This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, “the genius of this is that it’s completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.“
this news is pure .FUD.
Why exactly is it FUD, what makes it FUD. Seems perfectly valid to me if you actually read it all the way through and not skim the article.
How so. I understand exactly what they’re talking about, and while it’s not presented very well, it’s basically correct. It basically just makes an end-run around ASLR and uses the kernel to overwrite blocks of memory (including the kernel itself) and execute whatever it is. The exploit is really one of the fundamental model of the kernel’s operation rather than any particular application or system.
I suppose it could be FUD if you thought that the exploit wasn’t an intentional design decision. I’m not sure it is.
Either way, I suppose it’s not so important as Vista’s probably not going to gain sufficient traction for it to matter. They either fix it in Win7, or it will be irrelevant post-Win7 (which I’m guessing is the end of the line for NT-based kernels, if not the “Windows” brand).
Sorry to steal the thread, but would be nice if OSNews links the original story from Techtarget/SearchSecurity as it seems like Neowin stole the story without attribution.
Neowin also removed the comments on the story which gave them away, as if the Internet could be fooled that easily!
Original:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gc…
Edit:
Link to PDF with more details:
http://taossa.com/archive/bh08sotirovdowd.pdf
( taken this from /. )
Edited 2008-08-08 14:47 UTC
Not so much FUD as a demonstration of Fudd’s First Law of Opposition (“If you push something hard enough, it will fall over”).
Windows is fundamentally a single-user, “I own the computer” operating system with multiple layers of kludges piled on top of this core. Unix-based OS’s are fundamentally multi-user operating systems where “I only own my home directory”. Any layers built on top of Unix-like OS’s fundamentally secure core are “tightening” and “strengthening” measures. The layers built on top of Windows’ insecure core are mere prayers.
It is time to do what Mac did, and bite the bullet and replace the insecure core.
All else is FUD and Flame.
EDIT: Punctuation
Edited 2008-08-08 13:59 UTC
The problem with Windows security has nothing to do with the core of the OS. It has to do with the core of MS themselves. MS has trained ISVs and their users to rely on having admin rights even when those rights are not necessary and are actually a detriment to the stability of their system. Windows has a more fine grained permission system than the *nixes but no one uses them. MS tried to rectify the issue with the AUC thing but because of the type of access most application are asking due to laziness, it fails in so many ways. It becomes annoying and instead of helping security it actually hurts because now the OS has trained users to ignore warnings. I think Ubuntu and OSX handle this much better.
I’m a linux and Mac, this is just my preference. However I do think that Windows gets a lot of flack for MS lack of balls when it comes to telling 3rd party developers to get their damn act together and also for not training uses properly from the get go. Something that Apple and Linux distros have been doing for years.
For those who believe Windows to be a multi-user system at the core, log into you Windows box twice as the same user – i.e., run two simultaneous sessions as the same user. Are you there yet? Even different users being logged in at the same time is done with “fast-user switching”. The multi-user OS is an illusion. It is a hobby OS meant to keep track of your CD’s and home checkbook. The current web-connected computer was not envisioned when it was created. Meanwhile, Unix was serving 1000’s of simultaneous user sessions on a single box. Security was paramount from early on. I agree that Microsoft has done a pretty good job of bolting on fine-grained permissions, etc. with the NT kernel. But no matter how you spin it, processes in the Windows world “long to be free” and by nature tend to take over the computer. Only a massive harness-and-strap framework like we see in the Vista OS can try to prevent these processes from running wild. But just like “life” in the first Jurassic Park movie, they always find a way.
Now lets quit arguing, grab a nice BSD kernel, toss a few bucks at the kernel devs, close it all up for profit, and get to crackin’ on that shiny new Winders!
It’s an intentional limitation in the customer versions of Windows. Windows Server can easily host multiple sessions with Terminal Services.
The multi-user architecture is definitely there. It’s quite misused though.
I am looking for the day when that single box hosts so many connections with fully-featured GUIs. Joe Sixpack doesn’t want to work with consoles.
Sorry to disappoint you, man… but this is pretty old news: http://linuxgazette.net/124/smith.html
Actually if you remote access a Unix or Linux server you can then use X (You can use x11vnc)
So yes if your Linux server or Unix server can handle it you could run 1000 copies of Gnome or KDE as users. Its how the Linux terminal server project works.
