Vista's Security Rendered Completely Useless by New Exploit

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of objects, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

Link: Black Hat Security Conference
Link: How To Impress Girls With Browser Memory Protection Bypasses
Download: Example Code and Tech Paper

Report a problem with article
Previous Story

Samsung and Microsoft work to speed up SSDs

Next Story

Nehalem to become Core i7 processor

105 Comments

Commenting is disabled on this article.

This is a very interesting article. A fair amount goes over my head, but for those who have judged without reading the paper (LTD for example - although no suprise there) you may be interested in a summary:

The paper outlines a number of application defenses in Windows XP and Windows Vista. Some of the defenses Windows uses are ones that I am aware of (DEP/NX, ASLR), and others I'm not (SafeSEH, GS).

The author is describing how these systems work and limitations of them. For example, for Vista to use ASLR the application must be compiled using Visual Studio 2005 SP1 and have a flag set during the compile process - otherwise it's treated in the same way as Windows XP. Microsoft have been careful to ensure that the binaries shipped with Vista, as well as the majority of other MS products are set this way - thus they work with ASLR which in turn makes the system much safer. There is no bug in ASLR - just ISV's have been slow in compiling their code in this manner, so attackers can go for 3rd pary applications with a reasonable chance of success in comparision to Microsoft products. This doesn't make ASLR a failure or insecure, rather ISV's needs to take advantage of it.
Additionally Windows XP doesn't have this feature thus putting Vista ahead by default - if only for randomising the location of system files and services (and MS apps) in memory. The reasoning behind not having ASLR on by default for all applications is for application compatibility reasons.

The same for DEP/NX. By default all system services and "opt-in" applications use DEP. However if the developer hasn't set any DEP options when compiling then DEP will not be used. This again is for compatibility reasons. This isn't a bug in DEP, but rather an effect from having an open platform where anyone can develop for it.

Again, Heap Spraying can be done to circumvent DEP as well through Java applications as when allocating memory for Java objects and other data, the page permissions for the allocation are specified as readable, writable, and executable. Therefore, it is possible to perform heap spraying attacks using Java applets in a simiar fashion to the standard JavaScript heap spraying technique, with the added bonus that all of the data being sprayed over memory will be executable. This isn't a failure of DEP, Vista or Windows - but an application framework flaw instead.


The example code given shows how to circumvent the technologies in Windows (XP and Vista - although Vista less so) through web technologies. For example, Flash and Java are NOT compatible with DEP or ASLR. As such, if a user access a Java or Flash applet then they can circumvent the DEP and ASLR technologies.

It's also worth pointing out that at UAC WILL PREVENT SYSTEM PWNING - attacking memory is all well and good, but if you are overwriting memory areas that only have the permission of IEUser (IE Sandbox with very, very few permissions - e.g. 3 folders) then the code that is trying to execute will execute with those permissions.

Additionally, the author acknowledges that some of the attacks/security circumventions cannot be done or are much, much harder to do on Vista. And as I mentioned above, the author doesn't mention UAC - but does say that the browser attacks will run in the context of the browser process.

Using Firefox? Disabled UAC? Think your a "power user"?
Think again.

Whilst very interesting, this paper only highlights the increased security measures in Windows Vista compared to XP and re-enforces that using UAC (ideally with IE7/8) is the best way to secure your Windows system from attack.

After reading over the original research (http://taossa.com/index.php/2008/08/07/imp...ction-bypasses/) it seems that the problem lies NOT within the operating system (sorry, Vista h8ers) but within the browser.

Modern browsers are falling all over themselves to provide more and more functionality, and all these additional capabilities are opening up the browsers to attack. I'm not sure if we can have it both ways - a secure web browser AND a browser that supports all the latest cool plug-ins, bells & whistles.

Pushing the responsibility of security onto the end-user with UAC and other schemes is NOT the answer. That just leads to user confusion.

The answer, I believe, involves de-integrating the browser from the operating system. Since the browser is the weakest link, it needs to be put in a virtual operating environment that's separate from the OS. The virtual operating environment should get ERASED every time the browser is closed. ALL add-ons (Java, ActiveX, .NET, Flash, Shockwave, etc.) should be kept inside the virtual operating environment. The OS should treat EVERY request from the browser's virtual environment as suspect - and analyze it BEFORE allowing it to execute. Code that tries to do ANYTHING outside of the protected environment should trigger an automatic purge of the environment.

We now have dual, triple and quad-core processors available to mainstream users - there's no reason we can't dedicate one of those processors to code analysis while the browser is running and another to the browser operating environment.

The price for all of this security? Reduced browser functionality and headaches for legitimate programmers. A small price to pay, in my opinion, to stop all of this madness.

I do agree that browser vendors and going above and beyond what browser's baseline functionality is, but thats the price we pay for the way the internet has evolved (in regards to popularity, functionality, and threats).

