[Infowarrior] - Vista security 'rendered useless' by researchers

Richard Forno rforno at infowarrior.org
Sat Aug 9 02:56:53 UTC 2008


Windows Vista security 'rendered useless' by researchers
By Dennis Fisher, Executive Editor
07 Aug 2008 | SearchSecurity.com

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html

LAS VEGAS -- Two security researchers have developed a new technique  
that essentially bypasses all of the memory protection safeguards in  
the Windows Vista operating system, an advance that many in the  
security community say will have far-reaching implications not only  
for Microsoft, but also on how the entire technology industry thinks  
about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM  
Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc.  
will discuss the new methods they've found to get around Vista  
protections such as Address Space Layout Randomization (ASLR), Data  
Execution Prevention (DEP) and others by using Java, ActiveX controls  
and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet  
Explorer, handle active scripting and .NET objects, the pair have been  
able to load essentially whatever content they want into a location of  
their choice on a user's machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the  
techniques say their work is a major breakthrough and there is little  
that Microsoft can do to address the problems. The attacks themselves  
are not based on any new vulnerabilities in IE or Vista, but instead  
take advantage of Vista's fundamental architecture and the ways in  
which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai  
Zovi, a well-known security researcher and author. "They have attacks  
that let them load chosen content to a chosen location with chosen  
permissions. That's completely game over.

"What this means is that almost any vulnerability in the browser is  
trivially exploitable," Dai Zovi added. "A lot of exploit defenses are  
rendered useless by browsers. ASLR and hardware DEP are completely  
useless against these attacks."


Many of the defenses that Microsoft added to Vista and Windows Server  
2008 are designed to stop host-based attacks. ASLR, for example, is  
meant to prevent attackers from predicting target memory addresses by  
randomly moving things such as a process's stack, heap and libraries.  
That technique is useful against memory-corruption attacks, but Dai  
Zovi said that against Dowd's and Sotirov's methods, it would be of no  
use.

"This stuff just takes a knife to a large part of the security mesh  
Microsoft built into Vista," Dai Zovi said. "If you think about the  
fact that .NET loads DLLs into the browser itself and then Microsoft  
assumes they're safe because they're .NET objects, you see that  
Microsoft didn't think about the idea that these could be used as  
stepping stones for other attacks. This is a real tour de force."

Microsoft officials have not responded to Dowd's and Sotirov's  
findings, but Mike Reavey, group manager of the Microsoft Security  
Response Center, said Wednesday that the company is aware of the  
research and is interested to see it once it becomes public.

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely  
on specific vulnerabilities. As a result, he said, there may soon be  
similar techniques applied to other platforms or environments.

"This is not insanely technical. These two guys are capable of the  
really low-level technical attacks, but this is simple and reusable,"  
Dai Zovi said. "I definitely think this will get reused soon, sort of  
like heap spraying was."
