while that XP has been dead, and there have been 2 OSs since before Windows 8 came in w/ the new Metro paradigm. So that was the point where 32-bit support could have been moved to sandboxes, rather than overload the code w/ all that legacy support.

        Also, 32-bit apps don't run seamlessly: I co

        • Another point I forgot to mention - resource requirements of Windows 10 have grown to 4GB, which 32-bit can't address anyway. So it makes sense to make Windows a 64-bit only OS, and define 4GB as the minimum requirement
        • Intel CPUs fully support 16-bit mode still. Look it up. What they don't support is going to VM86 while in Long Mode which leads to the old WoW system not working for 16-bit support.

          There is just no need to sandbox 32-bit support, since it works great how it is. If you are interested, go and read about how WoW64 works and how Compatibility Mode inside Long Mode (on the CPUs) works. It allows for 32-bit software to execute in a 64-bit system with no fuss, and it is something people highly value.

          Also again, do

          • 32 bit compatibility layer is a massive problem in terms of the lack of backwards compatibility w/ older 32-bit programs. Or else, I should have had no problems running an old XP based version of Adobe Acrobat on a Windows 7 system w/o bringing in XP mode.

            For win64, the market is still relatively new, so there ain't much backwards compatibility for Microsoft to worry about, so it can pretty much write what it likes. But in 32-bit, the bulk of it is the old win32 based XP compatible software, as opposed

    • uhh, please get a reality check..... For windows 10 to succeed it needs 'native' support of legacy applications, otherwise there would be no business that would adopt Windows 10..
      A LOT of business applications being used are still 32-bit (because they were developed in older languages), and porting a lot of those applications doesn't make real sense if the actual port isn't performing as good, or doesn't do anything different.. If it ain't broke, don't fix it..
      It's all to easy to just say, 'oh they should j

      • And the support would remain w/ sandboxes under VirtualPC, based on what I suggested
        • sandboxes isn't like native, it has it's limitations and especially it's another performance hit.. I buy a new computer to have the current software run faster, not to have it run slower due to sandboxing and emulation/virtualisation..
          There is nothing wrong with most 32bit applications as most applications won't need to address 64bit memoryspace anyway..
          Which doesn't mean a new application should be developed for 32bit when all your customers are running 64bit, but that's not the case, a lot of customers st

    • It would be a stupid move. The greatest advantage of Windows over other OS is exactly the ability to continue supporting legacy applications that are fundamental to a lot of people. Virtualization is an option, but it is important to note that not everyone have the computational resources required to use a VM and rarely these VMs have all the features that baremetal offers (as example, running a DirectX 9 game in a VM is currently impossible or very, very slow).
      • Such systems cannot be upgraded in the first place, and would probably remain w/ XP. What if you have an old computer w/ 256MB of RAM? There is no way Windows 10 will run on it - be it 32-bit or 64-bit. Also, the claim of legacy support the way you describe it is false: I was forced to use XP-Mode to run Acrobat 6.0 under Windows 7. Anything that can run Windows 10 can also run VirtualPC, and support 32-bit w/ that.
        • Well, why the user would migrate to Windows 7/8.1/10 in this situation? If he have only 256MB of RAM he could just continue with XP if it keeps working. And the simple fact that you can ask the system to use compatibility mode for a particular application is a valid form of support for legacy, as far as I know this way works and does not need to use a VM. And perhaps I was not clear enough, at any moment I'm saying that everybody has to migrate to Windows 10 (which is a disturbing deviation pattern of ways
          • Dammit. Fucking google translator, I meant that I would not recommend to anyone migrating to Windows 10
          • That's the point. People who have limited computing resources should not migrate. Only people who should migrate are those who have multi-core x64 CPUs w/ at least 4GB of RAM as far as 64-bit goes. For 32-bit, the most your computer can have is 2GB of RAM, and that's fine uptil Windows 7. Also, the compatibility mode you suggested did not work for me in my above example: I was forced to run a VM. Why burden an OS w/ multiple ways of running legacy stuff? Recognize that there is a cutoff point, and
            • Also, the compatibility mode you suggested did not work for me in my above example:

              Well, is well known that not all applications can run in a compatibility mode, especially applications where the really sloppy developer did stupid things like put the path to a system folder in a hardcoded way or worse. Compatibility mode it's also a more efficient way to do the job and works in almost all cases, then why create a entire emulation (the VM) with the costs that this entails?

              The point is that using a VM f
    • WoW64 should really be deleted, and only 64-bit Windows programs should be developed.

      You mean like Microsoft releasing a 64-bit DRIVER FOR ITS OWN 32-BIT ACCESS DATABASES? You can praise MS for their maintaining the ability to run legacy apps, but in some very meaningful instances, they're no different than phone companies refusing to patch Android phones just to cynically move more merch.

  • by Anonymous Coward

    I noticed Visual Studio is only 32 bit only, and defaults to making 32 bit builds. I don't think Microsoft is big on the whole 64 bit thing.

    Fun fact: your 32 bit DLLs are in syswow64 and your 64 bit ones are in system32. Legacy makes such a mess when you don't plan ahead...

    • by tlhIngan ( 30335 )

      I noticed Visual Studio is only 32 bit only, and defaults to making 32 bit builds. I don't think Microsoft is big on the whole 64 bit thing.

      That's because Microsoft believes you should just stick with 32 bit unless there's a really good reason to go 64. And they're not incorrect - there's many good reasons to stick with 32 bit - compatibility with 32 bit systems for starters (yeah, you could provide two builds, but that's two times the QA work) and other things.

      The other thing is - 32 bit has been around fo

    • by Dog-Cow ( 21281 )

      Legacy makes a mess when app developers are idiots. Which is always.

  • WoW64? (Score:3, Funny)

    by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Wednesday November 04, 2015 @11:22PM (#50868629)

    I think World of Warcraft has been a 64-bit application for quite some time now.

    Fight for your bitcoins! [coinbrawl.com]

  • There can't be that many browsers to "sample". Browsers aren't like the population of field mice in the world. You don't use a statistical process to analyze a random sample of them, then declare a ridiculous statistic like "80 percent of them". In the real world there are four or five or eight (some finite quantity). Any declaration should read something like: "five of the seven browsers examined..."

  • by Anonymous Coward

    Linux (and I assume *BSD) can run mixed mode with no problems. What's the deal?

  • "80 percent of browsers in the researchers’ sample size were 32-bit processes executing on a 64-bit host running WOW64, putting them all at risk. ref [threatpost.com]

    What were the names of these browsers with no 64-bit versions?

    "Duo Security, a cloud-based access security provider" ref [duosecurity.com]

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...