
Windows Vista Blown Open By Unstoppable Hack

by Gordon Kelly


Expect chairs to be flying over at Microsoft HQ about this...

Search Security reports that, during a charged presentation at the Black Hat hacking conference last week, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc revealed a fatal flaw in Windows Vista which potentially blows the OS wide open, and in such a way that it cannot be fixed.

Their method involves using scripting systems such as Java and elements of the .NET framework to run malicious code. This code attacks Vista's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) technologies, and allows the hackers to load any content they desire to any location on a user's machine.

"The genius of this is that it's completely reusable," said security specialist Dino Dai Zovi to Search Security. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over. What this means is that almost any vulnerability in the browser is trivially exploitable."

Naturally enough, the entry method of choice is Internet Explorer, but it is not limited to this. The approach can also potentially be applied to other operating systems such as Windows XP and Mac OS X.

Unsurprisingly, Microsoft has yet to comment on this as it no doubt takes a long hard look at Dowd and Sotirov's findings. Of course, these are likely to go public soon, so expect this to be a red hot topic over the coming months.

Feeling safe...?

via SearchSecurity.com


Wackywavinginflateablearmflail

August 11, 2008, 6:26 am

"Vista Blown Open By Unstoppable Hack"

Why am I not surprised..?

Ubuntu is looking pretty good lately...

Hans Gruber

August 11, 2008, 7:29 am

"Vista Blown Open By Unstoppable Hack"

Oops.

"The approach can also potentially be applied to other operating systems such as Windows XP and Mac OS X."

Oh no. Nevermind!

ilovethemonkeyhead

August 11, 2008, 12:42 pm

ouch...

I'm fast losing faith in Windows Vista now...

The Mighty Ben

August 11, 2008, 2:21 pm

Never leave your Windows open - a burglar might get in.

stephenallred

August 11, 2008, 2:37 pm

"The approach can also potentially be applied to other operating systems such as Windows XP and Mac OS X."

Mac OS X doesn't have a .NET virtual machine, and is a completely different design, with a different kernel and ecosystem to Windows, so I really doubt that claim. Shockingly, being a completely different operating system, OSX doesn't use either Vista's Address Space Layout Randomization (ASLR) (it uses randomization of some library offsets in 10.5 and above) or Data Execution Prevention (DEP) technologies. If, however, it is true, every BSD, and the Linux kernel and its derivatives, would be equally as vulnerable.

Gordon394

August 11, 2008, 2:56 pm

@Stephen - I believe the phrase "can also potentially be applied to" means just that. The full details have not been made public yet, but obviously it won't use .NET; best you hold off and wait for its publishing so you can make an informed verdict.

howiem

August 11, 2008, 5:55 pm

Why do these articles always seem to focus on the threat and not on the means of protection? In other words, what actions should Vista users be taking to mitigate the threat?

Gordon394

August 11, 2008, 6:55 pm

@howiem - for now the hint is in the title... nothing can be done.

RafflesNH

August 11, 2008, 9:23 pm

Is this the 'full details' you mention, Gordon?

http://taossa.com/archive/bh08... (53 pages) written 7th August.

The final paragraph in the authors' concluding statement reads:

"The authors expect these problems to be addressed in future releases of Windows and browser plugins shipped by third parties."

So not really the 'Unstoppable hack', surely?

howiem

August 11, 2008, 9:48 pm

Gordon, are you saying that firewalls, HIPS and other protection will not do anything?

Gordon394

August 11, 2008, 10:28 pm

@howiem, no idea at this stage - we're waiting for the full details to go public. Either way, it's worrying...

howiem

August 11, 2008, 10:35 pm

You might want to look at Ed Bott's article over at http://blogs.zdnet.com/Bott/?p...

dworvos

August 12, 2008, 4:00 am

@Stephen Allred

Data Execution Prevention (DEP) is a good thing if used correctly (which is supported at the hardware level by an XD bit); the fact that OS X doesn't use it makes me question the security of the OS. Security is based on the weakest link, so if there are no other avenues of attack, this one will remain open. Unfortunately, Apple does not go the route of Microsoft and disclose their bugs; Apple denies there are bugs in their OS and then fixes them quietly. Here's a site of someone who found a bug a day for a month in 2007. http://projects.info-pull.com/...

Hans Gruber

August 12, 2008, 10:28 pm

Alex Sotirov responds to Ed Bott's ZDNet blog: "Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.

Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won't take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed."

Just a storm in a tea cup then? http://blogs.zdnet.com/Bott/?p...

stephenallred

August 13, 2008, 3:37 am

@dworvos

Did I say OSX didn't use the No eXecute (or eXecute Disable, as Intel have decided to market it) bit? No. I said OSX doesn't use Vista's (and by that token XP's) implementation of it, which Microsoft have helpfully dubbed DEP (which, you may like to note, is by default only active on essential OS processes).

You think Microsoft discloses its bugs? More fool you. As for the bug a day for a month, that's 31 bugs in a modern OS. That's really not surprising.

Chani Tough

August 13, 2008, 2:21 pm

Windows are a pane
