

J3115
August 8th, 2008, 11:04 PM
Vista's Security Rendered Completely Useless by New Exploit

This week at the Black Hat Conference two security researchers will
discuss their findings which could completely bring Windows to its
knees. Mark Dowd of IBM Internet Security Systems (ISS) and Alexander
Sotirov, of VMware Inc. have discovered a technique that can be used to
bypass all memory protection safeguards that Microsoft built into
Windows Vista. These new methods have been used to get around Vista's
Address Space Layout Randomization (ASLR), Data Execution Prevention
(DEP) and other protections by loading malicious content through an
active web browser. The researchers were able to load whatever content
they wanted into any location they wished on a user's machine using a
variety of objects, such as Java, ActiveX and even .NET objects. This
feat was achieved by taking advantage of the way that Explorer (and
other browsers) handle active scripting in the. While this may seem
like any standard security hole, other researchers say that the work is
a major breakthrough and there is very little that Microsoft can do to
fix the problems. These attacks work differently than other security
exploits, as they aren't based on any new Windows vulnerabilities, but
instead take advantage of the way Microsoft chose to guard Vista's
fundamental architecture. According to Dino Dai Zovi, a popular
security researcher, "the genius of this is that it's completely
reusable. They have attacks that let them load chosen content to a
chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista
(and Windows Server 2008) were added to stop all host-based attacks.
For example, ASLR is meant to stop attackers from predicting key memory
addresses by randomly moving a process' stack, heap and libraries.
While this technique is very useful against memory corruption attacks,
it would be rendered useless against Dowd and Sotirov's new method.

"This stuff just takes a knife to a large part of the security mesh
Microsoft built into Vista," said Dai Zovi to SearchSecurity.com. "If
you think about the fact that .NET loads DLLs into the browser itself
and then Microsoft assumes they're safe because they're .NET objects,
you see that Microsoft didn't think about the idea that these could be
used as stepping stones for other attacks. This is a real tour de
force."

While Microsoft hasn't officially responded to the findings,
Mike Reavey, group manager of the Microsoft Security Response Center,
said the company has been aware of the research and is very interested
to see it once it has been made public. It currently isn't known
whether these exploits can be used against older Microsoft Operating
Systems, such as Windows XP and Windows Server 2003, but since these
techniques do not rely on any one specific vulnerability, Zovi believes
that we may suddenly see many similar techniques applied to other
platforms or environments. "This is not insanely technical. These two
guys are capable of the really low-level technical attacks, but this is
simple and reusable," Dai Zovi said. "I definitely think this will get
reused soon."

These techniques are being seen as an advance that many
in the security community say will have far-reaching implications not
only for Microsoft, but also on how the entire technology industry
thinks about attacks. Expect to be hearing more about this in the near
future and possibly being faced with the prospect of your "secure"
server being stripped completely naked of all its protection.
http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit
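
Added example, not from the article, the thread or the researchers' work: the post describes ASLR as randomly moving a process' stack, heap and libraries and names DEP as the other headline protection. On Windows, whether a given module actually opts into those two mitigations is recorded in the DllCharacteristics field of its PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 for ASLR relocation, IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100 for DEP), so the practical defender's check when reading news like this is to audit which of the modules a browser loads carry those flags. The script below parses that field from a PE image. The header offsets follow the PE/COFF specification; the sample headers produced by build_minimal_pe() are constructed test data rather than loadable binaries, and the function names and the audit_file helper are my own.

```python
"""Report whether a Windows PE image opts into ASLR and DEP.

Added example, not taken from the article or the researchers' work. It reads
the DllCharacteristics field of the PE optional header, which is where a module
records that it may be relocated (DYNAMIC_BASE, used by ASLR) and that it is
DEP-compatible (NX_COMPAT). Header offsets follow the PE/COFF specification; the
sample headers from build_minimal_pe() are constructed test data, not loadable
binaries.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image can be relocated at load time, so ASLR applies
NX_COMPAT = 0x0100     # image declares itself compatible with DEP

PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header


def pe_mitigations(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows COFF header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image does not opt into, for an audit report."""
    info = pe_mitigations(data)
    missing = []
    if not info["aslr"]:
        missing.append("ASLR")
    if not info["dep"]:
        missing.append("DEP")
    return missing


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: the smallest header chain pe_mitigations() accepts."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 112 if pe32plus else 96        # optional header without data directories
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,        # Machine: x64 or i386
        1, 0, 0, 0,                           # sections, timestamp, symbol table, symbol count
        opt_size,
        0x2002,                               # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL
    )
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(optional)


def audit_file(path: str) -> list:
    """Hypothetical helper: audit a module on disk and list what it lacks."""
    with open(path, "rb") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, "missing:", audit_file(path) or "nothing")
    else:
        for flags in (0, NX_COMPAT, DYNAMIC_BASE | NX_COMPAT):
            sample = build_minimal_pe(flags)
            print(f"DllCharacteristics=0x{flags:04x}: missing {missing_mitigations(sample)}")
```

Run without arguments it walks the three constructed headers; with paths it reports each real module. A module that lacks DYNAMIC_BASE is loaded at its preferred base regardless of how well the rest of the process is randomized, which is why an audit has to look at every DLL a process loads and not only at the main executable.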

cillian
August 8th, 2008, 11:06 PM
Q: How is a computer like an air conditioner?
A: It doesn’t work with windows open.

Jett Rink
August 8th, 2008, 11:12 PM
http://img521.imageshack.us/img521/766/motivationallinuxmb2.jpg