Re: Vista's Security Rendered Completely Useless by New Exploit

The proof, but Warp 10 is not gonna like it:

http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html wrote:
'The sky isn't falling: a look at a new Vista security bypass'

By 'Peter Bright' (http://arstechnica.com/authors.ars/PeterB) |
Published: August 11, 2008 - 07:30AM CT

One of the papers presented at the 'Black Hat USA 2008'
(http://www.blackhat.com/) security conference was an analysis of a number
of the protection mechanisms built into Windows Vista and Windows Server
2008 that are designed to make it harder to convert software bugs into
security flaws. 'How to Impress Girls with Browser Memory Protection
Bypasses' (http://taossa.com/archive/bh08sotirovdowd.pdf), authored by
security researchers Mark Dowd at IBM and Alexander Sotirov at VMware,
presented a number of attacks against Vista's various security features
in isolation, and then attacks that could disable multiple protections
all together. Put together, the result is that Vista's mitigation
mechanisms are circumvented, making buggy software exploitable.

The security features being bypassed are all intended to minimize the
impact of 'buffer overflows'
(http://en.wikipedia.org/wiki/Buffer_overflow). Buffer overflows are a
particular kind of programming error that occur when a program attempts
to store too much data in the buffer allocated for the data. This causes
anything following the buffer to be overwritten. Buffer overflows are
exploitable when it's possible to insert arbitrary executable code into
a process and then make that code run. If an attacker can do this then
the attacker has gained the ability to do whatever he likes to the
victim's computer.

MITIGATING AGAINST BUFFER OVERFLOWS
This kind of flaw is quite a common one, especially in the programming
languages C and C++. Many high-profile software flaws have been of this
type, from the 'Morris worm' (http://en.wikipedia.org/wiki/Morris_worm)
of the 1980s to the 'Code Red worm'
(http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29) of 2001, and
more recently the 'animated cursor'
(http://arstechnica.com/journals/microsoft.ars/2007/03/30/new-animated-cursor-vulnerability-affects-vista-as-well)
vulnerability. Although there are languages that make such flaws
impossible—Java and .NET are both immune to such flaws—the
unfortunate reality is that a large proportion of the software that we
run (including our operating systems, web browsers, and browser plugins)
doesn't use these safe languages, and so is susceptible to this ancient
problem.

This is why Microsoft included a number of protection schemes in Vista
to try to reduce the exploitability of buffer overflows. Although the
operating system cannot prohibit such flaws (except by mandating the use
of Java and .NET), it can make it less likely that an overflow can lead
to arbitrary code execution. One of these protections was introduced in
Windows XP Service Pack 2; Microsoft calls it Data Execution Protection,
DEP. With DEP enabled each block of memory in a process must be
explicitly marked "executable" before the processor can run any
instructions stored in that block. This means that even if an attacker
can write arbitrary code into a process, the processor isn't able to run
that code. This effectively prevents any easy exploitation of buffer
overflows.

Unfortunately, security researchers are a clever lot; they discovered
ways by which DEP could be defeated, for example by passing control not
to their own executable code, but instead to one of the system DLLs
loaded into the process and getting that to do their dirty work. Vista
therefore introduced several mechanisms to try to reduce the impact of
these DEP bypasses. One of these is 'Address Space Layout Randomization'
(http://arstechnica.com/reviews/os/vista-under-the-hood.ars/2), which
randomly organizes the location of the system DLLs so that an attacker
no longer knows where they are. Vista also inserts extra checks into the
operating system code to detect that certain kinds of overflow have
occurred and crash the program (although crashing might seem a bad thing
to do, it's safer than continuing to run after a buffer overflow).

It is these extra mechanisms that the paper at Black Hat attacks. Dowd
and Sotirov describe several different techniques for bypassing Windows'
protections that can be used to reinstate the exploitability of buffer
overflows. One of the key mechanisms used is the fact that the
protections are not always applied. Internet Explorer 7 and Firefox 2
both opt out of DEP, and many third-party libraries such as the Flash
plugin opt out of ASLR (and other protection mechanisms). Plugins can
also do things that can deliberately defeat the OS's countermeasures;
Java, for example, marks all of its memory as executable, meaning that a
Java applet can place into memory executable code that's immune to DEP
protection. The final trick is to use scripting or plugins to fill large
amounts of memory with the malicious executable code, so that even when
ASLR is in effect, an attacker can still be sure that the malicious code
is where he needs it to be. Together, these techniques allow all of the
protections found in Vista to be defeated.

CHICKEN LITTLE RUNS AMOK
This is certainly unfortunate. The great thing about these protection
mechanisms is that they provided a degree of safety even when
applications contained bugs. That will no longer be the case, at least
for web browsers (programs that do not support third-party plugins (or
apply more stringent checks to those plugins) might continue to benefit
from the protections). Unfortunate, yes, but not—as was reported
in the immediate aftermath of the presentation—'evidence that
Vista's security is useless'
(http://www.theinquirer.net/gb/inquirer/news/2008/08/08/vista-security-rendered-usless),
nor does this work constitute a 'major security issue'
(http://www.macobserver.com/article/2008/08/08.8.shtml). And it's not
'game over'
(http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html),
either. Sensationalism sells, and there's no news like bad news, but
sometimes—particularly when covering security issues—it
would be nice to see accuracy and level-headedness instead. Alarmism
helps no one. Responsible vulnerability disclosure is a big concern in
the security industry; it would be good to see it coupled with
responsible reporting.

The work done by Dowd and Sotirov focuses on making buffer overflows
that were previously not exploitable on Vista exploitable. These are
buffer overflows that would be exploitable on Windows XP anyway; after
all, there's no need to defeat ASLR if an OS does not have ASLR at all.
Furthermore, these attacks are specifically on the buffer overflow
protections; they do not circumvent the 'IE Protected Mode'
(http://arstechnica.com/reviews/os/vista-under-the-hood.ars/2) sandbox,
nor Vista's (in)famous 'UAC'
(http://arstechnica.com/reviews/os/vista-under-the-hood.ars/1)
restrictions. DEP, ASLR, and the other mitigation features in Vista are
unlikely to ever be unbreakable, especially in an application like a web
browser that can run both scripts and plugins of an attacker's choosing.
Rather, their purpose is to make exploitation more difficult. Microsoft
has a solution for those wanting to make it impossible—use .NET.
These protections are there for when that's not an option, to
reduce—but not eliminate—the vulnerability caused by such
programming errors. Even with DEP and ASLR, the coding errors that
result in buffer overflows still ought to be fixed; it is only through
fixing the errors that the flaws can truly be eliminated.

Even with the attacks described in the paper, Vista has many worthwhile
security improvements compared to XP. Internet Explorer on Vista runs in
a highly restricted environment, so that even when it is running
malicious code it cannot harm the system. Stories suggesting that
Vista's security is now irredeemably broken are far off the mark; the
truth is merely that some of its automatic security protection is less
effective than it was before.

What Microsoft will do in response remains to be seen. Some of the
specific features of the attacks can be resolved by Microsoft
itself—preventing IE plugins from opting out of the protection
schemes, by improving the way that .NET interacts with the protection,
and by making Windows default to enabling all the protection
schemes—and others can be minimized by third parties—by
writing plugins that enable all the security mechanisms, by being
more careful with executable memory, and so on. Longer term, a switch to
64-bit programs might allow considerably more randomization to be
applied; while making large allocations is enough to fill up a 32-bit
program's memory (which allows attackers to defeat randomization) the
same is not true of 64-bit processes—they're simply too big.


'The sky isn't falling: a look at a new Vista security bypass'
(http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html)

For those too disinterested, I'll pull out the important part:

FURTHERMORE, THESE ATTACKS ARE SPECIFICALLY ON THE BUFFER OVERFLOW
PROTECTIONS; THEY DO NOT CIRCUMVENT THE IE PROTECTED MODE
(http://arstechnica.com/reviews/os/vista-under-the-hood.ars/2) SANDBOX,
NOR VISTA'S (IN)FAMOUS UAC
(http://arstechnica.com/reviews/os/vista-under-the-hood.ars/1)
RESTRICTIONS.

And finally, if you think Vista is ****, then why the heck are you
hanging around in a Vista newsgroup? At forums we call such folks
trolls - and ban them ASAP.


--
johngalt

<----- If you found my post meritable, show me!

Please do not contact me via PM or IM for help - post it in the forums so that others may benefit from solutions that may be found / offered.

*CPU:* Core 2 Quad 6600 G0 CPU @3.375 GHz
*Heatsink:* Tuniq Tower 120 LFB Cooler
*Motherboard:* eVGA 780i Motherboard
*PSU:* OCZ ModXStream 780W SLI Ready PSU
*Graphics Card:* eVGA 8800 GTS 512 KO edition GA
*RAM:* 2 X 2GB OCZ PC2-8000 ReaperX HPC RAM @ 500 MHz (1000 MHz Dual)
*HDs:* 2 X Seagate 500 GB 7200.11 RPM 32MB Cache HDs
*Optical:* SONY DRU-830A Dual Layer IDE DVD burner
*Extra:* Hauppauge WinTV 1800 HVR TV Tuner card with Remote
*Case:* ThermalTake Armour case
*Monitors:* Dual Acer X312Wbd 21.6" Widescreen Active Matrix TFT with 2500:1 DC

http://picasaweb.google.com/johnlgalt/TheBeast



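The quoted article's central observation is that Vista's mitigations only protect processes and modules that opt into them: IE7 and Firefox 2 ran without DEP, and plugins such as Flash shipped without ASLR. On Vista both opt-ins are recorded at link time in the PE optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR), so the first thing a practitioner does when triaging a browser plugin is read those two bits. The following is an added example written for this page, not code from the Ars Technica article, the newsgroup post, or the Dowd/Sotirov paper; header offsets follow the PE/COFF specification, and the sample images it inspects are constructed minimal headers, not real DLLs.

```python
"""Report whether a PE image opts into DEP and ASLR.

Vista enforces DEP only for processes that opt in (the client default is
OptIn) and randomizes only images linked with /DYNAMICBASE, so a module
lacking these header bits is exactly the "opted out" case the Black Hat
paper leaned on.  Offsets follow the PE/COFF spec; the SAMPLES below are
constructed headers, not real binaries.
"""
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B           # PE32 (32-bit image)
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B           # PE32+ (64-bit image)


def mitigation_flags(image: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header and return
    the mitigation opt-ins recorded in DllCharacteristics."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72 or len(image) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the Vista mitigations this image opts out of, in fixed order."""
    flags = mitigation_flags(image)
    return [name for name, key in (("DEP", "dep"), ("ASLR", "aslr")) if not flags[key]]


def build_header(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections, not loadable) so the parser
    can be exercised offline without a real Windows binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE sig right after DOS header
    machine = 0x8664 if pe32plus else 0x14C          # IMAGE_FILE_MACHINE_AMD64 / _I386
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)  # DLL image
    opt = bytearray(opt_size)
    magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples standing in for the situations the article describes.
SAMPLES = {
    # neither bit set: the plugin that opts out of both DEP and ASLR
    "plugin_opted_out.dll": build_header(0),
    # randomized but running without DEP
    "browser_aslr_only.exe": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    # 64-bit image opting into everything
    "hardened_x64.dll": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                     | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True),
}


def report(name: str, image: bytes) -> str:
    """One-line triage summary for an image."""
    flags = mitigation_flags(image)
    arch = "PE32+" if flags["pe32plus"] else "PE32"
    missing = missing_mitigations(image)
    status = "opts out of " + ", ".join(missing) if missing else "opts into DEP and ASLR"
    return f"{name}: {arch}, {status}"


if __name__ == "__main__":
    # Pass real .exe/.dll paths to inspect them; with no arguments, use the constructed samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        for name, image in SAMPLES.items():
            print(report(name, image))
```

The header bits are the linker-time opt-in and are what the Vista loader consults, but they are not the whole story: a process can also change its own DEP status at run time (SetProcessDEPPolicy exists from XP SP3 and Vista SP1 onwards), and ASLR for a module that lacks DYNAMIC_BASE stays off regardless of what the host process does. Treat a clean header as necessary, not sufficient, and confirm the live state in the running browser process.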