
Vista's Security Rendered Completely Useless by New Exploit

FlishFun   on 08 August 2008 - 00:30 · 109 comments & 167809 views

This week at the Black Hat Security Conference, two security researchers will discuss findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of objects, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently from other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft operating systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Dai Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

These techniques are being seen as an advance that many in the security community say will have far-reaching implications, not only for Microsoft but also for how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future, and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

Link: Black Hat Security Conference
Link: How To Impress Girls With Browser Memory Protection Bypasses
Download: Example Code and Tech Paper

(1 reply) #1 EduardValencia on 08 Aug 2008 - 00:46
OK, attacks evolve like this one; that doesn't mean that MS did a bad job in security for Vista.

Since for the standard vulnerabilities Vista has shown to be the most secure.

Unfortunately this is a breakthrough.
#1.1 brent3000 on 08 Aug 2008 - 01:44
Nothing is un-hackable... MS tried and someone found a way around... MS do a good job of security... but with the 1,000s trying to hack it... stuff like this is bound to happen...
(2 replies) #2 vetMarshalus on 08 Aug 2008 - 00:53
I'm going to go cry in a corner now.
#2.1 warwagon on 08 Aug 2008 - 01:12
Aww
#2.2 EduardValencia on 08 Aug 2008 - 03:09
Use the clown hat, and look to the wall please
(1 reply) #3 abcdefg on 08 Aug 2008 - 00:57
ZOMG! But I Gotz UAC?
#3.1 Laser_iCE on 08 Aug 2008 - 22:14
(abcdefg said @ #3)
ZOMG! But I Gotz UAC?


hahahahahahaha cute
(3 replies) #4 xpgeek on 08 Aug 2008 - 01:04
Sounds pretty frighteningly serious.
#4.1 +Brandon Live on 08 Aug 2008 - 02:37
More like... sounds pretty sensational(ist) to me.
#4.2 vetmarkjensen on 08 Aug 2008 - 03:33
If true, defeating ASLR and DEP are significant. Don't know what steps must be taken to exploit, like what pre-conditions or user actions.

Will need more information before you can say one way or another how serious it is or isn't.
#4.3 +Brandon Live on 08 Aug 2008 - 04:19
(markjensen said @ #4.2)
If true, defeating ASLR and DEP are significant. Don't know what steps must be taken to exploit, like what pre-conditions or user actions.

Will need more information before you can say one way or another how serious it is or isn't.


It's unclear whether they've really "defeated" ASLR or DEP. Those technologies only help protect against a very specific class of attack, and it sounds like maybe they're just talking about a different class of attack (which isn't really a huge deal in and of itself; there are tons of different kinds of attacks and vulnerabilities).

Then again, it's all speculation until they actually reveal what the heck they're talking about.
#5 Neoauld on 08 Aug 2008 - 01:06
I think people over-exaggerate all this.
I'm sure AV/firewall software will help.
I'm not gonna sweat this.
(6 replies) #6 dhan on 08 Aug 2008 - 01:06
Why do I think that it requires
1. Disable UAC
2. User intervention
to work in the first place.

IBM and VMware - not closest friends of MS anyway.
#6.1 vetFlishFun on 08 Aug 2008 - 01:37
I'm not so sure about that, since it said "since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments." So whatever this is, it might be very, very bad.
#6.2 / -Razorfold on 08 Aug 2008 - 01:47
(FlishFun said @ #6.1)
I'm not so sure about that, since it said "since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments." So whatever this is, it might be very, very bad.


Nope. For the .dll to run within internet explorer, it has to be marked as safe to run...otherwise you get that nice little yellow window.

Also IE runs by default in protected mode, hence no dll can access anything but IE. If UAC is disabled you won't get that yellow window, and nor will you get IE protected mode.
#6.3 Deviate_X on 08 Aug 2008 - 09:19
(dhan said @ #6)
Why do I think that it requires
1. Disable UAC
2. User intervention
to work in the first place.

IBM and VMware - not closest friends of MS anyway.


You are probably right. The article is very carefully written to hide the fact that you probably have to disable browser isolation (disable UAC and whatnot) to enable this type of exploit.

What I know is DEP is basically disabled for .NET and Java; this is because Java and .NET need to be able to compile and execute code. Of course, for .NET or Java to work on XP (or any other OS), they also have to enable code compilation and execution.

The exploit: therefore, if you can compromise the .NET or Java runtime, then you can generate any code you want and execute it in the context of that runtime.

Of course this does not enable you to get around 1. UAC or 2. IE protected mode (the default).

However if you use Firefox and have disabled UAC....


#6.4 n_K on 08 Aug 2008 - 20:03
Can I just say the ISS guy is a plank and should not be entitled to an opinion; because of him they have scrapped BlackICE and screwed thousands of us others. Thanks, lamer.
#6.5 The_Decryptor on 09 Aug 2008 - 09:20
(Deviate_X said @ #6.3)
...
However if you use Firefox and have disabled UAC....

Firefox doesn't use Active Scripting, that's an IE thing.
#6.6 Deviate_X on 11 Aug 2008 - 11:17
(The_Decryptor said @ #6.5)
(Deviate_X said @ #6.3)
...
However if you use Firefox and have disabled UAC....

Firefox doesn't use Active Scripting, that's an IE thing.


The problem is with Java and .NET, nothing to do with scripting ...
#7 / -Razorfold on 08 Aug 2008 - 01:36
Lol, what an exaggeration..

Just like post number 6 says.
#8 mocax on 08 Aug 2008 - 01:52
I'll worry if the server gets compromised just by being switched on.

And I'll also worry if the system administrator uses a server to surf porn and download warez.
(5 replies) #9 Chugworth on 08 Aug 2008 - 02:04
No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people don't realize just how powerful UAC is (if used properly).
#9.1 m-p{3} on 08 Aug 2008 - 02:44
(Chugworth said @ #1)
No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people realized just how annoying UAC is (if activated).

There, fixed.
#9.2 MioTheGreat on 08 Aug 2008 - 06:11
(m-p{3} said @ #9.1)
(Chugworth said @ #1)
No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people realized just how annoying UAC is (if activated).

There, fixed.


Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?
#9.3 ViperAFK on 08 Aug 2008 - 13:51
(MioTheGreat said @ #9.2)
(m-p{3} said @ #9.1)
(Chugworth said @ #1)
No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people realized just how annoying UAC is (if activated).

There, fixed.


Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?

Yeah, he has to be doing something strange to get prompts very often... I can go weeks without getting one. And OS X and *nix do the SAME THING.
#9.4 tiagosilva29 on 09 Aug 2008 - 01:49
(MioTheGreat said @ #9.2)
Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?

Admin accounts get UACed? Is this for real? Aren't admins supposed to do stuff without getting bitched at by the system, because we're assuming that they are competent?
#9.5 MioTheGreat on 09 Aug 2008 - 02:04
(tiagosilva29 said @ #9.4)
(MioTheGreat said @ #9.2)
Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?

Admin accounts get UACed? Is this for real? Aren't admins supposed to do stuff without getting bitched at by the system, because we're assuming that they are competent?


It's called Admin approval mode. It causes all code under an Admin account to be executed with "Limited" privileges unless it explicitly asks for Administrative privileges at process launch.

It's proven to be a pretty good exploit mitigator thus far, for both Microsoft and 3rd party security issues.
(1 reply) #10 A Clockwork Lime on 08 Aug 2008 - 02:53
1. Nothing in the article states that it requires UAC to be disabled. That's an assumption on your part.

2. Even if it does, it's a basic principle of security: if you make the security features too restricting, annoying, or unwieldy, people -will- disable them. And that makes it a flaw in that security feature, not the people disabling it.
#10.1 / -Razorfold on 08 Aug 2008 - 04:23
(A Clockwork Lime said @ #10)
1. Nothing in the article states that it requires UAC to be disabled. That's an assumption on your part.

2. Even if it does, it's a basic principle of security: if you make the security features too restricting, annoying, or unwieldy, people -will- disable them. And that makes it a flaw in that security feature, not the people disabling it.


Nope. For the .dll to run within internet explorer, it has to be marked as safe to run by the user or at least has to be installed by the user...otherwise you get that nice little yellow window.

Also IE runs by default in protected mode, hence no dll can access anything but IE. If UAC is disabled you won't get that yellow window, and nor will you get IE protected mode.
(4 replies) #11 Tikitiki on 08 Aug 2008 - 03:00
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)
#11.1 vetTriliaeris on 08 Aug 2008 - 03:02
(Tikitiki said @ #11)
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)

The world IS going to end now.
#11.2 Mike Frett on 08 Aug 2008 - 03:47
(Tikitiki said @ #11)
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)


I don't know that the world will end; however, humans will face an uphill battle in the years to come, if they are going to survive.

The future isn't bright, it's quite dim. No shades needed.
#11.3 Tikitiki on 08 Aug 2008 - 04:57
(Mike Frett said @ #11.2)
(Tikitiki said @ #11)
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)


I don't know that the world will end; however, humans will face an uphill battle in the years to come, if they are going to survive.

The future isn't bright, it's quite dim. No shades needed.


And that's why I got Transitions™
#11.4 shakey_snake on 08 Aug 2008 - 05:41
(Tikitiki said @ #11.3)
And that's why I got Transitions™

ROFLMAO

Funniest thing I've read all day.
(1 reply) #12 MochiFX on 08 Aug 2008 - 05:13
i sense SkyNet . . .
#12.1 Skynetfuture on 08 Aug 2008 - 11:29
yea ^^ i am here , to end humanity hahah
(1 reply) #13 devHead on 08 Aug 2008 - 06:08
What are these highly reputable companies doing writing code to hack into Windows security features? Now they'll post their findings and how they did it, and truly bad people will start using it.
#13.1 vetmarkjensen on 08 Aug 2008 - 11:32
What are they doing??? Their jobs.

They are supposed to find problems, and responsibly disclose them to the vendor. If they announce that they have found "something", then it also gets them attention, and they can still be in the vendor's good graces, by not releasing the details in a nasty "full disclosure" type situation.
#14 Relativity_17 on 08 Aug 2008 - 06:21
What kind of security expert even thinks the phrase "That's completely game over"? It's never over.

Provides good job security though.
#15 rm20010 on 08 Aug 2008 - 06:34
Interesting. So somehow this exploit is capable of breaking out of IE's sandbox?
#16 creamhackered on 08 Aug 2008 - 06:35
Ouch, lets see the public exploit though, I bet it has heavy conditions.
(6 replies) #17 guruparan on 08 Aug 2008 - 07:44
There are literally LOTS of HOLES in IBM software too... if MS has a team to exploit those... what will happen?
#17.1 vetmarkjensen on 08 Aug 2008 - 11:33
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".
#17.2 ZombieFly on 08 Aug 2008 - 13:20
(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".


He wasn't avoiding the issue, he was asking a question. Albeit a lame one, but your retort was lamer.
#17.3 vetmarkjensen on 08 Aug 2008 - 13:40
(ZombieFly said @ #17.2)
(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".


He wasn't avoiding the issue, he was asking a question. Albeit a lame one, but your retort was lamer.
Are you not familiar with "Tu Quoque" or other logical fallacies?
Reference: http://www.nizkor.org/features/fallacies/a...-tu-quoque.html

It would be like if there were a news article about an Apple flaw, and an Apple fanboy posted "well Windows has lots of flaws, too!". It is a deflection of the issue, serving only to avoid discussion.

"lame", indeed.
#17.4 thenonhacker on 08 Aug 2008 - 15:01
(markjensen said @ #17.3)
(ZombieFly said @ #17.2)
(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".


He wasn't avoiding the issue, he was asking a question. Albeit a lame one, but your retort was lamer.
Are you not familiar with "Tu Quoque" or other logical fallacies?
Reference: http://www.nizkor.org/features/fallacies/a...-tu-quoque.html

It would be like if there were a news article about an Apple flaw, and an Apple fanboy posted "well Windows has lots of flaws, too!". It is a deflection of the issue, serving only to avoid discussion.

"lame", indeed.


"Tu Quoque" <-- It works, especially when mixed with sarcasm!
#17.5 guruparan on 08 Aug 2008 - 20:09
(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".


I said my view.. and I asked how it will be if MS starts to run into others' products and show their bugs!?
#17.6 vetmarkjensen on 08 Aug 2008 - 22:40
(guruparan said @ #17.5)
I said my view.. and I asked how it will be if MS starts to run into others' products and show their bugs!?
Your "view" was just to point to someone else. What a discussion we can have on THAT!

You are free to post whatever you like. But your post was only slightly more relevant than saying "pickles are green".
(1 reply) #18 link8506 on 08 Aug 2008 - 10:03
Wow... this news would fit perfectly in a tabloid!


In fact, it is far from being as serious as it sounds. It's not a 0-day flaw!

This article forgot to say explicitly that there needs to be a known flaw in the browser (or any other software) that is ready to be exploited: what these hackers just discovered is a way to make sure the flaw is exploited "successfully" even under Vista, which was supposed to prevent every buffer overflow exploit with the help of DEP and ASLR (as opposed to Windows XP, where this kind of flaw could always be successfully exploited).

So, what does this mean?

If you use Vista as an administrator with UAC disabled (no Protected Mode in IE), and there is a flaw in IE or Firefox, the flaw will be as successfully exploited as under Windows XP.

So, Windows Vista with UAC enabled and IE protected mode enabled is still more secure than Windows XP, and users are not more at risk than before.

UAC and Protected Mode are still efficient, so these hackers are clearly lying when they say that Vista security systems are now completely useless, since UAC and Protected Mode are the two best protection features in Vista. Those that have been defeated were only minor protection features.
#18.1 UAC on 08 Aug 2008 - 17:35
(link8506 said @ #18)
as opposed to Windows XP, where this kind of flaw could always be successfully exploited


+1

Last edited by UAC on 08 Aug 2008 - 17:48
#19 DonC on 08 Aug 2008 - 10:06
So the claims of the article are:

  • Multi-browser
  • Works with various scripting technologies
  • Could be reused on other Operating Systems
  • "load chosen content to a chosen location with chosen permissions"

I reckon this is a CPU bug they're utilising. I vaguely recall an article recently about people trying to use scripting languages in the browser to do just this (sorry, I can't remember exactly where - still looking).

EDIT: Found the article at Researcher to demonstrate attack code for Intel chips

Last edited by DonC on 08 Aug 2008 - 10:19
#20 thealexweb on 08 Aug 2008 - 10:47
Microsoft will look at the patch and fix it. Also, they say there are lots of security holes in all OSs, but how many people have ever been affected by them? If you have all the necessary security software you're pretty much safe.
(4 replies) #21 cork1958 on 08 Aug 2008 - 11:16
I told you Vista flat out sucked!!
#21.1 thealexweb on 08 Aug 2008 - 11:22
Erm, no it doesn't; all operating systems have security bugs. If you compare the number of bugs, Leopard averages more of them.
#21.2 GreyWolfSC on 08 Aug 2008 - 13:40
(cork1958 said @ #21)
I told you Vista flat out sucked!!

Vista can't force its user to grow a brain.
#21.3 ViperAFK on 08 Aug 2008 - 13:54
ugh, would you stop with the retarded anti vista spam?
#21.4 rm20010 on 08 Aug 2008 - 16:37
...
(1 reply) #22 andy2004 on 08 Aug 2008 - 11:43
Just stop using the internet, cut your internet off and it won't be a problem. Can I get Neowin delivered by post please?
#22.1 Xeta on 08 Aug 2008 - 22:28
Sign me up! *puts on tin foil hat*
(1 reply) #23 RanCorX2 on 08 Aug 2008 - 11:50
wouldn't be a problem if people didn't waste their lame lives hacking and creating viruses.
#23.1 vetmarkjensen on 08 Aug 2008 - 13:18
"If there were no malware, or malicious people, the world would sing in joyous harmony and we would all be secure."
(3 replies) #24 ManMountain on 08 Aug 2008 - 12:03
A BIOS update will render the flaw useless.
#24.1 RAID 0 on 08 Aug 2008 - 18:45
Source?
#24.2 vetmarkjensen on 08 Aug 2008 - 18:51
(RAID 0 said @ #24.1)
Source?
Aww, c'mon! This is the internet.

We don't need no steenkin' sources!

Not when people can state items totally outside their realm of knowledge and try to pass it off as fact.
#24.3 ManMountain on 08 Aug 2008 - 23:10
Was referring to the possibility that the hack circumvents the OS's safeguards via a CPU bug.

E.g http://www.geek.com/images/geeknews/2006Ja...01_21__full.gif

Last edited by ManMountain on 08 Aug 2008 - 23:32
#25 andy2004 on 08 Aug 2008 - 12:04
The more I read this article, the more it is scaremongering, and reading this part specifically:

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

leads me to believe it's a flaw in the way Windows handles .NET objects? Or a flaw in the .NET Framework? Why can't you disable .NET for the Internet zone but leave it enabled for Trusted Sites and Local Intranet? That way, if you come across a website which uses .NET and you trust the website, add it to the safe zone?
(2 replies) #26 ZombieFly on 08 Aug 2008 - 13:14
WTF. Could this article be any more sensationalist? It appears to have been written by someone who's been waiting for the day that someone breaks into Vista.

It's software, therefore it can always be broken. It's a constant game of cat and mouse and if anyone thought differently of ANY OS out there then basically they are an idiot.

Exploit/Fix/Exploit/Fix x infinity

Bottom line is that vista is the most secure that Windows has ever been. This discovery does not mean everyone should immediately run out and buy a Mac
#26.1 GreyWolfSC on 08 Aug 2008 - 13:42
(ZombieFly said @ #26)
WTF. Could this article be any more sensationalist? It appears to have been written by someone who's been waiting for the day that someone breaks into Vista.

It's software, therefore it can always be broken. It's a constant game of cat and mouse and if anyone thought differently of ANY OS out there then basically they are an idiot.

Exploit/Fix/Exploit/Fix x infinity

Bottom line is that vista is the most secure that Windows has ever been. This discovery does not mean everyone should immediately run out and buy a Mac


It's definitely a crap article. It'll be interesting to see what the 'hackers' actually reveal. I'd like to see how they're going to bypass DEP, which is built into the processor. If they can do that, OSX and Linux aren't safe either.
#26.2 vetmarkjensen on 08 Aug 2008 - 13:47
(ZombieFly said @ #26)
Bottom line is that vista is the most secure that Windows has ever been.
Agreed.

(ZombieFly said @ #26)
This discovery does not mean everyone should immediately run out and buy a Mac
No one even mentioned "Apple" or "Mac" until you did.
#27 Xenomorph on 08 Aug 2008 - 13:50
Wow, how can an article say so much, yet say so little?
(1 reply) #28 1759 on 08 Aug 2008 - 14:05
All I really saw were ActiveX, Java and .NET mentioned - not exactly new holes in Windows, and Java is just bad IMO, but ActiveX and .NET strike me as more IE technologies.
#28.1 Fanon on 08 Aug 2008 - 21:36
.NET has nothing to do with being an "IE technology", and it's very rarely ever found to have security problems.

Last edited by Fanon on 08 Aug 2008 - 21:50
(1 reply) #29 thenonhacker on 08 Aug 2008 - 15:03
* Waits for Linux Zealots to do the hard-sell *
#29.1 FrozenEclipse on 10 Aug 2008 - 00:13
The worst zealots are the XP zealots.
(3 replies) #30 +techbeck on 08 Aug 2008 - 15:17
Yea, security issue for MS. But MS is quick to make patches and updates and has been proven to be the quickest. Expect an update soon. :-)

And it's funny how all the morons come out of the woodwork and say Vista sucks because of this security flaw. If you say something sucks just because of an issue that came up, then you are really ignorant. I hope all you ignorant people do go out and buy a Mac and get rid of Vista, since Apple is only concerned about the looks of their products. Then Apple will get more market share, will be attacked more, and all of their flaws will be revealed.

Besides, it's good that people mess with Vista and discover these flaws. Once discovered, they can be fixed, which will make the OS stronger and more secure. So I hope another flaw comes out tomorrow!!
#30.1 guruparan on 08 Aug 2008 - 20:11
What "techbeck" said is good.
#30.2 thenonhacker on 09 Aug 2008 - 04:18
Evolution and Natural Selection at work here, kids! The fastest-adapting OS will end up the strongest!
#30.3 LTD on 10 Aug 2008 - 01:08
Viruses reported in the wild for OS X since 2001:

0.

You were saying?
#31 solardog on 08 Aug 2008 - 15:47
Sweet! So now I can turn off UAC.
#32 tsupersonic on 08 Aug 2008 - 17:32
How does the saying go? If it's code, it can be hacked, or something like that?

Just shows how targeted Windows is compared to Linux or Mac, because of the number of people using it...
#33 UAC on 08 Aug 2008 - 17:36
Game over??? NO!
Just keep the UAC enabled

Last edited by UAC on 08 Aug 2008 - 17:46
#34 JonathanMarston on 08 Aug 2008 - 18:05
Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.


The attack described has nothing to do with servers, and only mentions the browser as an entry-point for malicious scripting. By default, Server 2008 removes all trust from the Internet zone and will not run any scripts at all.

And as many people have already mentioned, they don't say that the attacks beat UAC or browser isolation, so basically all the regular users will still be protected, while the "power users" that disable UAC and use FireFox will be the ones at risk. Sort of ironic...
#35 Yert on 08 Aug 2008 - 18:30
I plan on reporting on this over at my blog. If it is all it says it is, then so be it. If it is a very conditional situation (i.e. requiring UAC to be turned off) or overblown in any other way, then I will rub this in everyone's faces until they stfu about Windows security. It's been fixed since XP SP2. Get over it.
(1 reply) #36 Aahz on 08 Aug 2008 - 18:33
You have to realize that the majority of news articles and headlines aren't about conveying truth and knowledge but rather about gathering hits/clicks/views/diggs.

These headlines are sensationalized in order to get this very reaction from people. This article isn't about some massive flaw that we all need to know about so much as it's about making you click on links to earn them ad revenue.
#36.1 ajua on 08 Aug 2008 - 19:33
I tend to agree with that.

I came to read the article but I found that the headline has nothing to do with the news about these exploits. The "hackers" said that they have found a way to exploit Vista but they haven't made public any proof. Yet, the poster chose the sensationalist title even when it is not clear at all if Vista's security would be compromised.

We all believe what the article and title said, but there is still no proof.

Hopefully, if what they reveal is dangerous, a fix will be issued. These are the modern software days.
#37 - Kaboose - on 08 Aug 2008 - 20:00
oh noes....
(1 reply) #38 dguido on 08 Aug 2008 - 20:21
For all the doubters out there (I'm not one of them), the original research and the slides that were presented at Black Hat are here: http://taossa.com/index.php/2008/08/07/imp...ction-bypasses/
#38.1 bluarash on 09 Aug 2008 - 20:53
We all know that this has to be true (game over for Windows) because no FUD or hype has ever come out of a black hat conference. I am still waiting for my little blue pill (no not Viagra, read below). It could happen, but I would not hold my breath.

http://en.wikipedia.org/wiki/Blue_Pill_(malware)
#39 Fanon on 08 Aug 2008 - 21:32
Java, ActiveX, and .NET objects aren't scripting languages. So what's used? Java, ActiveX, .NET objects? Or scripting languages?
#40 pS- on 09 Aug 2008 - 05:27
Wow this made front page Reddit
(9 replies) #41 LTD on 09 Aug 2008 - 12:19
Windows has been vulnerable, insecure, and virus-ridden since 1995. Like what else is new.

Last edited by LTD on 09 Aug 2008 - 13:38
#41.1 bluarash on 09 Aug 2008 - 20:48
Why has this been the case since 1995? Are you still jealous of Windows 95 after all of these years?
#41.2 FrozenEclipse on 10 Aug 2008 - 00:14
Only if some brain-dead person is using Windows. I guess that's you, LTD. You are a Mac zealot after all.
#41.3 Relativity_17 on 10 Aug 2008 - 00:37
(FrozenEclipse said @ #41.2)
Only if some brain-dead person is using Windows. I guess that's you, LTD. You are a Mac zealot after all.


I can't pass judgment until there are more details revealed. One must be thankful that not all Mac users are evangelical trolls however.
#41.4 LTD on 10 Aug 2008 - 01:03
Who said anything about Macs? Where in my post is there any Mac-related evangelism?

Windows needs reworking. Brand new architecture. Meaning little to no backwards-compatibility, like the OS-9 to OS X transition.

If a system isn't simple enough for a "brain-dead" person to use it's poorly engineered. Everything should be obvious, simple, elegant, uncluttered.

#41.5 RAID 0 on 10 Aug 2008 - 03:12
(LTD said @ #41.4)
Who said anything about Macs? Where in my post is there any Mac-related evangelism?

Windows needs reworking. Brand new architecture. Meaning little to no backwards-compatibility, like the OS-9 to OS X transition.

If a system isn't simple enough for a "brain-dead" person to use it's poorly engineered. Everything should be obvious, simple, elegant, uncluttered.


Why are you trying to make Windows like OS X? You should be happy they're so different.
#41.6 bluarash on 10 Aug 2008 - 03:14
LTD, why not just RTFM?
#41.7 MioTheGreat on 10 Aug 2008 - 03:38
(LTD said @ #41.4)
Windows needs reworking. Brand new architecture. Meaning little to no backwards-compatibility, like the OS-9 to OS X transition.


*sigh*

They already did that, a while ago with their switch from 9x to NT.

Microsoft's current position with Windows is nothing like Apple's was. NT has a lot of life left in it. OS Classic was a primitive operating system, actually quite comparable to 9x in terms of what it was lacking (Protected memory, security concepts, decent multitasking, etc.)

NT is a very solid foundation for an OS, comparable to the *nixes in terms of many ways (not architecturally, but more of a qualitative "how modern/nice is it"). Most people don't seem to realize that the vast majority of the problems encountered with Windows have very little, if anything, to do with the underpinnings of the OS itself. More often than not, the complaints given by people who think that they should make such a radical (and unnecessary!) change come from people who can't comprehend how many layers of 'stuff' there are in a modern OS.

And Vista further cements that by having replaced some of the more 'dated' systems in Windows. Architecturally, however, it's still NT, and running rock solid.

Last edited by MioTheGreat on 10 Aug 2008 - 03:45
#41.8 LTD on 10 Aug 2008 - 11:25
Fair enough.

Actually, I appreciate Mio's answer, it's food for thought.

#41.9 imis on 10 Aug 2008 - 19:22
(LTD said @ #41.4)
Who said anything about Macs? Where in my post is there any Mac-related evangelism?

Windows needs reworking. Brand new architecture. Meaning little to no backwards-compatibility, like the OS-9 to OS X transition.

If a system isn't simple enough for a "brain-dead" person to use it's poorly engineered. Everything should be obvious, simple, elegant, uncluttered.


If a system is simple enough for a "brain-dead" person to use, and if everything is obvious, simple, elegant, uncluttered, then it is not Windows or Microsoft.
We should understand it.
(1 reply) #42 franzon on 10 Aug 2008 - 09:45
#42.1 ichi on 10 Aug 2008 - 14:09
You are like 6 years late.
(3 replies) #43 Magallanes on 10 Aug 2008 - 11:42


Lol, so the first reason to change from XP to Vista is being debunked *again*.
#43.1 mel00 on 10 Aug 2008 - 16:13
(Magallanes said @ #43)


Lol, so the first reason to change from XP to Vista is being debunked *again*.


ROFLMFAO!!!!

borrow your picture:

I'm using Vista x64 but I have my beloved XP on another partition. But all the Vista ass-kissing "Vista is more secure than XP blah blah" is now rendered useless...
#43.2 / -Razorfold on 10 Aug 2008 - 19:48
Actually Vista is still more secure because this article fails to mention a few points....

1. UAC has to be disabled
2. User has to accept and run the file.

So still, without user stupidity, your post is rendered useless.
#43.3 bluarash on 10 Aug 2008 - 19:51
(mel00 said @ #43.1)
(Magallanes said @ #43)


Lol, so the first reason to change from XP to Vista is being debunked *again*.


ROFLMFAO!!!!

borrow your picture:

I'm using Vista x64 but I have my beloved XP on another partition. But all the Vista ass-kissing "Vista is more secure than XP blah blah" is now rendered useless...


Right... I really want some of what you are smoking.
(1 reply) #44 KingRocky on 10 Aug 2008 - 14:38
After reading over the original research (http://taossa.com/index.php/2008/08/07/imp...ction-bypasses/) it seems that the problem lies NOT within the operating system (sorry, Vista h8ers) but within the browser.

Modern browsers are falling all over themselves to provide more and more functionality, and all these additional capabilities are opening up the browsers to attack. I'm not sure if we can have it both ways - a secure web browser AND a browser that supports all the latest cool plug-ins, bells & whistles.

Pushing the responsibility of security onto the end-user with UAC and other schemes is NOT the answer. That just leads to user confusion.

The answer, I believe, involves de-integrating the browser from the operating system. Since the browser is the weakest link, it needs to be put in a virtual operating environment that's separate from the OS. The virtual operating environment should get ERASED every time the browser is closed. ALL add-ons (Java, ActiveX, .NET, Flash, Shockwave, etc.) should be kept inside the virtual operating environment. The OS should treat EVERY request from the browser's virtual environment as suspect - and analyze it BEFORE allowing it to execute. Code that tries to do ANYTHING outside of the protected environment should trigger an automatic purge of the environment.

We now have dual, triple and quad-core processors available to mainstream users - there's no reason we can't dedicate one of those processors to code analysis while the browser is running and another to the browser operating environment.

The price for all of this security? Reduced browser functionality and headaches for legitimate programmers. A small price to pay, in my opinion, to stop all of this madness.
#44.1 +Antaris on 11 Aug 2008 - 16:46
I do agree that browser vendors are going above and beyond what a browser's baseline functionality is, but that's the price we pay for the way the internet has evolved (in regards to popularity, functionality, and threats).

Microsoft tries to mitigate a lot of the problems by running IE in protected mode (i.e. a sandbox [not unlike your virtual OS idea] that does its best to seal any potentially malicious scripts and actions away from the OS).
#45 stevehoot on 11 Aug 2008 - 08:53
This is a very interesting article. A fair amount goes over my head, but for those who have judged without reading the paper (LTD for example - although no surprise there) you may be interested in a summary:

The paper outlines a number of application defenses in Windows XP and Windows Vista. Some of the defenses Windows uses are ones that I am aware of (DEP/NX, ASLR), and others I'm not (SafeSEH, GS).

The author is describing how these systems work and their limitations. For example, for Vista to use ASLR the application must be compiled using Visual Studio 2005 SP1 and have a flag set during the compile process - otherwise it's treated in the same way as on Windows XP. Microsoft have been careful to ensure that the binaries shipped with Vista, as well as the majority of other MS products, are set this way - thus they work with ASLR, which in turn makes the system much safer. There is no bug in ASLR - it's just that ISVs have been slow in compiling their code in this manner, so attackers can go for 3rd party applications with a reasonable chance of success in comparison to Microsoft products. This doesn't make ASLR a failure or insecure; rather, ISVs need to take advantage of it.
Additionally, Windows XP doesn't have this feature, thus putting Vista ahead by default - if only for randomising the location of system files and services (and MS apps) in memory. The reasoning behind not having ASLR on by default for all applications is application compatibility.

The same for DEP/NX. By default all system services and "opt-in" applications use DEP. However if the developer hasn't set any DEP options when compiling then DEP will not be used. This again is for compatibility reasons. This isn't a bug in DEP, but rather an effect from having an open platform where anyone can develop for it.

Again, heap spraying can be done to circumvent DEP as well through Java applications, as when allocating memory for Java objects and other data, the page permissions for the allocation are specified as readable, writable, and executable. Therefore, it is possible to perform heap spraying attacks using Java applets in a similar fashion to the standard JavaScript heap spraying technique, with the added bonus that all of the data being sprayed over memory will be executable. This isn't a failure of DEP, Vista or Windows - but an application framework flaw instead.


The example code given shows how to circumvent the technologies in Windows (XP and Vista - although Vista less so) through web technologies. For example, Flash and Java are NOT compatible with DEP or ASLR. As such, if a user accesses a Java or Flash applet then they can circumvent the DEP and ASLR technologies.

It's also worth pointing out that UAC WILL PREVENT SYSTEM PWNING - attacking memory is all well and good, but if you are overwriting memory areas that only have the permissions of IEUser (the IE sandbox with very, very few permissions - e.g. 3 folders) then the code that is trying to execute will execute with those permissions.

Additionally, the author acknowledges that some of the attacks/security circumventions cannot be done or are much, much harder to do on Vista. And as I mentioned above, the author doesn't mention UAC - but does say that the browser attacks will run in the context of the browser process.

Using Firefox? Disabled UAC? Think you're a "power user"?
Think again.

Whilst very interesting, this paper only highlights the increased security measures in Windows Vista compared to XP and reinforces that using UAC (ideally with IE7/ is the best way to secure your Windows system from attack.
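The opt-in behaviour described in the post above is recorded in each binary's PE header: the linker sets the DllCharacteristics bits IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, the /DYNAMICBASE switch) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, the /NXCOMPAT switch), and Vista only applies ASLR and DEP to images that carry them. The following audit script is an added example, not code from the article or the paper; it parses those bits from a PE32/PE32+ header and runs against two constructed minimal headers (a hardened one and a legacy one with neither flag), so it can be pointed at real ISV binaries to find the ones the post says attackers prefer.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: image may be relocated, so Vista ASLR applies
NX_COMPAT = 0x0100     # /NXCOMPAT: image opts in to DEP/NX


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                 # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                     # optional header follows COFF
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    if size_opt < 72:
        raise ValueError("optional header too short")
    (chars,) = struct.unpack_from("<H", pe, opt + 70)
    return chars


def mitigation_status(pe: bytes) -> dict:
    """Report whether the image opts in to ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT)."""
    chars = dll_characteristics(pe)
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}


def make_sample(dll_chars: int) -> bytes:
    """Constructed sample: a minimal PE32 header with no sections and the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, no timestamp/symbols, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


HARDENED = make_sample(DYNAMIC_BASE | NX_COMPAT)  # constructed: built with both switches
LEGACY = make_sample(0)                           # constructed: typical pre-Vista ISV build

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, mitigation_status(img))
```

To audit a real file, read it with `open(path, "rb").read()` and pass the bytes to `mitigation_status`; an image reporting `aslr: False` is loaded at its preferred base on Vista exactly as it would be on XP.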