Oh and you don’t have to pay for a ton of licenses to do that (Unlike you do in Windows)
Another designed-in limitation of Windows … you can’t have more than one user simultaneously logged-in, even though the OS is designed to support it, because … Microsoft wants to charge you a bootload more money for the same code if you want multiple users logged in?
Typical.
What a rip-off.
Most OSes have been true multi-user for forty years or more.
http://en.wikipedia.org/wiki/Multics
Uh?
I’ve got ~10 active VNC sessions and ~10-20 active X connections on a single 2×2 Opteron machine.
The VNC desktops are running KDE and GNOME. (Depending on user preference).
Oh… and the sessions are being used for software development – read: people write code, compile and debug on this machine simultaneously.
We tried the same on the same machine with 2K3 terminal and the results were abysmal.
– Gilboa
Edited 2008-08-09 12:55 UTC
For those who believe Windows to be a multi-user system at the core, log into you Windows box twice as the same user – i.e., run two simultaneous sessions as the same user. Are you there yet?
No problem. Log into the workstation and hit the Run command off the start menu, use RunAs to launch any program you want with the same account. Done.
Even different users being logged in at the same time is done with “fast-user switching”.
fast-user switching is only used for multiple logins at the local console. You can connect multiple users remotely including the loading of their entire user profile and desktop without fast user switching. On XP you’ll need to hack a DLL as MS imposed an artificial limitation to protect terminal services licenses but the OS is otherwise fully capable of it.
The multi-user OS is an illusion.
Really? Sure seems to work with thousands of users at the company I work for.
It is a hobby OS meant to keep track of your CD’s and home checkbook. The current web-connected computer was not envisioned when it was created.
The current web connected computer was not envisioned when any of our operating systems in use today were created. NONE of them. They have all had to undergo changes in order to handle todays connected world.
I agree that Microsoft has done a pretty good job of bolting on fine-grained permissions, etc. with the NT kernel.
They’ve been there since the first release of NT, included as part of the original design. It was the home user market moving to NT largely with XP and Microsoft touting the mindset that the user is the administrator that has created a large part of the mess we experience on windows.
Just to address the fine grained security you mentioned; there is also the obvious issue of complexity. Its all very nice having things incredibly fine grained, but through this complexity there are the obvious possibility of accidental misconfiguration. There is a line where one can be too flexible to the point that it can be detrimental to the health of the system
Regarding the BSD; I’d love to see a BSD Core + Amiga GUI, then I would be a happy camper. I’d move to it immediately. Too bad its a pipe dream given the lack of backbone Microsoft has when making decisions. Rather then being decisive like Steve Jobs, they remind me of my grandma as to whether she should buy loose leaf tea now or wait next week to see whether it is on special the following week.
Someone needs to have the backbone to stand up, make a grand vision for the whole company, and push it towards that goal – and those who stand in the way because of internal politics are given some cash, a pat on the bum, shown the door and told “best of luck in an economic down turn”.
Edited 2008-08-09 04:05 UTC
WRONG!
Windows security is built-in the kernel.
And I assume you have read the Windows kernel source code to verify this? Oh wait…
I’m not calling you a liar by any means, but saying stuff like these is pointless as nobody here can prove it.
Ummm? How can security be -outside- the kernel?
I’d really suggest you read the -available- documentation on the Windows kernel (E.g. DDK, MSDN, etc) before making such clueless comment.
– Gilboa
“Windows has a more fine grained permission system than the *nixes but no one uses them.”
No one?
I don’t think so.
Almost all IT and system administrators apply them.
If you apply Read Write and Execute Permissions to a root folder and a user deletes it you would understand why it should be done.
There are 2 different types of permissions:
1. Share Permissions
2. NTFS (or file system) permissions
Windows has more permissions control than Unix, which is true and windows is better in this regard but windows is vulnerable (and buggy recently).
The simple problem is this; when Microsoft don’t even code to the standards, how can things improve? I remember when Windows Terminal Services was released and the number of Microsoft applications that broke because they were never designed to run in that way.
Office 2003 on Vista being a recent example of when the licence ‘accept/decline’ keeps coming up because the settings aren’t saved to a global location – why wasn’t the installer right at the beginning put into administration mode so that all the necessary system wide things are set – such as accepting the licence?
