Vista's Security Rendered Completely Useless by New Exploit

[iinfi]

Vista's Security Rendered Completely Useless by New Exploit

Quote:

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

--------------------------------------------
These kinda stuff wows me !!
can someone let me know where to start to become a security expert. Sud i be good at networking for this. Will CCNA help?
i m an OCA looking for a DBA job n want to get into database security in the long run.
where do i start to get into security line??

[chandru.in]

Quote:

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

All this for the supposedly most secure Windows version ever made and the managed runtime claimed to be the cure for all illness. I seriously hope MS finds a way to patch this difficult vulnerability. If not we may face even more malwares than any previous version of Windows (not that Vista doesn't have any) as the article claims,

Quote:

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems

Quote:

Originally Posted by iinfi

These kinda stuff wows me !!
can someone let me know where to start to become a security expert. Sud i be good at networking for this. Will CCNA help?
i m an OCA looking for a DBA job n want to get into database security in the long run.
where do i start to get into security line??

Security skills do not come from certifications. Just networking knowledge is not enough too. You have to understand plenty of things and it is a continuously moving target as technology evolves. Few things necessary for such abilities may be,

1. Knowledge of general architecture of computers (how instructions are stroed and processed etc)
2. Strong understanding of how the particular OS (and managed runtimes like .Net Java etc.) manages memory and processes. Stuff like how it stores the stack, heap and code parts of a process.
3. And of course the TCP/IP and the underlying low-level protocols like ethernet including the TCP/IP stack implementation of the OS.

[MetalheadGautham]

Do we need yet another thread to point out another one of the holes in vista ?

[iinfi]

Quote:

Originally Posted by chandru.in

Security skills do not come from certifications. Just networking knowledge is not enough too. You have to understand plenty of things and it is a continuously moving target as technology evolves. Few things necessary for such abilities may be,

1. Knowledge of general architecture of computers (how instructions are stroed and processed etc)
2. Strong understanding of how the particular OS (and managed runtimes like .Net Java etc.) manages memory and processes. Stuff like how it stores the stack, heap and code parts of a process.
3. And of course the TCP/IP and the underlying low-level protocols like ethernet including the TCP/IP stack implementation of the OS.

thanks...
yea i know jus certifications will get me nowhere. jus wanted to tell you my background.
hmmm....
general architecture of computers .... Stuff like how it stores the stack, heap and code parts of a process....
normal java or .net books dont have such info...
sud i get a book on data structures?

[chesss]

Quote:

This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

Opera wld be immune to this (in all probability)

[MetalheadGautham]

Quote:

Originally Posted by chesss

Opera wld be immune to this (in all probability)

Firefox too

[k6153r]

This something every much expected, just like how you're damn sure that the sun is going to set, if it rises.

OFFTOPIC:
Opera is more secure than Firefox.

[naveen_reloaded]

Its always been he ie the weakest link in the armor of windows... I still dont understand why windows still integrate ie to the os...

I heard that in vista ie is separate and doesn integrate with os....

[chandru.in]

Quote:

Originally Posted by iinfi

normal java or .net books dont have such info...

Java and .Net are platforms created with hiding computer internals as their primary aim. Of course they have their uses (I love Java for developing large apps which would maintained for at least more than 5 years). But they have little value in security research and computer internals. There are few vulnerabilities which can be exploited with these but such vulnerabilities are very rare in modern software.

The right kind of books would be, C/C++ books (ones giving deep details about platform dependent quirks, pointers (esp function pointers)), Computer organization (as deep as possible), OS internals (preferably OS specific ones as they give more details than ones covering all OSes), Ethical Hacking, books with low-level details of TCP/IP and Ethernet, etc.

Good luck with your security research. Hope you can help fix complex vulnerabilities like the one in this topic soon.

[iinfi]

Quote:

Originally Posted by chandru.in

Good luck with your security research. Hope you can help fix complex vulnerabilities like the one in this topic soon.

thanks