A new attack method may render Vista’s security useless. May also work on other platforms.

If this article at SearchSecurity.com is correct, then Vista’s security system has been rendered moot for folks who insist on using Internet Explorer:

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.

“The genius of this is that it’s completely reusable,” said Dino Dai Zovi, a well-known security researcher and author. “They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.

“What this means is that almost any vulnerability in the browser is trivially exploitable,” Dai Zovi added. “A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks.”

I doubt that there’s truly little Microsoft can do about the problem, but the solutions involved might be unpalatable to their business goals (e.g. drop ActiveX altogether). The attack appears to rely on Internet Explorer specifically so one possible solution for Vista users is to switch to a different browser such as Firefox or Safari. Which, really, they probably should do anyway.

What’s more interesting is the conclusion of the article:

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.

“This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,” Dai Zovi said. “I definitely think this will get reused soon, sort of like heap spraying was.”

Unless those other platforms are running Internet Explorer and ActiveX I’m not sure how they’d be vulnerable, but then the article doesn’t go into great detail on exactly what the hack involves. Microsoft has said they’re aware of the presentation and are interested in looking at it more closely once it’s made public.

12 thoughts on “A new attack method may render Vista’s security useless. May also work on other platforms.”

  1. Yeah.  I basically use Firefox for all my web browsing.  But if this other platforms (and by platforms, I mean OSs) thing is true, then Mac and Linux owners may be feeling the same heat Windows owners have been feeling.

  2. I can’t figure out how MS can justify keeping ActiveX; it has a rich history of being a security hole and it isn’t really necessary.  There are more secure ways to do things than to use ActiveX.

    The only reason I can see for keeping ActiveX is to keep a lock on MSIE, which is a piss poor reason to expose users to security vulnerabilities.

  3. … then Mac and Linux owners may be feeling the same heat Windows owners have been feeling.

    The biggest difference is that Firefox and other open source browsers are patched much faster than IE after a significant security issue is discovered.

  4. Pick one or more reasons:

    1.  It comes with Windows

    2.  It is the “Internet button”

    3.  It is what they use at work

    4.  Firefox is too hard   /whine

    4.  Corporations set IE as their standard supported browser

    5.  Many corporations use web applications that need ActiveX

    6.  Some web sites just won’t work with anything other than IE (these are getting to be less common)

  5. Les:

    You pretty much answered your own end question during your quotation from the article. The gaping holes in question for other platforms? Java and scripting. Both are used extensively outside of Windows environments as well.

    Linux, BSD, Unix and OSX all rely heavily on scripting, even if OSX covers it up with shiny graphics :)

    I know for a fact that all of the major operating systems use or rely on some form of ASLR and hardware DEP as well.

    There you have just about everything mentioned as being parts of the issue, with the exception of ActiveX, .NET and IE.

    There are similar things in the OSS world though…the Mono project for instance…

    It is quite easy to make this kind of error in design though. They mentioned in the article that .NET will load .DLL files into IE for example, and the default behavior of Windows is to treat .NET objects as “trusted”. JAVA will also load objects into a browser in a similar manner, and is similarly trusted by the operating system because JAVA itself is “signed” code.

    The designers didn’t account for or didn’t realize the security risk for this type of behavior, which is found in all operating systems: something that is loaded by a “System” level program or process is given a free pass by default (you can, however, specify certain behaviors using ACLs or similar).

    It would be tough to place blame on any of the teams at MS on this one – as the operating system is working like it is supposed to, and so is the combination of programs involved. It’s not the fault of any individual program; the issue is what happens when the capabilities of certain types of programs, and the ways they handle things, are combined together.

    One of the few obvious ways to fix this is to kill off .NET, JAVA, etc access to any web browsers, but that kind of defeats the purpose of even having any of them and that would kind of set the entire internet, etc back to the mid-1990’s dark-ages if that were to happen (Think banks, etc who use a combination of JS, JAVA and .NET for their online banking sites for instance).
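The “free pass” the comment above describes has a concrete, checkable side on Vista: ASLR and hardware DEP are opt-in per module, signalled by two bits in a PE image’s DllCharacteristics field, so a module that a browser pulls into its address space without the ASLR bit keeps its preferred load address whatever the host process does. The following script is an added editorial example, not code from the post, the article, or the researchers it discusses. It parses that field from a PE32 or PE32+ header and reports which modules in a set lack either opt-in, the kind of audit a defender runs over the DLLs a browser process actually loads. The PE headers it examines are synthetic, built inline for the example; `mitigation_flags`, `find_unprotected` and the other function names are my own.

```python
import struct

# Bits of the PE optional header's DllCharacteristics field (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares compatibility with hardware DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32/PE32+ image; raise ValueError if malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header follows the signature
    opt = coff + 20                           # optional header follows the COFF header
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+ layouts.
    if opt + 72 > len(image):
        raise ValueError("headers truncated")
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_flags(image: bytes) -> dict:
    """Report whether the image opts in to ASLR and declares DEP compatibility."""
    dc = dll_characteristics(image)
    return {"aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def find_unprotected(modules: dict) -> list:
    """Names of modules (name -> image bytes) that lack either opt-in, in input order."""
    weak = []
    for name, image in modules.items():
        flags = mitigation_flags(image)
        if not (flags["aslr"] and flags["dep"]):
            weak.append(name)
    return weak


def build_synthetic_image(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal synthetic PE header (headers only, not a loadable binary) for testing."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224       # standard optional header sizes
    machine = 0x8664 if pe32plus else 0x14C    # AMD64 / i386
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample set: both opt-ins, DEP only, and neither (64-bit).
    sample = {
        "browser_host.dll": build_synthetic_image(0x0140),
        "legacy_plugin.dll": build_synthetic_image(0x0100),
        "old_runtime64.dll": build_synthetic_image(0x0000, pe32plus=True),
    }
    for name, image in sample.items():
        print(name, mitigation_flags(image))
    print("modules lacking ASLR or DEP opt-in:", find_unprotected(sample))
```

To use it against real files, read each module the browser loads with `open(path, "rb").read()` and pass the bytes in; any module the report lists is one whose protection does not depend on the browser at all, which is exactly the per-module gap the discussion above turns on.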

  6. I browse with JAVA turned off on my browsers (Firefox and Opera) and it very seldom causes a problem.  The only site I regularly use that needs JAVA is my credit union’s site.  I generally allow javascript, but I don’t consider it to be much of a risk; more of a potential annoyance, and it is certainly nowhere near as dangerous as ActiveX.

  7. Yes zilch, I use IE. But only to print web pages. Firefox fails miserably at printing most of the pages.

    you wrote:

    What I don’t understand (as a computer dummy) is why anyone is using IE at all?

  8. Thanks for your answers.  Itdontmatter:
    1-4 I understand, but if a dummy like me can do Firefox, then anyone who can’t should probably not be allowed to use a computer or vote.

    5- I guess I don’t need ActiveX.
    6- I have yet to come across a web page that didn’t work with Firefox, but perhaps I’m just not well-traveled.

    Obi- I don’t print much from the internet, but what I’ve done so far has all worked with Firefox.  Again, that probably just shows how humble my needs are…

  9. Zilch:

    don’t get me wrong. Firefox is probably the best browser around (depends on what you want to do).

    But even the latest version has problems with printing web pages. IE does not. So I browse using Firefox and when I need to print something, I fire up IE, copy and paste the URL into IE etc.

    I wonder what I shall be doing when I’ve moved to Linux, BSD or OS-X, which I think will be inevitable in the long run, considering the outlook at M$.

    I like to print stuff out and then read it on the tram or train or wherever I am moving.

  10. Huh, I’ve not had any problems printing webpages from Firefox and I do it often.

    Though admittedly it’s mostly maps from Google Maps.

  11. zilch, Internet pages that don’t work with Firefox are now quite rare, although there are still quite a few incompatible pages on corporate intranets.  There is a Firefox plugin called ‘IE Tab’ that allows you to open a page in Firefox using the IE engine, which is useful if you come across an incompatible site.  I just noticed that there is a 4 and another 4 on the list—oops.

    I also don’t recall running into printing problems using Firefox.