But this goes beyond just mere security. Windows Vista, for example, not a single application bundled with it uses the new API’s like WPF. Heck, there is still the font dialogue using widgets from circa Win 3.x; not a single bundled application are using the new and safe API calls that have been known about when Microsoft did the bit Windows XP SP2 development.
Microsoft needs to lead by example and start ensuring their own products actually work properly instead of getting up and lecturing the world on how ‘third parties’ were ‘slow to release drivers/software’. It looks pretty stupid when an operating system vendor who has the operating system at their disposal, that they can’t get their middleware functioning right on it. If they can’t get it right, with the Windows source code and documentation in front of them – how on earth can the third parties get it correct?
Your post is very inaccurate. Windows (NT based versions) are inherently multi-user. Each user has their own home directory in windows as well. And security is also very tight because the user can only write to their home directory.
The problem is that most people are habitual of running windows as Administrator. This was the decision made by Microsoft to make Administrator as the default users for people migrating from Windows 9x.
These problems are due to business decisions as Microsoft doesn’t want to alienate users by forcing them to run as limited user which would mean educating users on the difference between normal user account and administrator etc etc.
It is a tough problem to solve. You either bite the bullet and let users complain or you do something like UAC and still users complain or you do nothing and then users complain about security (or lack of it).
Users aren’t just running as administrator out of habit; many programs just won’t run correctly otherwise.
We usually run Linux on occasion, but once in a rare while I’ll boot up Windows to do something or other. For example, my daughter was given a game for her birthday, so I booted up Windows to try it out. Turns out that I had to make my six-year-old girl an administrator if she wanted to play the game!
So while the architects did a good job on the core system, common practices force users to turn off the security.
A nice workaround to giving someone admin rights just to run a game is using Sandboxie (http://sandboxie.com) to sandbox the game.
I recently used this to run Return to castle Wolfenstein with a regular user account as it wanted to change some files for which admin rights were needed.
Get a registered version and you can sandbox each program seperately and an added bonus might be that each player has their own savegames.
Well installing anything, even a game should require an admin account. There are dll files that get installed sometimes and sometimes changes to the registry. The same applies to most Linux and OSX apps. The issue I see with windows is when Ix install an app and log in as a non-admin user and get all these errors when I log in about not having permission to run my apps because they need admin rights. There shouldn’t be any apps requiring admin rights unless they are making system wide changes.
people are always installing and trying out new software. They won’t like to switch in and out of admin, even if everything works in limited user mode. So take the sudo approach and enter your password every time you want to change the system.
Unfortunately not quite true…
Windows has permissions on several directories including the root of the disk that allow anyone to create files and folders, these are done with the so-called owner account.
I have to remove these permissions on terminal servers because they still allow users to install programs that don’t use the Windows installers.
Only after this is done can users forget about writing anywhere but their own profile directory.
Windows has permissions on several directories including the root of the disk that allow anyone to create files and folders, these are done with the so-called owner account.
please check it again
on my pc (no permissions changed) root is only writeable by the administrator and the system itself. normal users can only read from it, and guests can’t even see it’s content.
Exactly how is Windows (or NT) considered multi-user when all it takes is Power User permissions (maybe less) to be able to access anyone else’s home folder on the PC?
Because that’s how the permissions and ACLs in Windows are set up by default.
Look, just because German car manufacturers have a gentlemen’s agreement to limit their cars at 250kph doesn’t mean German cars can’t go faster than 250kph.
The comments to this story make it abundantly clear – once again – just how much Microsoft has completely squandered the NT design, completely ignoring all the potential it had. My god Dave Cutler must be SO pissed off about all this.
ACL’s in Windows are powerful but complicated and also not used often or proper.
Linux permissions are pretty straight forward and easy to use. Maybe not as encompassing as in Windows but pretty easy to figure out and use.
Basic Linux permissions are indeed simpler and not as encompassing as Windows permissions … but you can very easily extend Linux beyond the basic security.
http://en.wikipedia.org/wiki/SELinux
http://en.wikipedia.org/wiki/AppArmor
A number of popular Linux distributions now include these added levels of security. RedHat uses SELinux, and SuSe and Ubuntu include AppArmor.
The most important aspect here is however that userland applications in Linux are designed to be run at low levels of permissions.