Microsft try and mitigate a lot of the problems by running IE in protected mode (i.e. a Sandbox [not unlike your virtual os idea] that does its best to seal any potentially malicous scripts and actions away from the OS).

(Magallanes said @ #43)

Lol, so the first reason to change from xp to vista is being debunked *again*.

ROFLMFAO !!!!

barrow your picture:


I'm using vista x64 but I've my belove xp another partition. But all the vista ass kissing "vista is more secure than xp blah blah" now is render useless...

Actually Vista is still more secure because this article fails to mention a few points....

1. UAC has to be disabled
2. User has to accept and run the file.

So still without user stupidity your post is rendered useless

(mel00 said @ #43.1)

ROFLMFAO !!!!

barrow your picture:


I'm using vista x64 but I've my belove xp another partition. But all the vista ass kissing "vista is more secure than xp blah blah" now is render useless...

Right... I really want some of what you are smoking.

Java, ActiveX, and .NET objects aren't scripting languages. So what's used? Java, ActiveX, .NET objects? Or scripting languages?

You have to realize that the majority of news articles and headlines aren't about conveying truth and knowledge but rather about gathering hits/clicks/views/diggs.

These headlines are sensationalized in order to get this very reaction from people. This article isn't about some massive flaw that we all need to know about so much as it's about making you click on links to earn them ad revenue.

i tend to agree with that.

I came to read the article but i found that the headline have nothing to with the news about these exploits. The "hackers" said that they have found a way to exploit Vista but they haven't made public any proof. Yet, the poster choose the sensationalist title even when is not clear at all if Vista's security would be compromised.

We all believe what the article and title said, but there is still no proof.

Hopefully, it what they reveal is dangerous, a fix will be issued. This is the modern software days.

I plan on reporting on this over at my blog. If it is all it says it is, then so be it. If it is a very conditional situation (i.e. requiring UAC to be turned off) or overblown in any other way, then I will rub this in everyone's faces until they stfu about Windows security. Its been fixed since XP SP2. Get over it.

Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

The attack described has nothing to do with servers, and only mentions the browser as an entry-point for malicious scripting. By default, Server 2008 removes all trust from the Internet zone and will not run any scripts at all.

And as many people have already mentioned, they don't say that the attacks beat UAC or browser isolation, so basically all the regular users will still be protected, while the "power users" that disable UAC and use FireFox will be the ones at risk. Sort of ironic...

how does the saying go? if it's code, it can be hacked, or something like that?

Just shows how targeted Windows is compared to Linux or Mac, because of the number of people using it...

Yea, security issue for MS. But MS is quick to make patches and updates and has been proven to be the quickest. Expect an update soon. :-)

And its funny how all the morons come out of the woodwork and say Vista sucks because of this security flaw. If you say something sucks just because of an issue that came up, then you are really ignorant. I hope all you ignorant people do go out and by a Mac and get rid of Vista since Apple is only concerned about looks of their products. Then Apple will get more market share, will be attacked more, and all of their flaws will be revealed.

Besides, its good that people mess with Vista and discover these flaws. Once discovered, they can be fixed which will make the OS stronger and more secure. So I hope another flaw comes out tomorrow!!

All I really saw were ActiveX, Java, .Net mentioned- not exactly new holes in Windows, and Java is just bad IMO, but ActiveX and .Net strike me as more IE technologies.

wtf. could this article be any more sensationalist? it appears to have been written by someone who's been waiting for the day that someone breaks into vista.

It's software, therefore it can always be broken. It's a constant game of cat and mouse and if anyone thought differently of ANY OS out there then basically they are an idiot.

Exploit/Fix/Exploit/Fix x infinity

Bottom line is that vista is the most secure that Windows has ever been. This discovery does not mean everyone should immediately run out and buy a Mac

(ZombieFly said @ #26)
wtf. could this article be any more sensationalist? it appears to have been written by someone who's been waiting for the day that someone breaks into vista.

It's software, therefore it can always be broken. It's a constant game of cat and mouse and if anyone thought differently of ANY OS out there then basically they are an idiot.

Exploit/Fix/Exploit/Fix x infinity

Bottom line is that vista is the most secure that Windows has ever been. This discovery does not mean everyone should immediately run out and buy a Mac

It's definitely a crap article. It'll be interesting to see what the 'hackers' actually reveal. I'd like to see how they're going to bypass DEP, which is built into the processor. If they can do that, OSX and Linux aren't safe either.

(ZombieFly said @ #26)
Bottom line is that vista is the most secure that Windows has ever been.
Agreed.

