Windows Vista security 'rendered useless' by researchers

Windows Vista blown wide open:

LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
 
There wasn't much info in that article, though, to give a sense of what they did to work around it, what assumptions they are working on, or whether it could easily be fixed with an update.
 
There's also a big difference between "you visit my web page as ROOT" and "you visit my web page as a restricted user".
 
Since we are talking about security: if you go to any websites that show TV shows etc. and you get a message saying you need a new version of Flash to view the content, be careful. There is a rogue Flash installer going around; it caught me out.
 
It sounds like if you use something other than IE, the exploit won't properly work. Or did I misunderstand the article?
 
Read the paper guys. The headline is pretty sensationalist IMHO.

http://taossa.com/archive/bh08sotirovdowd.pdf

Basically they've found techniques to bypass various buffer overflow, heap corruption, no-execute, randomization, and exception-chain protections built into Vista by taking advantage of browser plugins that aren't compiled properly or that contain security bugs.

Using these techniques allows you to exploit some security holes that were previously made unusable by these protections.

The basic observation IMHO is that since the OS and browser these days are getting pretty hardened against attacks, hackers are finding it fruitful to search popular third-party plugins (QuickTime, Flash, Java, .NET, etc.) for vulnerabilities.

BTW these techniques would most likely work on any platform and browser that allows plugins like Java or Flash to run.
 
So it's a plugin hack?
Once the compromised plugin is installed, they can do what they want because the plugin is allowed to execute whatever code?

Would NoScript prevent it (assuming you have the script blocked)?
 
I've now read the paper (OK, skipped the techy code bits) & the issue as I understand it is indeed browser plugins like Flash/Java/.NET.
Not 'Vista now, maybe XP later' but 'definitely XP & to a lesser extent Vista too'.

Specifically:
  • Most plugins load automatically & start running code without questioning the user.
  • Some plugins may not be compiled to use OS level protection that needs to be opted-in at compile & so are vulnerable.
  • Plugins are not only able to execute code from the internet but ones like Flash/Java/.NET are designed/able to load code from the internet to executable memory & so bypass OS level security despite running in a 'sandbox'.

In summary: MS OS security OK, (Browser/OS handling of) plugins Bad.
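The two posts above both make the same point: ASLR and DEP on Vista are opt-in per module, via the /DYNAMICBASE and /NXCOMPAT linker flags, and a plugin built without them gives the attacker a non-randomised, executable module to build on. The following Python script is an added example (not from the paper, the article, or any of the posters) that reads the relevant bit field, DllCharacteristics in the PE optional header, and reports whether a module opted in. The two images it checks are constructed in memory (headers only, not loadable) so the script runs offline; point `scan_file` at a real plugin DLL to check one from disk.

```python
import struct

# DllCharacteristics bits from winnt.h
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE: module can be ASLR-relocated
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT: module is DEP-compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # module declares it uses no SEH handlers


def pe_mitigations(image: bytes) -> dict:
    """Parse MZ/PE headers and return which opt-in protections the image declares."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "dll_characteristics": dll_chars,
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the opt-in protections (aslr, dep) the image did NOT enable."""
    m = pe_mitigations(image)
    return [k for k in ("aslr", "dep") if not m[k]]


def scan_file(path: str) -> list:
    """Check a module on disk; returns the list of missing mitigations."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read())


def build_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed, headers-only PE image used as sample input (not a real plugin)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C          # AMD64 or I386
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened.dll": build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                 | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy_plugin.dll": build_pe(0),             # built without either flag
    }
    for name, img in samples.items():
        m = pe_mitigations(img)
        gaps = missing_mitigations(img)
        verdict = "OK" if not gaps else "missing " + ", ".join(gaps)
        print(f"{name}: DllCharacteristics=0x{m['dll_characteristics']:04x} -> {verdict}")
```

The header bit is a necessary check, not a sufficient one: a host process can still turn DEP on for everything it loads, and the second problem the posts describe (Java/Flash/.NET deliberately placing attacker-supplied code in executable memory) is invisible to any static header flag and has to be judged from the plugin's own behaviour.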
 