Is this game over for Vista security (Including Server 08)?

There is a certain conference taking place at the moment regarding security issues and vulnerabilities.

Neowin said:
"Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. "

Neowin said:
"This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

Whilst full disclosure has not been made, this cannot be validated. Regardless, it is always wise to run as a non-admin account and keep UAC switched on. I cannot imagine this exploit being able to elevate to admin privileges. I also suggest running IE in protected mode. Note: IE7 on Vista does not have DEP on by default, so you may wish to consider changing this.

My apologies for the rather sensationalist title. Seems to be all the rage these days though. It isn't actually game over as such, but it certainly does raise some serious issues that MS must address.

Here is the paper (It does not disclose the techniques - so don't think you will be able to become a haxxor by reading this).
 
Why does it make you feel more leet?

MS will probably patch this issue before full disclosure is made anyway.

Burnsy

Have you even read the paper? This is full disclosure. ASLR, DEP, stack cookies etc. are features, not bugs - they were designed by MS to work this way, the paper just exposes design faults in this. The fix in general means significant changes in kernel/compiler architecture - which can break existing software. There is no silver bullet though. Security is a cat and mouse game. Microsoft's adoption of SDL has certainly made a lot of good changes for the company recently, when previously it lagged behind other OSes on the security front.

It's a very cool paper indeed - just finished reading it myself. Much respect to the authors. Exploiting Vista/08 is still very hard, it takes much skill to develop a reliable exploit which works constantly and in different environments - not to mention the skill required to find the vuln in the first place. It's really not game over... it just makes it slightly easier.

http://blogs.zdnet.com/Bott/?p=512 has a much better non-sensationalist summary of what it was about.
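To make the "features, not bugs" point above concrete, here is an added example (written for this page, not taken from the Dowd/Sotirov paper or from anyone in this thread) that simulates what a /GS stack cookie does and does not catch. The frame layout, the cookie value and the caller address are all assumptions chosen for a deterministic demo; a real /GS build randomises the cookie per process and the compiler inserts the check in the function epilogue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame laid out the way /GS arranges it: the character
 * buffer sits below the cookie, and the cookie sits just below the saved
 * return address, so a linear overflow must cross the cookie to reach it. */
struct frame {
    char      buf[16];
    uint32_t  cookie;
    uintptr_t saved_ret;
};

/* In a real /GS binary the cookie is randomised per process at start-up;
 * a fixed value is assumed here so the simulation is deterministic. */
static const uint32_t  SECRET_COOKIE = 0xC0DECAFEu;
static const uintptr_t ORIGINAL_RET  = 0x00401000u; /* assumed caller address */

/* The bug: copies attacker-controlled bytes into the frame with no bounds
 * check. The copy is clamped to the frame size only so the simulation stays
 * well-defined C; the overflow into cookie and saved_ret is the point. */
static void vulnerable_copy(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* The epilogue check the compiler inserts: cookie intact means return is safe. */
static int gs_check(const struct frame *f)
{
    return f->cookie == SECRET_COOKIE;
}

/* Runs one input through the simulated function.
 * Returns 0 if control returns to the original caller,
 *         1 if the cookie check fires (real /GS calls __report_gsfailure and
 *           terminates the process before the corrupted return is used),
 *         2 if control would transfer to an attacker-supplied address. */
static int run(const unsigned char *in, size_t n, int with_cookie)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.cookie    = SECRET_COOKIE;
    f.saved_ret = ORIGINAL_RET;

    vulnerable_copy(&f, in, n);

    if (with_cookie && !gs_check(&f))
        return 1;
    return f.saved_ret == ORIGINAL_RET ? 0 : 2;
}

/* Constructed inputs: a short benign string, and an overflow of
 * sizeof(struct frame) bytes of 'A' that runs over the cookie and the
 * saved return address. */
int demo(int overflow, int with_cookie)
{
    unsigned char in[sizeof(struct frame)];
    size_t n;
    if (overflow) {
        n = sizeof in;
        memset(in, 'A', n);
    } else {
        n = 5;
        memcpy(in, "hello", n);
    }
    return run(in, n, with_cookie);
}

int main(void)
{
    printf("benign,   no cookie: %d\n", demo(0, 0));
    printf("benign,   /GS:       %d\n", demo(0, 1));
    printf("overflow, no cookie: %d\n", demo(1, 0));
    printf("overflow, /GS:       %d\n", demo(1, 1));
    return 0;
}
```

The benign input returns 0 either way; the overflow returns 2 without the cookie (control goes to 0x41414141...) and 1 with it (the check fires first). What the simulation also shows by omission is the design limit the thread is arguing about: the cookie only guards the path through the saved return address. A write that lands entirely below the cookie, or a single arbitrary pointer write that skips over it, is never seen by gs_check, which is why bypasses of this kind are weaknesses in the mitigation's design rather than bugs in its implementation.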


As I mentioned above, it's not about one specific vulnerability, it's about developing reliable exploits/bypassing security features which were added to make exploitation harder in the first place. Some of this stuff has been around a while, Dowd and Sotirov just pushed the boundaries further and pioneered a few new (cool) techniques. FWIW, if you search NtRaiseHardError exploit you will find just one of the public privilege escalation exploits (now patched) which could quite easily break you out of the IE7 sandbox. Who knows what is non-public... =)
 
So, worst case scenario, it'll make Vista as insecure as Windows XP. No big loss there.

Somehow I sense this story has been blown out of proportion as usual though.
 

Just the goal posts have moved slightly, so new methods need to be used/invented (like this paper for example). Vista aims to be more secure and most people would agree it is, myself included =)

The media always blows security news out of proportion. The DNS vulnerability discovered recently (also talked about at the same conf that paper was at) - http://www.theregister.co.uk/2008/08/06/kaminsky_black_hat/ could have been (still is perhaps...) far worse.
 
This is one reason I think MS should be allowed to force-install some Windows updates. If they trickle-fed the updates at, say, 5 KB/s and installed them at low priority, you wouldn't even notice.
 
That could be potentially catastrophic. We have had several issues in the past where patches have broken other components - we picked these up because we have a staggered deployment cycle (development followed by test followed by live) and could work around/fix/wait accordingly - much like pretty much all large enterprises. If MS deployed patches at their discretion, then it would render the testing process pointless, as our production boxes would have been broken at the same time as our dev boxes.

Not to mention the reboots that are required post deployment, which have to be performed in a controlled manner in our environments.

Anyway, I'm off to read the doc... I was supposed to be at Black Hat & DefCon but something came up so I ended up going on holiday instead.
 
Cool, I'm there next year myself. Las Vegas rocks :p

Just got back from BH & DefCon....and you are right, Vegas rocks!
Dan Kaminsky's (or however you spell it) spot at BH was packed out and, as ever, he was very enthusiastic when explaining the DNS vulnerabilities he found.

DefCon I just found veeeeery strange... people who, to me, were the typical geeks behind keyboards for 99% of the time, and then they bring their white-skinned selves to Vegas and 40+ degree heat!!

Saying that, the DefCon badge is quite neat!

M.
 