(ZombieFly said @ #26)
This discovery does not mean everyone should immediately run out and buy a Mac
No one even mentioned "Apple" or "Mac" until you did.

the more i read this article the more it is scaremongering, and reading this part specifically:

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

leads to me to believe its a flaw in the way windows handles .net objects ? or a flaw in the .net framework ? why cant you disable .net for internet zone but leave it enabled for trusted sites and local intranet ? that way if you come across a website which uses .net and you trust the website add it to the safe zone ?

(RAID 0 said @ #24.1)
Source?
Aww, c'mon! This is the internet.

We don't need no steenkin' sources!

Not when people can state items totally outside their realm of knowledge and try to pass it off as fact.

just stop using the internet, cut your internet off and it wont be a problem, can i get neowin delivered by post please ? :nuts:

Microsoft will look at the patch and fix it and also they say there a lots of security holes is all OSs but how many people have ever been affected by them If you have all the necessary security software your pretty much safe.

So the claims of the article are:

  • Multi-browser
  • Works with various scripting technologies
  • Could be reused on other Operating Systems
  • "load chosen content to a chosen location with chosen permissions"

I reckon this is a CPU bug they're utilising. I vaguely recall an article recently about people trying to use scripting languages in the browser to do just this (sorry, I can't remember exactly where - still looking).

EDIT: Found the article at Researcher to demonstrate attack code for Intel chips

Wow... this news would fit perfectly in a tabloid!


In fact, it is far to be as serious as it sounds like. It's not a 0day flaw!

This article forgot to say explicitely that there need to be a known flaw in the browser (or any other software) that is ready to be exploited : what these hackers just discovered is a way to make sure the flaw is exploited "successfully" even under vista which was supposed to prevent every buffer overflows exploits with the help of DEP and ASLR. (as opposite to windows xp where these kind of flaw could always be successfully exploited)

So, what does this mean?

if you use vista as an administrator with UAC disabled (no protected mode in IE), if there is a flaw in IE or Firefox, the flaw will be as successfully exploited as under Windows XP

So, Windows Vista with UAC enabled and IE protected mode enabled is still more secure than Windows XP, and users are not more at risk than before.

UAC and Protected mode are still efficient, so these hackers are clearly lying when they say that vista security systems are now completely useless since UAC and protected mode are the two best protection features in vista. Those who have been defeated were only minor protection features.

(link8506 said @ #18)
as opposite to windows xp where these kind of flaw could always be successfully exploited


+1

(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".

he wasn't avoiding the issue, he was asking a question. albeit a lame one, but your retort was lamer

(ZombieFly said @ #17.2)

he wasn't avoiding the issue, he was asking a question. albeit a lame one, but your retort was lamer

Are you not familiar with "Tu Quoque" or other logical fallacies?
Reference: http://www.nizkor.org/features/fallacies/a...-tu-quoque.html

It would be like if there were a news article about an Apple flaw, and an Apple fanboy posted "well Windows has lots of flaws, too!". It is a deflection of the issue, serving only to avoid discussion.

"lame", indeed.

(markjensen said @ #17.3)
Are you not familiar with "Tu Quoque" or other logical fallacies?
Reference: http://www.nizkor.org/features/fallacies/a...-tu-quoque.html

It would be like if there were a news article about an Apple flaw, and an Apple fanboy posted "well Windows has lots of flaws, too!". It is a deflection of the issue, serving only to avoid discussion.

"lame", indeed. :laugh:

"Tu Quoque" <-- It works, especially when mixed with sarcasm!

(markjensen said @ #17.1)
Ah, yes... The "you, too" logical fallacy. If there is a point made, avoid the issue by saying "but so-and-so has problems, too!".

I said my view..and i asked how it will be if MS starts to run into others product and show there bugs!?

(guruparan said @ #17.5)
I said my view..and i asked how it will be if MS starts to run into others product and show there bugs!?
Your "view" was just to point to someone else. What a discussion we can have on THAT!

You are free to post whatever you like. But your post was only slightly more relevant than saying "pickles are green".

What kind of security expert even thinks the phrase "That's completely game over"? It's never over.

Provides good job security though.

What are these highly reputable companies doing writing code to hack into Windows security features? Now they'll post their findings and how they did it, and truly bad people will start using it.

What are they doing??? Their jobs.

They are supposed to find problems, and responsibly disclose them to the vendor. If they announce that they have found "something", then it also gets them attention, and they can still be in the vendor's good graces, by not releasing the details in a nasty "full disclosure" type situation.

Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)

(Tikitiki said @ #11)
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)


The world IS going to end now.

(Tikitiki said @ #11)
Wow, they almost make it sound like the world is going to end.

(Waits for response that says the world is going to end)

I don't know that the world will end, however, Humans will face an uphill battle in the years to come, if they are going to survive.

The future isn't bright, it's quite dim. No shades needed.

