This week at the Black Hat Security Conference two security researchers will discuss their findings, which could completely bring Windows Vista to its knees. Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. have discovered a technique that can be used to bypass all of the memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of objects, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the operating system.
While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and that there is very little Microsoft can do to fix the problems. These attacks work differently from other security exploits: they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."
While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft operating systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Dai Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."
These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also for how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.
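ASLR and DEP on Vista are opt-in per image: the linker records the choice in the PE optional header's DllCharacteristics field (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP), so a module built without those bits loads at a predictable address or without declaring DEP support, which is what lets a component loaded into the browser serve as the kind of stepping stone the article describes. The Python below is an added example, not code from the article or from Dowd and Sotirov: it parses that field and lists the modules in a set that lack either opt-in; the module names and header bytes are constructed here for illustration.

```python
import struct

# PE optional-header DllCharacteristics bits (PE/COFF specification).
DYNAMIC_BASE = 0x0040  # image may be rebased at load time: the ASLR opt-in
NX_COMPAT = 0x0100     # image declares itself DEP-compatible

def pe_mitigations(image: bytes) -> dict:
    """Report which of ASLR/DEP a PE image opted in to. Works for PE32 and
    PE32+: DllCharacteristics sits at offset 70 of the optional header in both."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}

def unprotected_modules(modules: dict) -> list:
    """Names of modules (name -> image bytes) missing either opt-in, i.e. the
    ones that load at a predictable address or were not built for DEP."""
    return sorted(n for n, img in modules.items()
                  if not all(pe_mitigations(img).values()))

def build_header(dll_characteristics: int) -> bytes:
    """Construct a minimal header-only PE32 image for testing (not a real DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # COFF header: i386, 0 sections, 96-byte optional header, DLL characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed sample set standing in for the modules found loaded in a browser.
SAMPLE_MODULES = {
    "hardened.dll": build_header(DYNAMIC_BASE | NX_COMPAT),
    "legacy_plugin.dll": build_header(0),            # neither flag set
    "dep_only_plugin.dll": build_header(NX_COMPAT),  # DEP yes, ASLR no
}

if __name__ == "__main__":
    print("needs attention:", unprotected_modules(SAMPLE_MODULES))
```

pe_mitigations accepts the raw bytes of any PE file, so the same check can be pointed at the DLLs a browser process actually has loaded.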

Since, for the standard vulnerabilities, Vista has been shown to be the most secure.
Unfortunately this is a breakthrough.
hahahahahahaha cute
Will need more information before you can say one way or another how serious it is or isn't.
It's unclear whether they've really "defeated" ASLR or DEP. Those technologies only help protect against a very specific class of attack, and it sounds like maybe they're just talking about a different class of attack (which isn't really a huge deal in and of itself; there are tons of different kinds of attacks and vulnerabilities).
Then again, it's all speculation until they actually reveal what the heck they're talking about.
I'm sure AV/firewall software will help.
I'm not gonna sweat this.
1. Disable UAC
2. User intervention
to work in the first place.
IBM and VMware - not closest friends of MS anyway.
Nope. For the .dll to run within internet explorer, it has to be marked as safe to run...otherwise you get that nice little yellow window.
Also, IE runs by default in protected mode, hence no DLL can access anything but IE. If UAC is disabled you won't get that yellow window, nor will you get IE protected mode.
You are probably right. The article is very carefully written to hide the fact that you probably have to disable browser isolation (disable UAC and whatnot) to enable this type of exploit.
What I know is DEP is basically disabled for .NET and Java; this is because Java and .NET need to be able to compile and execute code. Of course, for .NET or Java to work on XP (or any other OS) they also have to enable code compilation and execution.
The exploit: therefore, if you can compromise the .NET or Java runtime then you can generate any code you want and execute it in the context of that runtime.
Of course this does not enable you to get around 1. UAC or 2. IE protected mode (the default).
However if you use Firefox and have disabled UAC....
Firefox doesn't use Active Scripting, that's an IE thing.
The problem is with Java and .NET, nothing to do with scripting...
Just like post number 6 says.
And I'll also worry if the system administrator uses a server to surf porn and download warez.
There, fixed.
Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?
Yeah, he has to be doing something strange to get prompts very often... I can go weeks without getting one. And OSX and *Nix do the SAME THING.
Admin accounts get UACed? Is this for real? Aren't admins supposed to do stuff without getting bitched at by the system, because we're assuming that they are competent?
It's called Admin approval mode. It causes all code under an Admin account to be executed with "Limited" privileges unless it explicitly asks for Administrative privileges at process launch.
It's proven to be a pretty good exploit mitigator thus far, for both Microsoft and 3rd party security issues.
2. Even if it does, it's a basic principle of security: if you make the security features too restricting, annoying, or unwieldy, people -will- disable them. And that makes it a flaw in that security feature, not the people disabling it.
Nope. For the .dll to run within Internet Explorer, it has to be marked as safe to run by the user, or at least has to be installed by the user... otherwise you get that nice little yellow window.
Also, IE runs by default in protected mode, hence no DLL can access anything but IE. If UAC is disabled you won't get that yellow window, nor will you get IE protected mode.
(Waits for response that says the world is going to end)
The world IS going to end now.
I don't know that the world will end, however, Humans will face an uphill battle in the years to come, if they are going to survive.
The future isn't bright, it's quite dim. No shades needed.
And that's why I got Transitions™
ROFLMAO
Funniest thing I've read all day.
They are supposed to find problems, and responsibly disclose them to the vendor. If they announce that they have found "something", then it also gets them attention, and they can still be in the vendor's good graces, by not releasing the details in a nasty "full disclosure" type situation.
Provides good job security though.
He wasn't avoiding the issue, he was asking a question. Albeit a lame one, but your retort was lamer.
Reference: http://www.nizkor.org/features/fallacies/a...-tu-quoque.html
It would be like if there were a news article about an Apple flaw, and an Apple fanboy posted "well Windows has lots of flaws, too!". It is a deflection of the issue, serving only to avoid discussion.
"lame", indeed.
"Tu Quoque" <-- It works, especially when mixed with sarcasm!
I said my view, and I asked how it will be if MS starts to run into others' products and show their bugs!?
You are free to post whatever you like. But your post was only slightly more relevant than saying "pickles are green".
In fact, it is far from being as serious as it sounds. It's not a 0day flaw!
This article forgot to say explicitly that there needs to be a known flaw in the browser (or any other software) that is ready to be exploited: what these hackers just discovered is a way to make sure the flaw is exploited "successfully" even under Vista, which was supposed to prevent every buffer overflow exploit with the help of DEP and ASLR (as opposed to Windows XP, where these kinds of flaws could always be successfully exploited).
So, what does this mean?
If you use Vista as an administrator with UAC disabled (no protected mode in IE) and there is a flaw in IE or Firefox, the flaw will be as successfully exploited as under Windows XP.
So, Windows Vista with UAC enabled and IE protected mode enabled is still more secure than Windows XP, and users are not more at risk than before.
UAC and protected mode are still efficient, so these hackers are clearly lying when they say that Vista's security systems are now completely useless, since UAC and protected mode are the two best protection features in Vista. Those that have been defeated were only minor protection features.
+1
Last edited by UAC on 08 Aug 2008 - 17:48
I reckon this is a CPU bug they're utilising. I vaguely recall an article recently about people trying to use scripting languages in the browser to do just this (sorry, I can't remember exactly where - still looking).
EDIT: Found the article at Researcher to demonstrate attack code for Intel chips
Last edited by DonC on 08 Aug 2008 - 10:19
Vista can't force its user to grow a brain.
We don't need no steenkin' sources!
Not when people can state items totally outside their realm of knowledge and try to pass it off as fact.
E.g http://www.geek.com/images/geeknews/2006Ja...01_21__full.gif
Last edited by ManMountain on 08 Aug 2008 - 23:32
"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."
leads me to believe it's a flaw in the way Windows handles .NET objects? Or a flaw in the .NET framework? Why can't you disable .NET for the Internet zone but leave it enabled for trusted sites and the local intranet? That way, if you come across a website which uses .NET and you trust the website, you add it to the safe zone?
It's software, therefore it can always be broken. It's a constant game of cat and mouse, and if anyone thought differently of ANY OS out there then basically they are an idiot.
Exploit/Fix/Exploit/Fix x infinity
Bottom line is that Vista is the most secure that Windows has ever been. This discovery does not mean everyone should immediately run out and buy a Mac.
It's definitely a crap article. It'll be interesting to see what the 'hackers' actually reveal. I'd like to see how they're going to bypass DEP, which is built into the processor. If they can do that, OSX and Linux aren't safe either.
Last edited by Fanon on 08 Aug 2008 - 21:50