Charge $1500 for $400 worth of hardware?
No, charge 400 for 50 dollars worth of hardware and a $75 Windows license. LOL!
Mr. Sucks,
I regret to inform you that your screenname is pure slander, as everyone knows that Windows does not “sucks”. As such, you are in violation of AOL’s Terms of Service agreement and, which has forced me to report you to AOL(tm)’s TOS(tm) enforcement department.
HTH!
Pure crap
I’m going to say it as much a penguin as I am.
Let it be true, once and for all so that Microsoft may say ” Okay, we give up, it’s shyte, use XP till we are out with Midori or Windows 7″.
They are wasting energies on a project that NOBODY wants.
Companies does not use it ( The one for which I work sent a memorandum in which they , in short , say that they would prefer to be castrated by mean of a duster)
User refuse to even install cracked copies and start smuggling XPs instead.
And Microsoft? Instead of listening to the moans tries to force people to install saying it will stop XP ( which they never do and Dell says they are positive they will still have XP till 2010)and starts campaigns like Mojave.
This is absolutely ridiculous coming from a company that has enough estimated cash amount that it could live on at least five years without doing nothing.
I do not like Microsoft, I do fight them as much as I can, but this is beyond being funny and is getting embarassing.
take an advice from a trusted enemy of yours Bill.
Sometimes you have to admit errors.
Go there, do it, lose a couple of million dollars on the NASDAQ and then get all the guys that waste time in fixing the dog and go full steam on Windows 7 or Midori.
Honestly yours
You fail at English.
I for one welcome our spelling-police overlords
You surely fail miserably at Swedish, French, Spanish or whatever the mother language of the original poster was. You might even fail at English too, come to think of it, if you ever chose to blind us with your science.
Maybe so – but I don’t choose to attempt posting poorly thought out rants in a language other than my own. Futhermore, I highly doubt the original poster’s post would have made any sense in their native language.
From my parent’s basement, I stab at thee!
Güindous and security can not be placed in a single sentence… unless you’re saying Güindous security is crap, of course.
This article forgot to say explicitely that there need to be a known flaw in the browser (or any other software) that is ready to be exploited : what these hackers just discovered is a way to make sure the flaw is exploited “successfully” even under vista which was supposed to prevent every buffer overflows exploits with the help of DEP and ASLR. (as opposite to windows xp where these kind of flaw could always be successfully exploited)
Edited 2008-08-08 14:26 UTC
Explain to us how it’s completely normal for a browser to be able to bypass all the security of an OS.
Edited 2008-08-08 16:41 UTC
1. you need to find an unpatched flaw in your browser
2. you need to use a 3rd party plug-in such as flash and java which are not compiled with ASLR memory protections.
But the OS security is not compromized because you have the UAC enabled by default and so the malicious code will run with fewer privileges, it can’t damage the OS (as opposite to xp where the malicious code will run with administrator privileges by default)
Edited 2008-08-09 08:47 UTC
I’m not going to pretend that I know what a FUD is, but I do know that the more Microsoft screws up, the more momentum Linux and MacOS gain. I honestly think that Microsoft is digging themselves a hole that they wont be able to get out of unless they start doing something now. With the promises of Snow Leopard, and the success of Ubuntu, Suse, Red Hat, and with the recent push from IBM to eliminate windows in the corporate work place, Microsoft is going to need to take drastic measures. I’m not talking about trying to fix what they have already made, I am talking a rebuild from the ground up like they intended to do with Vista from the get go.
http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt
(…et facta est lux)
1. They indicate that this works in browsers other than IE, but don’t say if this expoit is a drive-by install or do you have to give it permission to run something?
2. Does this thing work on Vista if you’re not running as Aministrator?
As far as I can tell…
1. Vista was marketed as having lots of shiny new security features that meant if someone found a vulnerability, they wouldn’t be able to use it as a working exploit.
This research shows that once a vulnerability has been found, the extra protections offered by Vista/XPsp3 etc.. can be disabled.
2. Yes
According to everything I have read it does not depend on a vulnerability
“It currently isn’t known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.”
So it looks as if all you have to do is get a user to run something like a rouge active X control or other scripting function and you are good!
This is BAD, real BAD!
(Edit for spelling)
Edited 2008-08-09 01:15 UTC
older operating systems have NOT these extra memory protections, in XP every flaw is always exploitable!