(Mike Frett said @ #11.2)

I don't know that the world will end, however, Humans will face an uphill battle in the years to come, if they are going to survive.

The future isn't bright, it's quite dim. No shades needed.

And that's why I got Transitions™

1. Nothing in the article states that it requires UAC to be disabled. That's an assumption on your part.

2. Even if it does, it's a basic principle of security: If you make the security features too restricting, annoying, or unweildly, people -will- disable it. And that makes it a flaw in that security feature, not the people disabling it.

(A Clockwork Lime said @ #10)
1. Nothing in the article states that it requires UAC to be disabled. That's an assumption on your part.

2. Even if it does, it's a basic principle of security: If you make the security features too restricting, annoying, or unweildly, people -will- disable it. And that makes it a flaw in that security feature, not the people disabling it.

Nope. For the .dll to run within internet explorer, it has to be marked as safe to run by the user or at least has to be installed by the user...otherwise you get that nice little yellow window.

Also IE runs by default in protected mode, hence no dll can access anything but IE. If UAC is disabled you won't get that yellow window, and nor will you get IE protected mode.

No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people don't realize just how powerful UAC is (if used properly).

(Chugworth said @ #1)
No worries here. I'm running with UAC enabled, and I don't give Admin access to strange code. I think most people realized just how annoying UAC is (if activated).

There, fixed.

(m-p{3} said @ #9.1)

There, fixed.

Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?

(MioTheGreat said @ #9.2)

Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?


Yeah, He has to be doing sonethign strange to get prompts very often... I can go weeks without getting one. And OSX and *Nix do the SAME THING.

(MioTheGreat said @ #9.2)
Oh. I get it. You're one of those people who think that they're cool 'power users' because they run as Admins all the time, right?

Admin accounts get UACed? Is this for real? Aren't admins supposed to do stuff without getting bitched by the system, because were assuming that they are competent?

(tiagosilva29 said @ #9.4)

Admin accounts get UACed? Is this for real? Aren't admins supposed to do stuff without getting bitched by the system, because were assuming that they are competent?

It's called Admin approval mode. It causes all code under an Admin account to be executed with "Limited" privileges unless it explicitly asks for Administrative privileges at process launch.

It's proven to be a pretty good exploit mitigator thus far, for both Microsoft and 3rd party security issues.

I'll worry if the server gets compromised just by being switched on.

And I'll also worry if the system administrator uses a server to surf porn and download warez.

Why do I think that it requires
1. Disable UAC
2. User intervention
to work in the first place.

IBM and VMware - not closest friends of MS anyway.

I'm not so sure about that, since it said "since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments." So whatever this is, it might be very, very bad.

(FlishFun said @ #6.1)
I'm not so sure about that, since it said "since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments." So whatever this is, it might be very, very bad.

Nope. For the .dll to run within internet explorer, it has to be marked as safe to run...otherwise you get that nice little yellow window.

Also IE runs by default in protected mode, hence no dll can access anything but IE. If UAC is disabled you won't get that yellow window, and nor will you get IE protected mode.

(dhan said @ #6)
Why do I think that it requires
1. Disable UAC
2. User intervention
to work in the first place.

IBM and VMware - not closest friends of MS anyway.

You are probably right. The article is very carefully written to hide the fact that you probably have to disable browser isolation (diabale UAC and whatnot) to enable this type of exploit.

What i know is DEP is basically disabled for .NET and Java, this is because Java and .NET need to be able to compile and execute code. Of course for .net or Java to work on XP (or any other OS) they also have to also enable code compiliation and excution.

The exploit: Therefore if you can compromise the .net or java runtime then you can generate any code you want and excute that in the context of that runtime.

Of course this does not enable you to get around 1. UAC or 2. IE protected mode (the default).

However if you use Firefox and have disabled UAC....


Can I just say the ISS guy is a plank and should not be entitled to an opinion because of him they have scrapped blackICE and screwed thousands of us others, thanks lamer.

(The_Decryptor said @ #6.5)

Firefox doesn't use Active Scripting, that's an IE thing.

The problem is with java and .net nothing to do with scripting ... :suspicious:

If true, defeating ASLR and DEP are significant. Don't know what steps must be taken to exploit, like what pre-conditions or user actions.

Will need more information before you can say one way or another how serious it is or isn't.

(markjensen said @ #4.2)
If true, defeating ASLR and DEP are significant. Don't know what steps must be taken to exploit, like what pre-conditions or user actions.

Will need more information before you can say one way or another how serious it is or isn't.

It's unclear whether they've really "defeated" ASLR or DEP. Those technologies only help protected against a very specific class of attack, and it sounds like maybe they're just talking about a different class of attack (which isn't really a huge deal in of itself, there are tons of different kinds of attacks and vulnerabilities).

Then again, it's all speculation until they actually reveal what the heck they're talking about.