
Vista's Security Rendered Completely Useless

kdawson posted more than 6 years ago | from the bypassing-memory-protection-safeguards dept.

Security 415

scribbles89 sends in a story that originally ran in SearchSecurity; it sounds like it could be a game-changer. "While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi..., 'the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.'" Update: 08/08 14:23 GMT by KD : Changed the link, as the story first linked had been lifted without attribution.


Details... (5, Insightful)

EvanED (569694) | more than 6 years ago | (#24523001)

Too bad it doesn't explain what they actually did and just says "ooo, this is really bad". It'd be interesting to see a description, and see if other systems with similar protections are vulnerable.

Well.... (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24523039)

...you could always go to the Black Hat Conference and find out.

Re:Details... (5, Insightful)

Anonymous Coward | more than 6 years ago | (#24523053)

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

From this paragraph it sure sounds like the author of the article hasn't got a clue.

Re:Details... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24523333)

Who needs a clue when you've got the odd-ass-ity of hope, and loose change to follow?

Re:Details... (5, Insightful)

encoderer (1060616) | more than 6 years ago | (#24523629)

Exactly. It's saber rattling. Sounds like nothing more.

Furthermore, I love how silly some people here can be. The article says:

far-reaching implications not only for Microsoft

But somehow this is a Vista security issue?

Please. Many here on this site, and many articles posted here, have a bias. There's nothing wrong with that, most things in life have a bias in some way.

But there's a difference between "bias" and "intellectual dishonesty."

This is the latter.

Re:Details... (4, Insightful)

rsmith-mac (639075) | more than 6 years ago | (#24523071)

They also don't point out whether this breaks out of the IE sandbox or not. This makes a big difference, as if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE. More details would have been nice.

Re:Details... (3, Interesting)

mr_mischief (456295) | more than 6 years ago | (#24523153)

Well, if they can really get past "all memory protection safeguards", that means the code can just overwrite your running kernel. I doubt that sentence was really intended to say that, though. It probably means specifically the ones new to Vista over XP that were listed.

Re:Details... (5, Insightful)

archeopterix (594938) | more than 6 years ago | (#24523217)

if they can't break out of the sandbox, it makes any attack fairly useless on a correctly configured machine using IE.

Every time an exploit occurs, people start blabbering about "correctly configured" machines, completely missing the point. What is really important is this: does it work on an out-of-the-box Vista or not?

Re:Details... (4, Informative)

Blakey Rat (99501) | more than 6 years ago | (#24523379)

While you have a point, I'd just like to point out that out-of-the-box IE is in a sandbox in Vista. Frankly, I don't even know how to run it otherwise.

Re:Details... (4, Insightful)

Cid Highwind (9258) | more than 6 years ago | (#24523449)

"Properly configured" in the case of IE's sandbox means "I didn't turn off UAC". So, no, an attack that's stopped by IE sandboxing does not work on out-of-the-box Vista. It would only work on the sort of Neowin-reading "power users" who turn off security features to gain (perceived) speed and convenience.

Re:Details... (2, Interesting)

bcwright (871193) | more than 6 years ago | (#24523551)

While this is true as far as it goes, the article claims that the exploit has "no workaround". If that's really true (and the details are too sketchy to make any kind of judgment about that), then it would appear that even a "correctly configured" machine still has some degree of vulnerability.

Re:Details... (5, Interesting)

Zeinfeld (263942) | more than 6 years ago | (#24523091)

Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.

CF all those 'studies' that 'prove' porn is bad or watching TV turns kids into Martians or whatever. Every time that stuff hits the press the paper is 'to be published' which is a good way to prevent opponents getting in a response.

Re:Details... (4, Insightful)

ShieldW0lf (601553) | more than 6 years ago | (#24523249)

Too bad it doesn't explain what they actually did and just says "ooo, this is really bad"

In the days of the Web there is a rule that if someone tells the press before they publish the paper, they are full of it. They haven't told Microsoft, so they can't even claim that they are not releasing the details to allow for a fix.

They're presenting their findings at a black hat conference this week. What makes you think they have any motivation to help MS fix it beforehand? Did it ever occur to you, as people who break security systems they think impede their own and other peoples freedom, they might, just might, have a strong motive to punish anyone who installed it and drive them off Vista?

Re:Details... (5, Insightful)

Kihaji (612640) | more than 6 years ago | (#24523397)

So you're claiming the "Won't someone please think of the children" defense? If they don't want to use Vista or any other piece of software, that's their choice, but to think that somehow they are doing this to protect me by making me see the "error of my ways", well that's a giant bag of crap. They are called PERSONAL choices for a freaking reason.

Re:Details... (0, Troll)

ShieldW0lf (601553) | more than 6 years ago | (#24523519)

So you're claiming the "Won't someone please think of the children" defense? If they don't want to use Vista or any other piece of software, that's their choice, but to think that somehow they are doing this to protect me by making me see the "error of my ways", well that's a giant bag of crap. They are called PERSONAL choices for a freaking reason.

Who said anything about protecting your freedom? If you're a Vista user, they're more likely interested in punishing you for what you've done with your freedom. Come to think of it, so am I. Freedom doesn't liberate you from accountability to the other free people you share this rock with, and if you think it does, you're in for a hard time.

Re:Details... (1)

sproot (1029676) | more than 6 years ago | (#24523719)

One works for IBM the other VMWare. What makes you think they're out to punish anyone or anything?

An incredibly worrying response from Microsoft (5, Interesting)

Anonymous Coward | more than 6 years ago | (#24523421)

From TFA:
"While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public."

So, Microsoft is
a.) Not currently aware of the details of the exploit and
b.) Doesn't plan (or, apparently, want) to GET the details until the details are PUBLISHED.

Apparently, Microsoft's "Security Response Center" has no idea that they have a window of opportunity to fix the problem BEFORE the details are in the wild. Why would we want that? Nah, we don't need to be pressing for details. We'll figure it out when our customers start screaming about exploits.

I've thought MS was somewhat incompetent on security, but this is mind boggling.

Re:Details... (1)

crunch_ca (972937) | more than 6 years ago | (#24523611)

True. This could be a lot of hyperbole. But, the researchers are from IBM and VMware, so that lends a little credence in my books.

Re:Details... (5, Insightful)

adpsimpson (956630) | more than 6 years ago | (#24523099)

I'm sure I'm not the only one who remembers running some little script [slashdot.org] with normal user privileges, and suddenly seeing the prompt change from
user@computer:~$
to
root@computer:~#

And, well, that had been around forever, apparently. And, well, it was fixed the next day.

The moral? Horrendous, gaping security holes do exist, and are found from time to time. And they get fixed (faster in FOSS than Windows, but they still get fixed). Of course, some OSs are more equal than others when it comes to general security and user-centric design, but I just can't believe for a minute that this is some life-shattering, end of the world event for Microsoft.

Re:Details... (1)

Z00L00K (682162) | more than 6 years ago | (#24523229)

I think that I'll go back to 8051 and Z80 coding.

Re:Details... (3, Funny)

mr_mischief (456295) | more than 6 years ago | (#24523405)

It's more like the 4004 or before. Don't trust the result on your handheld calculator if someone else has been in possession of it. It probably just says "boobies" if you turn it upside down.

Re:Details... (1)

DrSkwid (118965) | more than 6 years ago | (#24523723)

When I was a lad a local root exploit meant you had a hammer and a screwdriver.

Re:Details... (5, Funny)

bcmm (768152) | more than 6 years ago | (#24523351)

#!/bin/bash
PS1="root@computer:~#"
export PS1
# Pwned

Re:Details... (2, Funny)

adpsimpson (956630) | more than 6 years ago | (#24523529)

That's it! Damn it, I thought they'd fixed it!!

Let's test it:
adpsimpson@asimpson:~$ PS1='root@computer:~# '
root@computer:~# rm -r /media/winxp
rm: remove write-protected directory `winxp'?

Whoa, what are all these popups??

Re:Details... (2, Funny)

EvilNTUser (573674) | more than 6 years ago | (#24523639)

Your exploit would fail on OpenBSD. It is truly more secure.

Re:Details... (2, Insightful)

oyenstikker (536040) | more than 6 years ago | (#24523373)

There is a difference between a coding bug and a fatally flawed architecture design. One can often be fixed quickly and easily, and the other can't.

Re:Details... (4, Insightful)

Blakey Rat (99501) | more than 6 years ago | (#24523417)

Extraordinary claims require extraordinary proof. The linked article provides... vagueness. It mentions that they used a browser (which one?) and that it has something to do with defeating the NX bit. I'm guessing that it's not nearly as severe as this article's hyperbole makes it seem.

Re:Details... (5, Funny)

ozmanjusri (601766) | more than 6 years ago | (#24523753)

Extraordinary claims require extraordinary proof.

Windows vulnerabilities are extraordinary?

I'll have some of what you're drinking, please.

Re:Details... (1, Funny)

Anonymous Coward | more than 6 years ago | (#24523391)

I'm sure I'm not the only one who remembers running some little script [slashdot.org] with normal user privileges, and suddenly seeing the prompt change from

user@computer:~$

to

root@computer:~#

Hey, psst, want some root exploit?

$(echo rkcbeg CF1='ebbg@\u:\j#\040'|tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]')

Re:Details... (2, Funny)

supersloshy (1273442) | more than 6 years ago | (#24523111)

It'd be interesting to see a description, and see if other systems with similar protections are vulnerable.

Hmm.... No, I can't think of anything as "secure" as vista to be as insecure.

Yeah, wasn't there some important necessity... (5, Insightful)

Concern (819622) | more than 6 years ago | (#24523145)

Something about "Big Claims" needing "Big Evidence"?

The "rah rah" quotes from the reporter make it sound like bullshit, even if it weren't. Without even the barest sensible explanation about what was done here, this is a non-story.

Re:Yeah, wasn't there some important necessity... (4, Interesting)

KillerBob (217953) | more than 6 years ago | (#24523511)

TFA does imply that the exploit takes advantage of an assumption at the OS level that .NET objects are automatically safe, and gives them the same privileges as the browser itself. It also says that the exploit takes advantage of a multi-homed attack using different scripting methods. Given that information, I'd venture a wild-assed guess that the exploit most likely uses JAVA and/or ActiveX to load a downloaded/forged .NET object which in turn loads arbitrary code as described.

If there's truth to the assumption about .NET objects, then it's a monumentally stupid decision on Microsoft's behalf. But there is a (temporary) fix that can be patched into the OS by requiring a signature. Yes, those can be forged. Yes, it's a stop-gap measure. But if you require authentication from online servers (remember, this is a drive-by online exploit, so it's safe to assume that anybody who needs to validate a signature like this has Internet access), then it is an improvement until it can be fixed properly.

Re:Details... (2, Insightful)

192939495969798999 (58312) | more than 6 years ago | (#24523279)

Yeah sure, they'll just publish a super-exploit so it can get posted to slashdot... that sounds like a great idea!

Re:Details... (1)

nimbius (983462) | more than 6 years ago | (#24523631)

Where's Vixie when you need him!

Vista "Shatter" Attack? (1)

macs4all (973270) | more than 6 years ago | (#24523027)

This sounds like Take Deux on the famous Windows Shatter Attack(TM).

Re:Vista "Shatter" Attack? (5, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#24523171)

It definitely sounds like a shatter attack [wikipedia.org], but I thought that Vista's new security model was supposed to prevent this. (No, not being facetious, I really thought this).

Re:Vista "Shatter" Attack? (1)

mr_mischief (456295) | more than 6 years ago | (#24523535)

Is some part of IE's scripting dependent upon a service that's running at a higher priority than the logged-in user's processes? Like something in Session 0 that could be targeted with a message? If your browser is letting untrusted code into a sandbox which is capable of privilege escalation, then code in the sandbox can probably be crafted to take advantage of that.

Before the Slashdotters rip this article apart... (3, Informative)

Anonymous Coward | more than 6 years ago | (#24523035)

It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.

Although I have a nagging feeling that this isn't as groundbreaking as Neowin.net makes it to be.

Re:Before the Slashdotters rip this article apart. (4, Interesting)

something_wicked_thi (918168) | more than 6 years ago | (#24523095)

I suspect you're right. Reading the article, it sounds like they have a way of using browser plugins as a way to get around the address space randomization features in Vista. That's a big deal, and it really might be as hard to patch as they claim. But address space randomization was never a silver bullet and even without it, all they've done is put us back to a Windows XP world.

What would be interesting is if they can extend the attack to Linux, which also does a certain amount of randomization. If they can do that, then they've got a reusable, general purpose attack. But, as it stands, it certainly doesn't sound like anything too new. People have been attacking Flash, ActiveX, Java applets, and other plugins for years.

Neowin is running... (1)

c.r.o.c.o (123083) | more than 6 years ago | (#24523043)

Vista I assume?

"Neowin is moving servers

If you are seeing this message, either your ISP or your computer is caching DNS records for Neowin.net
or alternatively, you have setup a 'hosts' file, pointing Neowin.net at this IP address.
Please flush your DNS cache, or remove the hosts file entry in order to continue browsing Neowin.
This work will ensure future speed and reliability of the Neowin.net website. We apologise for the inconvenience this may have caused."

".NET loads DLLs into the browser itself..." (3, Interesting)

VGPowerlord (621254) | more than 6 years ago | (#24523045)

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

So in other words, like 80+% of the other exploits on the web, the exploit only works if you use Internet Explorer?

Re:".NET loads DLLs into the browser itself..." (0)

Anonymous Coward | more than 6 years ago | (#24523077)

nope:

but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.

Re:".NET loads DLLs into the browser itself..." (5, Insightful)

kingramon0 (411815) | more than 6 years ago | (#24523089)

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

So in other words, like 80+% of the other exploits on the web, the exploit only works if you use Internet Explorer?

From TFA:

This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System. (emphasis added)

Re:".NET loads DLLs into the browser itself..." (4, Informative)

VGPowerlord (621254) | more than 6 years ago | (#24523259)

As far as I'm aware, other browsers* don't allow "active scripting" to access the operating system unless a plug-in has been installed to do so (such as Java or Flash, and those have their own built-in restrictions).

* "other browsers" meaning ones that aren't IE or re-branded versions of IE.

Re:".NET loads DLLs into the browser itself..." (3, Informative)

csnydermvpsoft (596111) | more than 6 years ago | (#24523269)

This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System. (emphasis added)

What kind of "active scripting" is this? I can guarantee you that Firefox's JavaScript interpreter doesn't use OS-provided libraries to run the code - that would make cross-platform consistency impossible.

I'm sure that by "other browsers," the author of the article means browsers like Maxthon [maxthon.com] that are simply wrappers around IE. It's the same thing as saying that a bug in the Gecko rendering engine affects Galeon as well as Firefox. Many people (the article author included, apparently) can't distinguish between completely separate browsers and browsers that share 90% of the same code-base.

seems to me anything built on .Net is vulnerable (1)

brokeninside (34168) | more than 6 years ago | (#24523199)

Ponder the full significance of the first part of the sentence ``"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects.''

This implies to me that the problem isn't with the browser per se but the .Net platform that the browser is built upon.

Re:".NET loads DLLs into the browser itself..." (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#24523243)

No. All browsers do this.

But inserting a payload into a trusted shared library (i.e., DLL in the Windows world) is not a new technique. It's been around for years. See virus [wikipedia.org].

Re:".NET loads DLLs into the browser itself..." (1)

UnknowingFool (672806) | more than 6 years ago | (#24523425)

The article seems to imply IE but left open the possibility other browsers are affected depending on how they handle scripting. It was noted that it does only affect Vista and not XP. Does this mean Win2003 Server might be affected as they share some code?

Aaaaaaaand Slashdotted! (0, Redundant)

d3ac0n (715594) | more than 6 years ago | (#24523057)

That didn't take long. Not bad for a Friday morning.

Re:Aaaaaaaand Slashdotted! (1)

Lord Lode (1290856) | more than 6 years ago | (#24523231)

Well, the page still loads fast for me...

Re:Aaaaaaaand Slashdotted! (1)

d3ac0n (715594) | more than 6 years ago | (#24523669)

Yeah, looks like it's back up. Kudos to the Neowin guys!

Marketing opportunity (5, Funny)

dalesc (66212) | more than 6 years ago | (#24523059)

Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

Re:Marketing opportunity (1)

wild_quinine (998562) | more than 6 years ago | (#24523147)

Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

Unfortunately, code can be injected by causing a buffer overflow in passing cosmic rays.

Re:Marketing opportunity (3, Funny)

BitterOldGUy (1330491) | more than 6 years ago | (#24523331)

Microsoft has reacted to this security exposure by launching a new version that puts the OS out of reach and is guaranteed attack-proof: Vista for Vacuums.

Then Vista would really suck.

Re:Marketing opportunity (1)

RKThoadan (89437) | more than 6 years ago | (#24523457)

Because regular Vista doesn't suck enough!

Re:Marketing opportunity (0)

Anonymous Coward | more than 6 years ago | (#24523689)

It certainly does suck!

BSOD (0)

Anonymous Coward | more than 6 years ago | (#24523083)

I bet MS misses the BSOD now

Game Over? I doubt it (4, Insightful)

Lord Byron II (671689) | more than 6 years ago | (#24523101)

First of all, the hack takes advantage of the way Internet Explorer handles scripting languages, implying that Firefox/Safari/Opera users are safe. Second, I can run most Windows code on my Linux machine via Wine. If Wine doesn't have this security hole (or even XP for that matter) then it's perfectly reasonable to assume that a rewrite of the affected portions of Vista will provide the fix.

To say that it's broken and can't be fixed is as much of a sure thing as saying it's secure and can't be hacked.

Re:Game Over? I doubt it (4, Informative)

Dude McDude (938516) | more than 6 years ago | (#24523177)

First of all, the hack takes advantage of the way Internet Explorer handles scripting languages, implying that Firefox/Safari/Opera users are safe.

FTA: "This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System."

Re:Game Over? I doubt it (1)

mr_mischief (456295) | more than 6 years ago | (#24523251)

Ah, but if it's a fundamental design flaw, can it be patched in a reasonable way? There are things to consider other than possibility. Cost is one. Whether or not the OS would be able to offer the same features, performance, and application compatibility after the patch as before are other factors. Changing the fundamental security design of an OS tends to change all three of those elements.

Re:Game Over? I doubt it (0)

Anonymous Coward | more than 6 years ago | (#24523281)

Have a reading disability do we?

Re:Game Over? I doubt it (1)

Blakey Rat (99501) | more than 6 years ago | (#24523469)

There's very very little difference in how IE's JScript engine works, and how Firefox/Safari/Opera's various Javascript engines work. JScript isn't 100% ECMA-compliant, but it's hovering around 95%+ and if you're following the same specs as the other engines, you're going to implement it in fundamentally the same way. In short, if JScript in IE can do it, Javascript in Firefox, Safari and Opera probably can, too. (Maybe with slight modifications to the attacking code.)

I think this article is bunk, though. I'll be hugely surprised if this turns out to be anything at all.

Obligatory Hudson quote... (-1)

Anonymous Coward | more than 6 years ago | (#24523105)

"Game over, man, game over!"

Article Text (5, Informative)

Anonymous Coward | more than 6 years ago | (#24523107)

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and Windows Server 2008) were added to stop all host-based attacks. For example, ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process' stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov's new method. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

While Microsoft hasn't officially responded to the findings, Mike Reavey, group manager of the Microsoft Security Response Center, said the company has been aware of the research and is very interested to see it once it has been made public. It currently isn't known whether these exploits can be used against older Microsoft Operating Systems, such as Windows XP and Windows Server 2003, but since these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments. "This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.
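The quoted article describes ASLR and DEP as protections Microsoft "built into Vista", but on Windows each executable image opts into them individually through flags in its PE header, and one module that does not opt in (or that cannot be relocated at all) gives an attacker a predictable, executable region regardless of what the rest of the process does. The Python script below is an added example, not part of the Slashdot story, the quoted article, or the Dowd/Sotirov research: it reads the COFF Characteristics and the optional-header DllCharacteristics of a PE image and reports whether ASLR and DEP are actually in effect for that image. The module names and header bytes are constructed inline for the demonstration; the flag values and field offsets are those of the Microsoft PE/COFF specification.

```python
import struct

# Flag values and offsets from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics: no .reloc data, image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 # optional header: image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100    # optional header: image opts in to DEP/NX
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_CHARACTERISTICS_OFFSET = 18   # within the 20-byte COFF file header
DLL_CHARACTERISTICS_OFFSET = 70    # within the optional header, same for PE32 and PE32+


def pe_mitigations(image: bytes) -> dict:
    """Return the header-level ASLR/DEP posture of a PE image (headers only, no sections needed)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    (characteristics,) = struct.unpack_from("<H", image, coff + COFF_CHARACTERISTICS_OFFSET)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLL_CHARACTERISTICS_OFFSET)
    aslr_opt_in = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": aslr_opt_in,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base if the image asked for it AND still carries relocations.
        "aslr_effective": aslr_opt_in and not relocs_stripped,
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_modules(modules: dict) -> list:
    """Return (module, finding) pairs for every module that weakens the process's memory protections."""
    findings = []
    for name, image in modules.items():
        m = pe_mitigations(image)
        if not m["aslr_effective"]:
            findings.append((name, "loads at a predictable base (no effective ASLR)"))
        if not m["dep_opt_in"]:
            findings.append((name, "not marked NX-compatible (no DEP opt-in)"))
    return findings


def build_header(dll_chars: int, characteristics: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for the demonstration (no sections, not a loadable image)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample modules (hypothetical names), as a browser process might have them loaded.
SAMPLE_MODULES = {
    # 64-bit host with both mitigations enabled.
    "browser_host.exe": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                                     characteristics=0x0022, pe32plus=True),
    # 32-bit plug-in linked without either flag: fixed base, not NX-compatible.
    "legacy_plugin.dll": build_header(0x0000),
    # Edge case: asks for ASLR but had its relocations stripped, so it cannot be moved.
    "relocs_stripped.dll": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                                        characteristics=0x2102 | IMAGE_FILE_RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, pe_mitigations(image))
    for name, finding in audit_modules(SAMPLE_MODULES):
        print(f"FINDING {name}: {finding}")
```

The same functions work on real files (`pe_mitigations(open(path, "rb").read())`), since only the headers are inspected. The flags record what the image asked for; whether the OS honours them (for example, a system-wide DEP policy that ignores the NX_COMPAT bit) is decided by the loader, so treat the output as the module's own posture rather than the process's final state.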

Re:Article Text (0)

Anonymous Coward | more than 6 years ago | (#24523747)

The following technologies fundamentally do not implement security as they either react to known problems or simply make it harder to implement an attack against an otherwise flawed system:

IDS
Firewall
Virus Scan
ASLR
DEP/NX

Wouldn't it be something if people directed their limited time and efforts on real issues such as improving code quality and better tools to prevent stack smashing than wasting their time naively participating in unwinnable wars that simply make them feel safer?

ASLR is no different than syskey without a password. It's just an obfuscation function. Computer security is fundamentally incompatible with obfuscation unless you subscribe to "security by obscurity".

Article is also completely useless (0, Funny)

Anonymous Coward | more than 6 years ago | (#24523117)

The article is also completely useless, as it doesn't explain the vulnerability in any detail necessary to understand it.

Sceptically speaking... (4, Insightful)

wild_quinine (998562) | more than 6 years ago | (#24523131)

I would treat this 'news' with a healthy dose of scepticism for now. It looks like the standard shit-talking that goes ahead of all major black-hat conferences.

Save your Microsoft bashing for the unlikely possibility that this is even half the exploit as Dowd and Sotirov are claiming.

Re:Sceptically speaking... (0)

Anonymous Coward | more than 6 years ago | (#24523195)

Agreed - this article is either ignorant, or intended to generate interest and traffic to their site. I'm sure the problem is fixable.

Anyone else reminded (3, Insightful)

Sir_Real (179104) | more than 6 years ago | (#24523135)

of GRC's sensationalist "ZOMG teh Windoze is going to eat yer babies!" shatter attack nonsense?

Yeah. That totally crippled MS...

It's software people. SOFT. ware.

Re:Anyone else reminded (2, Informative)

Sir_Real (179104) | more than 6 years ago | (#24523157)

After reading the first paragraph of the neowin article.... Turn scripting off in your browser. It's all browser based.

Re:Anyone else reminded (0)

Anonymous Coward | more than 6 years ago | (#24523735)

How well does Slashdot's new interface work without Javascript turned on?

Thank you mozilla ! (1)

aepervius (535155) | more than 6 years ago | (#24523139)

The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects.

Thank god for mozilla and noscript...

sounds like a publicity stunt (1, Funny)

Anonymous Coward | more than 6 years ago | (#24523149)

microsoft is obviously trying to get more people aware of vista's existence.

Well, OK, then. Security (5, Funny)

smchris (464899) | more than 6 years ago | (#24523207)

But what about all the _other_ great things about Vista? Like......ummm, you know.

Re:Well, OK, then. Security (3, Funny)

thermian (1267986) | more than 6 years ago | (#24523273)

But what about all the _other_ great things about Vista? Like......ummm, you know.

The Aquaducts?

Re:Well, OK, then. Security (1)

AlexMax2742 (602517) | more than 6 years ago | (#24523703)

A 64-bit version that actually has driver support?

So, um... (1, Troll)

sm62704 (957197) | more than 6 years ago | (#24523261)

Would the Microsoft employees and other MS apologists explain to me again how Windows' insecurity is only due to its popularity?

Re:So, um... (1)

hal9000(jr) (316943) | more than 6 years ago | (#24523365)

Silly button, no reasonable person argues Windows insecurity is due solely to its popularity. The scrutiny it receives (compared to the lesser scrutiny other OS's receive/received), and has received in the past, is the reason so many are *found*. Obviously, the vulnerabilities have to be there in the first place.

What is not known is if other OS's became as popular, if they would receive as much scrutiny.

Re:So, um... (2, Insightful)

Blakey Rat (99501) | more than 6 years ago | (#24523501)

Uh, before you make this argument we should stick around and see if this Slashdot story is even remotely accurate. My guess? No, it's not.

I sense a new alert message in your future... (3, Interesting)

Anung_Un_Rama (929302) | more than 6 years ago | (#24523265)

Ok, they have found an exploit that can lead to any malicious code being run on a host machine. That is pretty bad. The fact that this hole can be exploited using something as simple as JavaScript, even worse. However, I don't think this exploit is something that cannot be defended against. Anything run on the client side must be loaded on the client first, which means you do have a chance to catch it before it is loaded. Granted, on pre-compiled objects this does present more of a challenge, but scripting exploits should be easily filtered out. It would certainly slow down page rendering, but I am sure most browsers will come up with a message allowing you to bypass any pre-rendering checks... "The page you requested contains code which, when loaded, may prove to bring your Vista operating system to its knees. Do you wish to continue?"

Re:I sense a new alert message in your future... (4, Insightful)

andrewd18 (989408) | more than 6 years ago | (#24523643)

I am sure most browsers will come up with a message allowing you to bypass any pre-rendering checks... "The page you requested contains code which, when loaded, may prove to bring your Vista operating system to its knees. Do you wish to continue?"

And that will be extremely effective, right up until Joe Sixpack says, "Well if I say no, I can't get my porn." and clicks Yes.

Not surprised (5, Insightful)

unity100 (970058) | more than 6 years ago | (#24523275)

this is what happens when you implement an extreme layer of security that can totally take over a computer, but DON'T trust the computer's owners, users enough to give all power over it to them, and allow for privileged access to outside sources - be it microsoft's update servers, be it certified tech support etc.

it is only a matter of time for any malicious third party to figure out your elaborate access scheme and get control of people's computers. because if you can do it, others can do it too.

Hmm... (4, Interesting)

bhtooefr (649901) | more than 6 years ago | (#24523291)

Looks to me more like a .NET and IE design flaw that could be easily fixed, than what this article is making it out to be. ABSOLUTE worst case is that it requires better authentication of the system's own code, which... shit, isn't that already part of Vista's security model? Just expand the scope. (Granted, THAT could break stuff.)

And, there's even a quick and dirty fix Microsoft could do, albeit at a possible extreme performance hit.

Sandbox .NET apps, don't trust any of the framework.

It could break OLE horribly, but not if they do it right - and how much is old-school OLE used anyway? And, for ActiveX plugins that are also used as standalone apps (such as Adobe Reader), just fire up a second copy of the process in the sandbox.

Re:Hmm... (3, Informative)

awitod (453754) | more than 6 years ago | (#24523513)

.NET apps are already sandboxed. The guy who said "Microsoft trusting the objects because they are .NET" is full of crap.

SOP after hacking is to patch the exploit, so... (1)

postermmxvicom (1130737) | more than 6 years ago | (#24523329)

...would the first thing you do after hacking Vista be to install XP?

Dear FBI, I don't know this because I am a hacker, but I knew someone who got fired because they got hacked. And the first thing the hacker did was to patch the exploit, I guess so no one else could hack it and he could keep it to himself and maintain a low profile?

The Real Story is The Time of Post (2, Funny)

dearmansoor (1340939) | more than 6 years ago | (#24523357)

Microsoft's security holes are not "story" any more. It's the 8-08-08, 8:08am time stamp of this post that clicked...

Hmmm (1)

blackjack13 (1340947) | more than 6 years ago | (#24523359)

Wasn't there an article, earlier this week, about an "i-9/11" event that would bring the iPatriot act in effect? I'm just saying...

Blogspam (1)

DaveV1.0 (203135) | more than 6 years ago | (#24523433)

It has no real information about the exploit. The article is a summary of a summary of a presentation given at BlackHat.

This is not news. News would be a decent summary of the actual presentation with an analysis of the exploit, technical detail, etc. This is just anti-MS blogspam.

Vista's Rendered Completely Useless (0)

Anonymous Coward | more than 6 years ago | (#24523447)

That's how I read it the first time. Scared me because I thought someone had tried installing it on a computer. That's a really unfair way to test Vista with all the different hardware configurations. The proper way to enjoy and appreciate all that Vista can do is a Microsoft commercial. Installing Vista is a waste of a perfectly good OS.

Not a real problem (5, Funny)

sjonke (457707) | more than 6 years ago | (#24523455)

Hackers will get so frustrated with the repeated, "Are you sure you want root privileges?" dialogs that they'll give up.

Dai Zovi is Completely Wrong (5, Informative)

awitod (453754) | more than 6 years ago | (#24523463)

From TFA....

"This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," said Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

Internet Explorer (or any Common Language Runtime host) is subject to .NET's Code Access Security model. Assemblies from untrusted locations, like the Internet Zone, get a very restricted set of permissions unless there is an explicit CAS policy in place to give said assemblies more permission via some form of evidence (usually a strong name or x.509 certificate).

Security is applied based on the caller, so you can't load an untrusted assembly and elevate its privileges by simply calling a method on a trusted component on the local machine. This is not enforced by IE (or any other host) but by the runtime itself. In order to get full trust you have to get a policy in place or somehow trick the host into thinking the source is a trusted location.

Given his completely false assertion that "Microsoft assumes they're safe because they're .NET objects", you should discount everything else he has to say because he clearly has no reservations about making strong assertions about things he doesn't understand.
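As an added illustration of the Code Access Security behaviour the comment above describes (example code written for this edit, not from the thread or from Microsoft; it assumes .NET Framework 4.x, since CAS was removed from .NET Core), a full-trust host loads its own Probe class into an AppDomain granted only the Internet-zone set, and the runtime's stack walk, not the host, refuses the file read:

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Runs inside the sandbox domain, so it holds only the Internet-zone grant set.
public class Probe : MarshalByRefObject
{
    public string TryRead(string path)
    {
        try
        {
            // File.ReadAllText demands FileIOPermission. The runtime's stack walk
            // sees this frame's grant set lacks it and throws; the host never decides.
            return "read " + File.ReadAllText(path).Length + " chars";
        }
        catch (SecurityException)
        {
            return "denied: FileIOPermission demand failed";
        }
    }
}

public static class Host
{
    public static string RunProbe(string path)
    {
        // Evidence stating that the code came from the Internet zone.
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
        // Standard grant set for that evidence: execution, UI, isolated storage,
        // no FileIOPermission. Only an explicit CAS policy keyed on evidence such
        // as a strong name or X.509 certificate would widen it; none is set here.
        PermissionSet internetGrant = SecurityManager.GetStandardSandbox(evidence);
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        // No fullTrustAssemblies listed: everything loaded in this domain is partial trust.
        AppDomain sandbox = AppDomain.CreateDomain("InternetSandbox", evidence, setup, internetGrant);
        try
        {
            var probe = (Probe)sandbox.CreateInstanceAndUnwrap(
                typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
            return probe.TryRead(path);   // executes in the sandbox, returns "denied: ..."
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Call Host.RunProbe with the path of any readable file from a full-trust console app: the sandboxed call returns the denied string while File.ReadAllText on the same path in the host itself succeeds.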

IT DOESNT JUST AFFECT VISTA (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24523539)

At least potentially. That's the whole point. I'm seeing a lot of comments saying this is just MS bashing or that "I have Firefox and Noscript, I'm safe" and so on.

You Are Missing The Point

The *entire* point to this being a problem is a *process* problem not a *code* problem. It is a methodology. Technically, it is actually patentable in the USA. The specifics on what you'll do to launch the attack will change based on the platform, but the actual attack *plan* remains the same.

In other words, this is a *design* flaw, and one that Microsoft is not alone in making.

I'm very interested in seeing the work on this. They're right in that it has the potential to change the entire playing field. Note, that's *potential* not a guarantee. At the moment we see attacks based on a specific code base. You go after one platform using one app and make a specific attack. Maybe you get lucky and more than one app has that vulnerability. Or maybe you design it to go after a specific OS because it handles code a certain way that leaves it vulnerable.

In both those situations, you have a short window before it gets patched once it's discovered what you are doing. That's where this all changes. This doesn't care what OS you are running nor what app you are using. There have even been a few viruses that can make the hop out of a VM box so combine the two and even people that use VMs to browse the web are vulnerable.

I bring that up because Microsoft is putting a lot of virtualization in Windows7. Who wants to bet that IE in Windows 7 runs in a VM to sandbox it?

Anyways, until we get the finite details play it safe. Do not just shrug this off. If it is what it promises, we're in for a heap of trouble until we can find a way to counter it. If it IS all that it promises that may mean a new OS is required (and this will be *great* for FOSS).

Hopefully you folks are right, and it's just hype. But this is a threat with some serious potential and it won't affect "just Vista boxes."

the other major flaw in vista... (0)

stoofa (524247) | more than 6 years ago | (#24523559)

...is the fact that it is possible to sneak malicious code onto a user's PC by hiding the code in the airflow behind a flying chair.

Neowin Plagiarists? (5, Interesting)

awitod (453754) | more than 6 years ago | (#24523645)

Too funny, not only is this article blog spam, it's plagiarised blog spam!

This comment is at the bottom of their board.

Guys: I couldn't find the editor contact info, but you've basically reposted our story from SearchSecurity.com without authorization: http://searchsecurity.techtarget.com/news/...1324395,00.html [techtarget.com] We'd like the excerpt removed immediately so we don't have to get the lawyers involved. Thank you. Eric Parizo Editor - SearchSecurity.com eparizo@techtarget.com

nice

In related news. (1)

dtml-try MyNick (453562) | more than 6 years ago | (#24523663)

Rumor has it that Microsoft just ordered a large batch of new office chairs.

Throw this in the bucket... (3, Funny)

east coast (590680) | more than 6 years ago | (#24523679)

Put it along side the 100% unbreakable DRMs that were defeated with a Sharpie marker.

Most secure Vista version... (1)

stewbacca (1033764) | more than 6 years ago | (#24523739)

...is the one without a connection to the Internet. Or at least that's the vision I get in my head, with the MS spin team out there touting the latest, most secure (doesn't go on the web) version of Vista. To address another issue raised in this thread, until this exploit hits other operating systems, then YES it is ONLY a Vista exploit (by definition).