Edited 2008-08-09 08:25 UTC
This is not true. XP SP2 introduced Data Execution Prevention although it is only enabled on a few applications by default.
Is this a COM thing? The article was sort of vague
More information is still needed to understand how serious this new exploit is and could be to fix.
Anyway, basically this is nothing new and I guess other new kind of security threats, exploits and holes will be revealed again and again in the future too.
These kind of continuous security problems that many operating systems have make me admire and like the approach that OpenBSD has for security. Maybe they are (even too?) extreme in it, but most other operating systems would do wisely to learn from them anyway.
We are living in a connected network world nowadays and network security should be a first priority to all operating systems (that aren’t used offline only), and to the software they use. An operating system that is not secure is simply not good enough and not worth supporting or using in today’s networked world. Don’t we have enough spambots and zombie machines sending us spam etc. in the world already?
As to good enough operating systems, I think many (but not all) Linux distributions are good enough in their security practices, and most Unix operating systems (BSD, Solaris) too. Nobody is perfect, of course, but it is at least worth trying anyway.
What I have often been wondering is how will new alternative operating systems like Haiku or Syllable do in security department (if they ever get popular enough that it really starts to matter). They seem to have many fine features and design goals – but I have read very little about their security goals so far.
Edited 2008-08-08 20:32 UTC
Active scripting has always been a huge security problem in Windows. Active X it’s self has been a problem with IE for ever and a day.
I wish people would just get used to the fact that Windows is nothing more then a toy and go on with life!
The Original article points out that its not IE or Vista flaw but basic design flaw! this indeed is a serious issue…!
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gc…
Hey MS better use Linux in backend and build u r own propriotary GUI on top of it… to stop all this crap windows design flaws.
What little I can gather from the article is that if you just load that certain malicious content in the web browser it can circumvent any and all protection system built in to Vista _by using them the intended way_, ie. not taking advantage of any security hole. That’s not possible to fix unless they completely revamp the whole security subsystem.
That aside, this has some other interesting repercussions: Vista’s most trumpeted features has now been proven to be beatable and if this exploit works only in Vista and not XP then a heck load of companies that have switched to Vista will get quite pissed. That could mean some serious trouble.
I am waiting for more information about this whole thing since the article is a bit sparse on the details, but I am keeping my thumbs up for Microsoft just having to eventually scrap Vista altogether. Why? That might force them to produce a completely new, more secure, more robust OS. That would benefit atleast all of their customers. And, it just might make Linux gain a bit more market share
No, as far as I can see, the exploits require the presence of an unpatched vulnerability.
But once that vulnerability is found, each and every one of MSs shiny new anti-exploit features can be bypassed to allow you to easily and reliably own the box.
They’ll push out a PR droid to say “We believe that Vista’s security is not compromised”.
Then they’ll just carry on as usual.
If this is indeed a genuine and serious flaw, it’s great news! It might actually force PHBs to look around (for once) to check out more secure OSs.
( Then again, knowing PHBs, I won’t hold my breath….
)
I have recently clean installed windows vista with SP1 for a customer and after 20 days she returned it to me saying it does not work!
I said in my mind what? Did she infect the system in that short time? Did I forget to secure her system? so I returned to the work order and found that I didn’t forget anything at all.
What she did is simply install Norton 360, and then her browser and her start button search and anything releated to the browser stopped working, I even could not uninstall norton except in real mode and MS doesnot offer console uninstallation services; so I decided to wipe/Reinstall windows again from a restoration Disk.
So, who’s this problem fault?
1. the customer who didn’t allow me (the professional) to install Antivirus software?
2. The Antivirus software company who produces bad software
3. Microsoft who does not protect their OS core services and lack less invasive powerful recovery solutions?
4. Bad Luck
Pick one!!!
Quite honestly, anyone who goes and uses Symantec products deserves all the pain and suffering that they inflict upon themselves. Why didn’t she ring up and ask you a question relating to security software? I’ve worked with end users, and most of the time when I get rung up there is a question relating to what they should run.
Getting back to Windows Vista and Symantec, quite honestly she should look at something like OneCare or Kaspersky – or better yet, just don’t visit websites that are dodgy, and install updates when they come through. The number of end users who don’t install updates is frustrating – there is NO excuse for not installing updates. They are free of charge to download, only take a few seconds to install. Those who don’t do the regular maintenance are lazy.
