funsec mailing list archives

Vista's Security Rendered Completely Useless by New Exploit


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 8 Aug 2008 08:20:04 -0400

http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit
 
This week at the Black Hat Security Conference, two security researchers will
discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) <http://www.iss.net/> and
Alexander Sotirov of VMware Inc. <http://www.vmware.com/> have discovered
a technique that can be used to bypass all memory protection safeguards that
Microsoft built into Windows Vista. These new methods have been used to get
around Vista's Address Space Layout Randomization (ASLR), Data Execution
Prevention (DEP) and other protections by loading malicious content through
an active web browser. The researchers were able to load whatever content
they wanted into any location they wished on a user's machine using a
variety of scripting languages, such as Java, ActiveX and even .NET objects.
This feat was achieved by taking advantage of the way that Internet Explorer
(and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say
that the work is a major breakthrough and there is very little that
Microsoft can do to fix the problems. These attacks work
differently than other security exploits, as they aren't based on any new
Windows vulnerabilities, but instead take advantage of the way Microsoft
chose to guard Vista's fundamental architecture. According to Dino Dai Zovi
<http://www.theta44.org/main.html>, a popular security researcher, "the
genius of this is that it's completely reusable. They have attacks that let
them load chosen content to a chosen location with chosen permissions.
That's completely game over."

According to Microsoft, many of the defenses added to Windows Vista (and
Windows Server 2008) were added to stop all host-based attacks. For example,
ASLR is meant to stop attackers from predicting key memory addresses by
randomly moving a process' stack, heap and libraries. While this technique
is very useful against memory corruption attacks, it would be rendered
useless against Dowd and Sotirov's new method. "This stuff just takes a
knife to a large part of the security mesh Microsoft built into Vista," said
Dai Zovi. "If you think about the fact that .NET loads DLLs into the browser
itself and then Microsoft assumes they're safe because they're .NET objects,
you see that Microsoft didn't think about the idea that these could be used
as stepping stones for other attacks. This is a real tour de force."

...
 
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.