Vista's Security Rendered Completely Useless By New Exploit

Bas said:

littleguru said:

*snip*

Because each version of IE only ships with one feature that people want?

Tabs in IE7, standards support in IE8... I guess IE9 will get a proper javascript engine, and then maybe .NET support is on the list for IE10.

Oh IE8 will have a proper javascript engine... at least that's what we got told in the public

stevo_ said:

littleguru said:

*snip*

They said that at mix? I think, they posted some honest figures that said they made some progress.. still slower than the rest from what I saw.. anyway I'm baggsying a better download manager for IE11.. you heard it here.

Well, I expect the JavaScript engine to be top when IE8 gets released. It's still beta and they made progress - therefore I consider that the IE team focuses on that to get a proper experience for RTM. But this is my own opinion, I haven't spoken with the IE team at all.

mVPstar said:

blowdart said:

*snip*

So, basically, it's because the plugins themselves haven't been coded right that these attacks can be carried out? (sorry, the paper wont load for me)

The reason Vista was targetted:

This paper is about theoretical ways to circumvent memory protection schemes like ASLR, DEP/NX, SafeSEH, etc.

Vista is the only mainstream OS that makes effective use of all these technologies.  Certainly other OSes with similar protection models could be attacked in similar ways.  The reason this paper wouldn't make sense against Apple is that Apple doesn't even have most of these protection schemes, and so these techniques are unnecessary.  That alone should scare the crap out of Mac users.

This does not expose any particular buffer overflows in IE or Windows.  First you need to find one of those, in the right place, with the right things on the stack, and then hope that one of these theories work out in your situation.

Second, you need to target something with DEP / NX turned off, which unfortunately includes IE right now (but that is being worked on).

Third, the paper mainly talks about using plug-ins like Flash and the Java VM to overcome the browser's defenses.  These plugins are insecure on all platforms, and they REALLY need to be fixed.

Fourth, nothing in this paper even mentioned Protected Mode IE or UAC, and there is absolutely no claim about privilege escalation - meaning that any attacks against IE using these mechanisms is very limited in what it can achieve.

What it boils down to is a lot of food for thought for those working on Windows security going forward, and I'm sure that many of the concerns here have been known (while perhaps others have not).

The actionable results of this paper are:

1) Adobe needs to get off their asses and fix Flash so it supports DEP, ASLR, and doesn't make so many stupid security mistakes.
2) Sun needs to do the same.
3) Microsoft needs to look at the manipulated .NET PE header proposed in the paper and block that sort of attack.

Which of these do you think will happen first?  I know where my money is...

BHpaddock said:

mVPstar said:

*snip*

The reason Vista was targetted:

This paper is about theoretical ways to circumvent memory protection schemes like ASLR, DEP/NX, SafeSEH, etc.

Vista is the only mainstream OS that makes effective use of all these technologies.  Certainly other OSes with similar protection models could be attacked in similar ways.  The reason this paper wouldn't make sense against Apple is that Apple doesn't even have most of these protection schemes, and so these techniques are unnecessary.  That alone should scare the crap out of Mac users.

This does not expose any particular buffer overflows in IE or Windows.  First you need to find one of those, in the right place, with the right things on the stack, and then hope that one of these theories work out in your situation.

Second, you need to target something with DEP / NX turned off, which unfortunately includes IE right now (but that is being worked on).

Third, the paper mainly talks about using plug-ins like Flash and the Java VM to overcome the browser's defenses.  These plugins are insecure on all platforms, and they REALLY need to be fixed.

Fourth, nothing in this paper even mentioned Protected Mode IE or UAC, and there is absolutely no claim about privilege escalation - meaning that any attacks against IE using these mechanisms is very limited in what it can achieve.

What it boils down to is a lot of food for thought for those working on Windows security going forward, and I'm sure that many of the concerns here have been known (while perhaps others have not).

The actionable results of this paper are:

1) Adobe needs to get off their asses and fix Flash so it supports DEP, ASLR, and doesn't make so many stupid security mistakes.
2) Sun needs to do the same.
3) Microsoft needs to look at the manipulated .NET PE header proposed in the paper and block that sort of attack.

Which of these do you think will happen first?  I know where my money is...

mVPstar said:

blowdart said:

*snip*

So, basically, it's because the plugins themselves haven't been coded right that these attacks can be carried out? (sorry, the paper wont load for me)

And because IE is excluded from DEP by default because that would have broken a shed load of shoddy plugins

matthews said:

blowdart said:

*snip*

I tried enabling DEP in IE7, but the strangest thing happened: every time I visited a site with a java applet (which isn't too common, but often enough) DEP would shut down IE complaining of a breach.

Did you try the very latest version of the Java VM?

PaoloM said:

matthews said:

*snip*

QED

Haha

bjd223 said:

You're right Microsoft -- a huge corporation with 70,000 employees, billions of dollars, and 90%+ market share will just give up when and if this elaborate security breach is released.

Or they will just do their best to fix it as quickly as possible, and if needed lean on other vendors to do the same.

What I think is funny, is that most of what is allowing this is not even Microsoft code. Now that you mention it Microsoft should fix this by going completely closed based, like Apple. Sweet our unlimited software choices went down to like -4 titles. But they sure are secure titles.

Or they could go the Linux route, open source style, and go the completely different direction, and give away millions in profits for its share holders, I'm pretty sure that motion will get denied.

Many other operating systems do not even have many of these technologies to bypass, which is awesome. If you would get off your high horse for 5 minutes to realize that other people do in fact exist, and some of them may prefer something that is not Linux. And not because they haven’t heard about it, but because they are smart enough to realize that *nix is not for everyone. Wait it’s my choice if I want to pay for something that I think will suit my needs better than something that is free?

Sure Grandma, just open the Console and use the sudo command to edit the ini file. Yeah it will work, wait...what’s a sudo? Ohh Grandma cmon!

I'm sure people are working on getting this fixed It's quite old now.