  1. #1
    Join Date
    May 2005
    Location
    melbourne
    Posts
    32

    ‘unfixable’ Vista exploit

    I read this this morning and thought others should know. Sounds very serious...

    Vista ‘security’ rendered completely useless by new ‘unfixable’ exploit

    Full article here: http://www.neowin.net/news/main/08/0...by-new-exploit

    "This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees," Jason Kelley reports for Neowin.net.

    "Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System," Kelley reports.

    "While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, 'the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.'"

    Kelley reports, "'This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,' said Dai Zovi to SearchSecurity.com. 'If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.'"

  3. #2
    Join Date
    Sep 2007
    Location
    Central Victoria, Australia
    Age
    64
    Posts
    764


    Did you read the comments which followed the article? The exploit is claimed, but not yet demonstrated or tested.

    I'm not saying it CAN'T be true, but the three variables which make me doubt it are the lack of detail around UAC (user account control), browser isolation, and chip-level memory management.

    I'll post Microsoft responses as soon as they are available.
    ... as long as the government is perceived as working for the benefit of children, the people will happily endure almost any curtailment of liberty and almost any deprivation. (A.Hitler)

  4. #3
    Join Date
    Dec 2004
    Location
    Northern Rivers NSW
    Age
    57
    Posts
    2,837


    Yep

    I was never that happy with the Address space layout randomisation (ASLR) or the data extraction prevention (DEP). Much prefer the Case replication Address Protocols (CRAP) and Performance Orientation Octagonisation (POO).



  5. #4
    Join Date
    Dec 2005
    Location
    Canberra
    Posts
    3,260


    There were much more interesting talks at that conference, like:
    How To Impress Girls With Browser Memory Protection Bypasses


    And on Vista related matters, how about that even though XP is no longer sold...
    XP is still killing Vista in sales volume: HP

  6. #5
    Join Date
    May 2005
    Location
    melbourne
    Posts
    32

    reputations on the line

    I hear what you are saying, Ron, but when Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. put their professional reputation on the line with such an announcement, at this stage, I am more inclined to believe them.

    Not only is their own professional reputation on the line but so is IBM’s and VMware’s corporate reputation on the line. IBM is too big and important to take such risks. VMware, while not so big, it’s the same for them. Corporate Identity is too massively important for a business to risk with unsubstantiated innuendo and rumour.

    In the meantime I will assume the integrity of the comments until otherwise stated.

  7. #6
    Join Date
    Sep 2007
    Location
    Central Victoria, Australia
    Age
    64
    Posts
    764


    There are two ways you could handle reading an article like this.

    First, you could run around doing a Chicken Little impersonation, so popular with the Anything But Microsoft crowd, shouting "The sky is falling! Vista is destroyed!".

    Second, you could wait until the paper has actually been presented and informed commentary is available.

    Your first choice is nothing but rumour and speculation. Somewhat typical of the ABMs.

    Do you ever do any woodworking, or are you just here on some crazy computer jihad?

  8. #7
    Join Date
    Sep 2007
    Location
    Central Victoria, Australia
    Age
    64
    Posts
    764


    Here is an objective analysis of the paper:

    http://arstechnica.com/news.ars/post...ty-bypass.html

    My Chicken Little comment wasn't the only one.

    I'm still waiting on a detailed response from the Microsoft team, but I think it is fair to say that there is nothing alarming here.
