[Infowarrior] - Vista security 'rendered useless' by researchers
Richard Forno
rforno at infowarrior.org
Sat Aug 9 02:56:53 UTC 2008
Windows Vista security 'rendered useless' by researchers
By Dennis Fisher, Executive Editor
07 Aug 2008 | SearchSecurity.com
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html
LAS VEGAS -- Two security researchers have developed a new technique
that essentially bypasses all of the memory protection safeguards in
the Windows Vista operating system, an advance that many in the
security community say will have far-reaching implications not only
for Microsoft, but also on how the entire technology industry thinks
about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM
Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc.
will discuss the new methods they've found to get around Vista
protections such as Address Space Layout Randomization (ASLR), Data
Execution Prevention (DEP) and others by using Java, ActiveX controls
and .NET objects to load arbitrary content into Web browsers.
By taking advantage of the way that browsers, specifically Internet
Explorer, handle active scripting and .NET objects, the pair have been
able to load essentially whatever content they want into a location of
their choice on a user's machine.
Researchers who have read the paper that Dowd and Sotirov wrote on the
techniques say their work is a major breakthrough and there is little
that Microsoft can do to address the problems. The attacks themselves
are not based on any new vulnerabilities in IE or Vista, but instead
take advantage of Vista's fundamental architecture and the ways in
which Microsoft chose to protect it.
"The genius of this is that it's completely reusable," said Dino Dai
Zovi, a well-known security researcher and author. "They have attacks
that let them load chosen content to a chosen location with chosen
permissions. That's completely game over.
"What this means is that almost any vulnerability in the browser is
trivially exploitable," Dai Zovi added. "A lot of exploit defenses are
rendered useless by browsers. ASLR and hardware DEP are completely
useless against these attacks."
Many of the defenses that Microsoft added to Vista and Windows Server
2008 are designed to stop host-based attacks. ASLR, for example, is
meant to prevent attackers from predicting target memory addresses by
randomly moving things such as a process's stack, heap and libraries.
That technique is useful against memory-corruption attacks, but Dai
Zovi said that against Dowd's and Sotirov's methods, it would be of no
use.
"This stuff just takes a knife to a large part of the security mesh
Microsoft built into Vista," Dai Zovi said. "If you think about the
fact that .NET loads DLLs into the browser itself and then Microsoft
assumes they're safe because they're .NET objects, you see that
Microsoft didn't think about the idea that these could be used as
stepping stones for other attacks. This is a real tour de force."
Microsoft officials have not responded to Dowd's and Sotirov's
findings, but Mike Reavey, group manager of the Microsoft Security
Response Center, said Wednesday that the company is aware of the
research and is interested to see it once it becomes public.
Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely
on specific vulnerabilities. As a result, he said, there may soon be
similar techniques applied to other platforms or environments.
"This is not insanely technical. These two guys are capable of the
really low-level technical attacks, but this is simple and reusable,"
Dai Zovi said. "I definitely think this will get reused soon, sort of
like heap spraying was."