Agreed but the reason is depressing – if you go to your local magazine store and find a PC mag with reviews of AVs Norton will always be recommended if not be given as the top product, even though its vile and possibly worse than most malware. Pity the poor punter, advised by idle Journalists.
Vista and Norton ughh
I remember years ago Norton used to be like the ‘gold standard’ must have application suite on a computer. Ever since Norton for Windows 95, its been a steady downhill slide ever since. I’ve consistently seen these rave reviews of Norton these days and I wonder whether they’re using the same product that is out there in the marketplace – because what these so-called ‘reviews’ go on about, and what the reality is, are two different things.
I gave up years ago trusting any reviews of products by magazine writers – its almost a certainty that these people never actually test it and simply give the marketing blurb for a few bucks passed under the table. The only true ‘review’ I find is to go into a forum and ask questions to be quite honest – and then weigh up the feedback from other end users.
“Getting back to Windows Vista and Symantec, quite honestly she should look at something like OneCare or Kaspersky”
One time I advised a customer to install Windows Live one care or eset so he bought Windows Live One care and then he called me after 3 days telling me that the software refuses to install and that that this software had a horrible reputation on the forums and that MS had a special program to deal with bug.
So Long time ago I stopped recommending AntiVirus Software to any customer and I started to tell them not to disable what I have configured for them ie Autoupdate; and then recite to them the list of the most common Antivirus in the market and tell them at the same time that I cannot be hold accountable or responsible for any antivirus software that they decide to go with.
Just yesterday I have installed Norton 360 v2 downloaded from the internet freshly and installed on a freshly installed vista x64 and after it installed successfully it refused to uninstall at all.
So I wondered why is this? the system is not infected and the code of both software are clean (OS and Norton) so why it refused to uninstall? Is is a virus itself? or what?
So, I went to norton web site and discovered that there is an uninstallation tool if that happed!!
So this is a common thing in that kind of cheap pooly coded and designed software.
When that happen customers ask me, what can I do to protect myself? Then I answer either install Ubuntu or Buy a Mac if you don’t want headaches. that’s it.
Then they would say what did you say Ubuntuuuuu? what is this? Sir forget about it just go and buy a mac….But I cannot run my programs then! No, you can. Then I would explain how that for every windows program there is an alternative in Mac and if all fails you still can run it emulated with different software (parallels, fusion,…)
Then they get it. Then you say how much for a Mac?
I say laptops 1200$ and up if desktop 600$ and up.
Oh dear that is expensive!
Well think about it….Ok thanks…bye bye
Based on the BlackHat talk roster synopsis, Dowd and Sotirov have developed a library of techniques to bypass the defense-in-depth measures taken by the Vista compiler, heap, and kernel. It’s not a specific attack, but their techniques could be used to make any hole that is found in the browser wider and more likely to be exploitable.
We don’t treat any vulnerabilities that are found as ‘unexploitable’ and therefore not worthy of being fixed, so it’s not like Vista’s added protections were meant to be an excuse to get lazy and allow more bugs to slip into the product. I’m really interested now in seeing what they have found and how complete the break is.
They bassicly say that using activex and .net through their browser is a security risk.
I kinda thought that was already common knowledge.
Ok, there is a lot of confusion what this “exploit” actually entails, despite the paper actually being reasonably clear. I’ll summarize the paper though:
Vista introduced several new protections against memory corruption attacks. Notice that this is not the whole of Vista security, it is just one aspect that it intended to trip up exploit makers as much as possible. The following are the ones considered in the paper:
* DEP. Making stack/heap pages non-executable. Classic page-table approach, makes executable pages non-writable by default, and writable pages non-executable by default.
* GS. Stack protection, inserts “canaries” in the stack frame, so that if a memory overrun occurs the canary is destroyed before the overrun can get to a return address (the return address being the classical overrun target; just overwrite the return with wherever the exploit wants to go).
* SafeSEH. Exception handler validation. Makes the compiler generate a list of allowed exception handlers for each executable. Whenever an exception is thrown the runtime checks that the handler is one of the allowed ones. Prevents exploits from overwriting the handler addresses with a location it wants to go to.
