Coffeehouse Thread

53 posts

Vista's Security Rendered Completely Useless By New Exploit

  • evildictaitor

    stevo_ said:
    Sven Groot said:
    *snip*
    Alright, makes sense.. surely it's possible to write a modular unmanaged process where the hardware manages the memory access rights of each "module"? Or is the smallest unit of hardware security guarantee a Windows process?
    It's do-able (the OS does this to stop some badprogram.exe from writing all over the kernel memory), but it slows everything down and gets all kind-of-icky.

    It makes more sense for IE to drop support for native plugins and force adoption of a language where memory and permissions are formalized in the language.

    Now if only someone would get around to making one like that. I'd call it D-flat or something...

  • Bas

    littleguru said:
    Sven Groot said:
    *snip*
    Why don't I expect IE8 to ship with support for .NET addins... hmmm...
    Because each version of IE only ships with one feature that people want? :P

    Tabs in IE7, standards support in IE8... I guess IE9 will get a proper JavaScript engine, and then maybe .NET support is on the list for IE10. :P

  • littleguru

    Bas said:
    littleguru said:
    *snip*
    Because each version of IE only ships with one feature that people want? :P

    Tabs in IE7, standards support in IE8... I guess IE9 will get a proper JavaScript engine, and then maybe .NET support is on the list for IE10. :P
    Oh, IE8 will have a proper JavaScript engine... at least that's what we got told in public ;)

  • stevo_

    littleguru said:
    Bas said:
    *snip*
    Oh, IE8 will have a proper JavaScript engine... at least that's what we got told in public ;)
    They said that at MIX? I think they posted some honest figures that said they made some progress.. still slower than the rest from what I saw.. anyway, I'm baggsying a better download manager for IE11.. you heard it here.

  • littleguru

    stevo_ said:
    littleguru said:
    *snip*
    They said that at MIX? I think they posted some honest figures that said they made some progress.. still slower than the rest from what I saw.. anyway, I'm baggsying a better download manager for IE11.. you heard it here.
    Well, I expect the JavaScript engine to be top when IE8 gets released. It's still beta and they made progress - therefore I consider that the IE team focuses on that to get a proper experience for RTM. But this is my own opinion, I haven't spoken with the IE team at all.

  • Bas

    stevo_ said:
    littleguru said:
    *snip*
    They said that at MIX? I think they posted some honest figures that said they made some progress.. still slower than the rest from what I saw.. anyway, I'm baggsying a better download manager for IE11.. you heard it here.
    That's what I got out of it too, really. Some improvements in the JS engine, but Firefox's (also beta) engine was still running circles around it.

    But I think a download manager is actually more likely than .NET support. So I guess that's going in IE10, and .NET support in 11. Cool, maybe I'll be able to write IE plugins before I retire.

  • BHpaddock

    mVPstar said:
    blowdart said:
    *snip*
    So, basically, it's because the plugins themselves haven't been coded right that these attacks can be carried out? (Sorry, the paper won't load for me.)
    The reason Vista was targeted:

    This paper is about theoretical ways to circumvent memory protection schemes like ASLR, DEP/NX, SafeSEH, etc.

    Vista is the only mainstream OS that makes effective use of all these technologies.  Certainly other OSes with similar protection models could be attacked in similar ways.  The reason this paper wouldn't make sense against Apple is that Apple doesn't even have most of these protection schemes, and so these techniques are unnecessary.  That alone should scare the crap out of Mac users.

    This does not expose any particular buffer overflows in IE or Windows. First you need to find one of those, in the right place, with the right things on the stack, and then hope that one of these theories works out in your situation.

    Second, you need to target something with DEP / NX turned off, which unfortunately includes IE right now (but that is being worked on).

    Third, the paper mainly talks about using plug-ins like Flash and the Java VM to overcome the browser's defenses.  These plugins are insecure on all platforms, and they REALLY need to be fixed.

    Fourth, nothing in this paper even mentioned Protected Mode IE or UAC, and there is absolutely no claim about privilege escalation - meaning that any attacks against IE using these mechanisms are very limited in what they can achieve.

    What it boils down to is a lot of food for thought for those working on Windows security going forward, and I'm sure that many of the concerns here have been known (while perhaps others have not).

    The actionable results of this paper are:

    1) Adobe needs to get off their asses and fix Flash so it supports DEP, ASLR, and doesn't make so many stupid security mistakes.
    2) Sun needs to do the same.
    3) Microsoft needs to look at the manipulated .NET PE header proposed in the paper and block that sort of attack.

    Which of these do you think will happen first?  I know where my money is...

  • littleguru

    BHpaddock said:
    mVPstar said:
    *snip*
    The reason Vista was targeted:

    This paper is about theoretical ways to circumvent memory protection schemes like ASLR, DEP/NX, SafeSEH, etc.

    Vista is the only mainstream OS that makes effective use of all these technologies.  Certainly other OSes with similar protection models could be attacked in similar ways.  The reason this paper wouldn't make sense against Apple is that Apple doesn't even have most of these protection schemes, and so these techniques are unnecessary.  That alone should scare the crap out of Mac users.

    This does not expose any particular buffer overflows in IE or Windows. First you need to find one of those, in the right place, with the right things on the stack, and then hope that one of these theories works out in your situation.

    Second, you need to target something with DEP / NX turned off, which unfortunately includes IE right now (but that is being worked on).

    Third, the paper mainly talks about using plug-ins like Flash and the Java VM to overcome the browser's defenses.  These plugins are insecure on all platforms, and they REALLY need to be fixed.

    Fourth, nothing in this paper even mentioned Protected Mode IE or UAC, and there is absolutely no claim about privilege escalation - meaning that any attacks against IE using these mechanisms are very limited in what they can achieve.

    What it boils down to is a lot of food for thought for those working on Windows security going forward, and I'm sure that many of the concerns here have been known (while perhaps others have not).

    The actionable results of this paper are:

    1) Adobe needs to get off their asses and fix Flash so it supports DEP, ASLR, and doesn't make so many stupid security mistakes.
    2) Sun needs to do the same.
    3) Microsoft needs to look at the manipulated .NET PE header proposed in the paper and block that sort of attack.

    Which of these do you think will happen first?  I know where my money is...

    Hah! Well said... I really wonder when/if the Java VM problem is going to be fixed... lucky me, I don't have it installed.

  • blowdart

    mVPstar said:
    blowdart said:
    *snip*
    So, basically, it's because the plugins themselves haven't been coded right that these attacks can be carried out? (Sorry, the paper won't load for me.)
    And because IE is excluded from DEP by default, because that would have broken a shed load of shoddy plugins.

  • matthews

    blowdart said:
    An interesting analysis

    One of the key mechanisms used is the fact that the protections are not always applied. Internet Explorer 7 and Firefox 2 both opt out of DEP, and many third-party libraries such as the Flash plugin opt out of ASLR (and other protection mechanisms). Plugins can also do things that can deliberately defeat the OS's countermeasures; Java, for example, marks all of its memory as executable, meaning that a Java applet can place into memory executable code that's immune to DEP protection. The final trick is to use scripting or plugins to fill large amounts of memory with the malicious executable code, so that even when ASLR is in effect, an attacker can still be sure that the malicious code is where he needs it to be. Together, these techniques allow all of the protections found in Vista to be defeated.

    So two open source ("Many eyes make it more secure") applications opt out of DEP. Naughty. (Oh and under Vista you can turn DEP on for IE - I have it set that way)

    I tried enabling DEP in IE7, but the strangest thing happened: every time I visited a site with a Java applet (which isn't too common, but often enough) DEP would shut down IE complaining of a breach.
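The "opting out" that blowdart's quoted analysis and BHpaddock's point 3 describe is visible in a module's PE optional header: a DLL or EXE declares ASLR and DEP compatibility through two DllCharacteristics bits, and a plugin lacking them is the kind the thread is complaining about. The following is an added example, not code from the thread or from Microsoft, that reads those bits from a PE image; the sample images are constructed header-only stubs (not loadable binaries) and the file names are made up.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # relocatable image: eligible for ASLR
NX_COMPAT = 0x0100     # image declares DEP/NX compatibility

def pe_mitigation_flags(image: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report ASLR/DEP opt-in."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20           # 20-byte COFF header precedes the optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):   # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at optional-header offset 0x46 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 0x46)
    return {"aslr": bool(dll_chars & DYNAMIC_BASE),
            "dep": bool(dll_chars & NX_COMPAT), "raw": dll_chars}

def missing_mitigations(image: bytes) -> list:
    """Names of the opt-in mitigations this image does NOT declare."""
    flags = pe_mitigation_flags(image)
    return [name for name in ("aslr", "dep") if not flags[name]]

def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (not loadable), used only as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    # Hypothetical plugin names; the first opts out of both mitigations like the
    # plugins discussed above, the second declares both.
    samples = {
        "legacy_plugin.dll": build_minimal_pe(0),
        "hardened_plugin.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT, pe32plus=True),
    }
    for name, image in samples.items():
        gaps = missing_mitigations(image)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

On a real system you would pass the bytes of an actual DLL from a browser's plugin directory to `pe_mitigation_flags`; an EXE without NX_COMPAT is exactly what leaves a process running without DEP under Vista's default opt-in policy.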

  • PaoloM

    matthews said:
    blowdart said:
    *snip*
    I tried enabling DEP in IE7, but the strangest thing happened: every time I visited a site with a Java applet (which isn't too common, but often enough) DEP would shut down IE complaining of a breach.
    QED :)

  • BHpaddock

    matthews said:
    blowdart said:
    *snip*
    I tried enabling DEP in IE7, but the strangest thing happened: every time I visited a site with a Java applet (which isn't too common, but often enough) DEP would shut down IE complaining of a breach.
    Did you try the very latest version of the Java VM?

  • littleguru

    PaoloM said:
    matthews said:
    *snip*
    QED :)

    Haha :)

  • matthews

    BHpaddock said:
    matthews said:
    *snip*
    Did you try the very latest version of the Java VM?
    I should have the latest JDK, so I'd assume with that would come the latest JVM.

  • bjd223

    You're right Microsoft -- a huge corporation with 70,000 employees, billions of dollars, and 90%+ market share will just give up when and if this elaborate security breach is released.

    Or they will just do their best to fix it as quickly as possible, and if needed lean on other vendors to do the same.

    What I think is funny is that most of what is allowing this is not even Microsoft code. Now that you mention it, Microsoft should fix this by going completely closed, like Apple. Sweet, our unlimited software choices went down to like -4 titles. But they sure are secure titles.

    Or they could go the Linux route, open source style, and go in the completely different direction, and give away millions in profits for its shareholders. I'm pretty sure that motion will get denied.

    Many other operating systems do not even have many of these technologies to bypass, which is awesome. If you would get off your high horse for 5 minutes you would realize that other people do in fact exist, and some of them may prefer something that is not Linux. And not because they haven't heard about it, but because they are smart enough to realize that *nix is not for everyone. Wait, it's my choice if I want to pay for something that I think will suit my needs better than something that is free?

    Sure Grandma, just open the console and use the sudo command to edit the ini file. Yeah, it will work, wait... what's a sudo? Ohh Grandma, c'mon!

  • magicalclick

    Nah, probably the same exploit first introduced by hacking a Mac in three minutes.

    Edit: oh sorry, it was in 2 minutes, my bad.

    http://www.infoworld.com/article/08/03/27/Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • littleguru

    bjd223 said:

    You're right Microsoft -- a huge corporation with 70,000 employees, billions of dollars, and 90%+ market share will just give up when and if this elaborate security breach is released.

    Or they will just do their best to fix it as quickly as possible, and if needed lean on other vendors to do the same.

    What I think is funny is that most of what is allowing this is not even Microsoft code. Now that you mention it, Microsoft should fix this by going completely closed, like Apple. Sweet, our unlimited software choices went down to like -4 titles. But they sure are secure titles.

    Or they could go the Linux route, open source style, and go in the completely different direction, and give away millions in profits for its shareholders. I'm pretty sure that motion will get denied.

    Many other operating systems do not even have many of these technologies to bypass, which is awesome. If you would get off your high horse for 5 minutes you would realize that other people do in fact exist, and some of them may prefer something that is not Linux. And not because they haven't heard about it, but because they are smart enough to realize that *nix is not for everyone. Wait, it's my choice if I want to pay for something that I think will suit my needs better than something that is free?

    Sure Grandma, just open the console and use the sudo command to edit the ini file. Yeah, it will work, wait... what's a sudo? Ohh Grandma, c'mon!

    I'm sure people are working on getting this fixed :) It's quite old now.