* ASLR. Address space layout randomization. Places the stack/heap/code sections at slightly random locations to make it hard to the attackers to know where they need to get exploits to jump. Since the exploits are often only able to jump to one arbitrary memory location the attacker wants to know how to get there.
Several of these are also available on Linux and OSX (in varying degrees), and everything in the paper applies equally to them (more greatly if anything as they do not have the benefit of sandboxed IE in Vista).
The exploit needs to do two things to be effective, it needs to upload a lump of code into an executable section in the system, and it needs to jump to it. ASLR and DEP tries to make it harder to upload the code in a useful place, GS and SafeSEH protects against two ways to try to fool the system to jump there. The paper outlines the following methods to defeat these:
The most interesting part is how they defeat ASLR; a very large NOP slide (http://en.wikipedia.org/wiki/NOP_slide). Simply write several megabytes of exploit code which one can jump into at just about any position and get to run. This multimegabyte lump of code can be written in JavaScript, a Java applet, a flash movie or a .NET applet. Then the exploit jumps to the roughly right region, and as it doesn’t matter that ASLR has moved the target around one can still hit it.
Core IE and .NET runs with DEP though, so this will not work immediately. As it happens though, Flash and Java both leave data pages executable, so DEP is circumvented thanks to those plugins. The paper also outlines a way to fool .NET binaries to load without DEP (through a special combination of PE header flags), which is quite interesting. That is the only real bug/mistake noted in the paper, and I would suspect that it will get fixed.
Finally, getting the jump to go into such a set up section means circumventing either GS or SafeSEH. SafeSEH is trivial in IE, as it has to be disabled as soon as a plugin without SafeSEH is loaded, and both Flash and Java take care of that. GS is not strictly speaking defeated in the paper, but rather they look for holes in the heuristics. GS is after all not absolute, just a tricky filter to get exploits through.
With all that said: All techniques in this paper apply equally to all browsers and operating systems. The fact that it mentions Vista specifically is only because it has such a comprehensive set of techniques to consider. The paper does correctly and interestingly note that due to browsers being such extensible and dynamic programs it is hard to make protections work well, as the chain is only as strong as the weakest link. Which rings true on all systems.
The real short summary though: Flash/Java plugins can be used to circumvent Microsoft protection techniques as they don’t use them. This still need a critical exploit to be useful, and those are still made harder by GS and friends. Even then the IE UAC sandbox is not breached by anything listed in this paper.
Thanks for the summary. Is the actual paper publicly available?
It was linked above as http://taossa.com/archive/bh08sotirovdowd.pdf
At the time I could fetch it and read it, but now it seems inaccessible. In fact, it appeared inaccessible again when I wrote the post, so I might have missed some details typing out of memory. I think the summary should be a reasonably accurate reflection of the content however.
The whole thing is pretty interesting all told, as it sheds some light on the hurdles of adding extra security layers to such an as sprawling application platform as a web-browser. It doesn’t really invalidate any of the techniques that Microsoft employs in Vista (ASLR seems rather damaged by it, but the NOP slide really needs the DEP circumvention to be practical, and ASLR after all prevents attempts to jump to pre-existing code), but it does illustrate what may be a wider problem for applications of this nature.
A bit unfortunate really that the article is so vague and sensationalistic, as it could have been an interesting topic of discussion but ended up a bit flamebaitish.
Thanks for pointing out the link (I totally missed it when looking through the article).
It looks like the IE team needs to take a stand and make a ‘secure mode’ option which has Permanent DEP. Also the .NET header flags validation needs to be improved a bit.
The interesting this about this problem is that it seems that IE is the biggest problem, along with .NET and Active X (All Microsoft products)
Does not focus on Java and Flash etc.
So that said, does this mean that MS also does not put the same security on their own products?? As Java, Flash etc does not use the security built in?
IE is not the problem, not only will the same techniques work against Firefox, Opera and Safari, they will if anything work better as those don’t present the additional hurdle of the IE UAC sandbox.
This has nothing to do with ActiveX, any other plugin architecture would be just as problematic. Being able to fool .NET to not run with a poor DEP setup with a specially crafted header is a problem (probably a bug) though, true enough. Still, as Flash and Java never sets up secure page settings it doesn’t really make much difference for now.
Where did you get that info? In the articles that came out IE is the issue. Yes this problem would happen on any other browser and almost any plug in. But they make a point to say IE is a big problem Do you have some info that shows something else. Please provide.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gc…
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
“By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.
Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.”
“If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they’re safe because they’re .NET objects, you see that Microsoft didn’t think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.”
According to this you can run a default Windows Vista set up with no third party software and you are wide open. And there is nothing you can do (But use Windows XP)
So no it’s not a problem with the actual plugins but its a major problem with how Windows handles even Microsoft plugins! People will try to blame it on third party developers. Just want to make sure its clear that its MS that made this problem not bad programing developers! Not third parties making bad plugins!
As I noted above the article (and the discussion that follows from it) is pretty awful, vague and bordering on completely incorrect. I got my info from the linked paper above. I think it has been removed at this point however, so you may either need to track down another copy or take my word for it.
While they do use the way that IE handles ActiveX controls, Java- and .NET-applets, the same applies equally to just about any other plugin architecture as long as the plugin runs in-process. Which covers all popular web-browsers.
So, to reiterate:
* There is no exploit, nothing is “wide open”. They use the old (long patched) .ANI exploit to demo the techniques. The talk has been given and all the facts are out, feel free to check Secunia or such for security advisories. Spoiler: there are none.
* This only deals with a handful of the protections in Vista, as a whole IE on Vista remains far more secure than IE on XP (even if all Vista protections were completely knocked down we would still at worst be in the same place we are on XP).
* All other browsers (and, in principle, OS’s) are equally affected by this; if they have similar protections they can be overriden in the same way, if they don’t, well, then they were worse off to start with. The only reason why Vista is the example in the paper is because it has a comprehensive set of protections to consider.
* Indeed .NET header loading bug makes IE in a clean default Vista install susceptible to the DEP-disabling/ASLR-slide part of the trick. This is the most serious part, but will probably get fixed, and doesn’t matter much as 95% of all installs get Flash within minutes of going online.
I realize that the most serious problem with my comments is that the paper doesn’t seem accessible anymore, but please consider the possibility that you are barking up the wrong tree here. You will surely find plenty of other things to complain about in Vista
We will have to see over the next couple of weeks what is actually meant as these issues come to light.
Normally when docs like that “vanish” then ether they are wrong or they are not detailed right.
So we will see if this can be demoed and if they can show it on other OS’s.
The paper is back up, but it is very long and rather technical. These attacks all only apply to the defense-in-depth measures, so you need to combine them with an actual vulnerability in order to break in.
You’ll see that the attacks do require certain preconditions. It so happens that these preconditions are almost always met for a web-browser due to the common third-party plugins (and due to an issue in .NET header validation) and application compatibility conerns. One thing to note, is that running 64-bit apps on Windows will allow you to get away from these problems for various technical reasons (including the presence of table-based exception handling).
This sentence is hard to parse but it seems like you are saying that .NET’s incompatiblity with DEP is a bug but it is not. The same thing happens on Linux with Mono. Memory protections must be disabled for Mono because it takes advantage of runtime code generation that DEP and PaX specifically try to prevent. This is generally OK though because .NET and Mono are not affected by buffer overruns.
This aspect of it does appear to be a bug. Sure VM’s will need to write to pages and then execute for the sake of JIT code generation. However, what they should do, and .NET normally does is at the very least have heap pages non-executable (that is, any page which is not a target of the JIT). Additionally the JIT should not leave its pages writable once done with a round of compilation (which would only mean that there exists readable/executable pages during the instants when the JIT is actively running, and only for touched pages at that time).
It is the first case that .NET can be fooled into failing on (and Java always fails on), getting non-code pages with exectuable permissions. I am not sure whether or not it handles the latter case well or not, which is an interesting question in itself, but not something that is exploited in this paper either way.
Overall this seems to be rather neglected by VM’s, which is kind of frightening as the whole point of most VM’s is to be a core part of sandboxing and other such security measures.
I still don’t see this as a .NET bug. Buffer overruns are not really a problem on .NET or Java so extra memory protections should not be required. Java or .NET is used to bypass ASLR but the real issue seems to be the fact that DEP is not enabled on IE7. ASLR mitigated some attacks that the lack of DEP allowed but now ASLR is useless and when using IE7 as an attack vector DEP isn’t even a factor!