Linked by Thom Holwerda on Thu 25th Mar 2010 22:20 UTC
Privacy, Security, Encryption

It's that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don't read too much into that one, please).
Windows 7 secure? Ha!
by abraxas on Thu 25th Mar 2010 22:52 UTC
abraxas
Member since:
2005-07-07

Thom, this just goes to show you that you were wrong as ever when you said DEP and ASLR were never cracked. I know I pointed out before that this was not the case but now we have new exploit techniques that do not rely on third party code. It just goes to show that nothing is really secure. I don't doubt that we will see the same results year after year.

Reply Score: 5

RE: Windows 7 secure? Ha!
by Thom_Holwerda on Thu 25th Mar 2010 22:53 UTC in reply to "Windows 7 secure? Ha!"
Thom_Holwerda Member since:
2005-06-29

Thom, this just goes to show you that you were wrong as ever when you said DEP and ASLR were never cracked.


Back then, they were indeed not yet cracked.

This is now.

That's not rocket science.

Reply Score: 2

RE[2]: Windows 7 secure? Ha!
by abraxas on Thu 25th Mar 2010 22:55 UTC in reply to "RE: Windows 7 secure? Ha!"
abraxas Member since:
2005-07-07

Did you even read the article or anything I posted this time or last time? Both had been cracked for a while now. The new technique just doesn't require a third party app like flash or java.

Reply Score: 8

RE[2]: Windows 7 secure? Ha!
by mnem0 on Fri 26th Mar 2010 08:39 UTC in reply to "RE: Windows 7 secure? Ha!"
RE[3]: Windows 7 secure? Ha!
by Thom_Holwerda on Fri 26th Mar 2010 10:04 UTC in reply to "RE[2]: Windows 7 secure? Ha!"
Thom_Holwerda Member since:
2005-06-29

A lot of people, including Thom unfortunately, keep buying into and repeating the hype instead of reviewing what's _actually_ there.


Ah, we're back to the pro-Microsoft accusations. I guess we got tired of the OSS-zealot accusations.

Edited 2010-03-26 10:04 UTC

Reply Score: 1

RE[4]: Windows 7 secure? Ha!
by abraxas on Fri 26th Mar 2010 11:02 UTC in reply to "RE[3]: Windows 7 secure? Ha!"
abraxas Member since:
2005-07-07

Ah, we're back to the pro-Microsoft accusations. I guess we got tired of the OSS-zealot accusations.


If it makes you feel any better Thom I don't think you're a Microsoft zealot, I just think you're wrong. ;)

Reply Score: 3

RE[5]: Windows 7 secure? Ha!
by FrankenFuss on Fri 26th Mar 2010 16:18 UTC in reply to "RE[4]: Windows 7 secure? Ha!"
FrankenFuss Member since:
2009-08-05

If it makes you feel any better Thom I don't think you're a Microsoft zealot, I just think you're wrong. ;)


Ah...abraxas...FTW!

Edited 2010-03-26 16:18 UTC

Reply Score: 1

RE: Windows 7 secure? Ha!
by ephracis on Thu 25th Mar 2010 23:25 UTC in reply to "Windows 7 secure? Ha!"
ephracis Member since:
2007-09-23

*I* even managed to bust the ASLR on Vista (and Win7). It was as easy as finding a register that you could use to calculate the offset in memory. I believe that the implementation in Vista has been documented in "Hacking Exposed" or maybe it was "The Shellcoder's Handbook". Anyway, use the same principle and you bust ASLR in Win7.

And *I* am not even that good... just read a few books and copy-pasted some code just to try it, basically. I wouldn't be surprised if ASLR and DEP have been "unofficially" cracked for a while by now. Probably Chrome as well. Never underestimate the blackhats. Though, gotta give it to the people in Pwn2Own. They are sure doing us all a favor by finding these exploits.

I'm just worried about the exploits out there that haven't been "officially" found yet.

By the way, are they using only vanilla installations? How about with antivirus/etc installed, is it just as easy for them?

Edited 2010-03-25 23:26 UTC

Reply Score: 4

RE[2]: Windows 7 secure? Ha!
by abraxas on Fri 26th Mar 2010 00:35 UTC in reply to "RE: Windows 7 secure? Ha!"
abraxas Member since:
2005-07-07

I wouldn't be surprised if ASLR and DEP have been "unofficially" cracked for a while by now. Probably Chrome as well. Never underestimate the blackhats.


Agreed. Some people don't seem to understand that blackhats and even security researchers hoard exploits. I don't doubt for a second that a lot of software that people use on a daily basis is exploitable and someone knows about it, and it is usually the wrong someone. People are living in fantasy land if they think their code is secure just because a security advisory hasn't been released for it.

Edited 2010-03-26 00:36 UTC

Reply Score: 3

Fuzzing
by kaelodest on Fri 26th Mar 2010 00:48 UTC in reply to "Windows 7 secure? Ha!"
kaelodest Member since:
2006-02-12

There have been some great quotes from modern Mac Warriors. The ex-CEO of Omni, Wil Shipley, had a point of view about hacking, security and privacy that essentially came down to being proud of the work you do and putting a lot of pride in it, but do not expect that some new kids are not going to come over the hill and torch all that you did to secure your app (he was talking about serial numbers and SW piracy...) and he was right. We all might be good or clever or some combo of both in a team. And our Opposing Force will be just as proud and clever when they hack or [K]rack or serve us old-heads. That is the only way that progress gets made.
I did a seminar a few years back with Jon "Wolf" Rentzsch about code injections and fuzzing. I understood about half of it 3 years ago and I have picked up on half of what I didn't know since then. It is one thing to think that this-patch or that-patch will fix anything.
At least with the Unixes and the Mac we do not have obvious WTF 'features' like exec bits set on tmp folders and -- Ooops, by default we do have a lot of holes.
Hell, Unix used to be full of holes in the 70s and 80s and Microsoft used to be much worse. Someday it will be these guys bitching about 2014's new 0-day exploit.

until then fight the good fight

Reply Score: 2

RE: Windows 7 secure? Ha!
by sakeniwefu on Fri 26th Mar 2010 14:37 UTC in reply to "Windows 7 secure? Ha!"
sakeniwefu Member since:
2008-02-26

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be, at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's; and MacOS X's is even worse and only available in the latest version.

More importantly, the jail was broken, and each new exploit for IE8 finds a way of breaking it, so the people that rely mainly on jails instead of trying to prevent the code from running in the first place are the ones that should be getting really worried. Windows is on the right track by doing it all. Windows 7 is not your grandpa's Windows 98.

Reply Score: 2
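The post above hinges on two build-time properties of a program: whether its stack is marked non-executable (what DEP/NX enforces) and whether it is position-independent (PIE), which is what lets the loader randomise the program image itself rather than only the libraries. The following is an added example, not code from the thread or from any project it mentions: a small checker that reads only the ELF64 header and the PT_GNU_STACK program header of a Linux binary. The images built by make_sample_elf() are constructed so it can be exercised offline; the constants are the standard ELF values.

```python
"""Report whether a 64-bit ELF binary was built with an NX stack and as PIE."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission flags
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF64 header and program headers from the raw file bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # EI_CLASS 2 == ELF64
        raise ValueError("not a 64-bit ELF file")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA 1 == little-endian
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsz,
     e_phentsize, e_phnum) = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    # Without a PT_GNU_STACK header the historic Linux x86 default is an
    # executable stack, so treat "header missing" as "not NX" (conservative).
    stack_hdr_seen, stack_exec = False, True
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_hdr_seen = True
            stack_exec = bool(p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,          # ET_DYN on an executable means PIE
        "nx_stack": stack_hdr_seen and not stack_exec,
        "gnu_stack_present": stack_hdr_seen,
    }


def make_sample_elf(e_type: int, stack_flags=None) -> bytes:
    """Constructed minimal ELF64 image (header plus optional PT_GNU_STACK).
    Not loadable, only enough structure for inspect_elf() to parse offline."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # ELF64, LSB, version 1
    img = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0,
                      64, 0, 0, 64, 56, phnum, 64, 0, 0)  # phoff=64, phentsize=56
    if phnum:
        img += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return img


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary  (hypothetical file name)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf(ET_DYN, 6)
    for key, val in inspect_elf(blob).items():
        print(f"{key:18s}: {val}")
```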

RE[2]: Windows 7 secure? Ha!
by darknexus on Fri 26th Mar 2010 15:21 UTC in reply to "RE: Windows 7 secure? Ha!"
darknexus Member since:
2008-07-15

DEP is 100% unbreakable if permissions are set correctly.


Nothing remains unbreakable forever. Ever. That's just the nature of computing. The harder security is implemented the more they will try, and succeed, to break it open. It's the same with any type of security, not just computing. It's startlingly close to the laws of the physical world, specifically that every action has an equal and opposite reaction.
There's only one way to keep yourself completely safe online, and that is to use your own common sense. Sadly, it seems as though many people lack such a useful attribute these days and want the computer to do the thinking for them.

Reply Score: 5

RE[2]: Windows 7 secure? Ha!
by bousozoku on Fri 26th Mar 2010 18:30 UTC in reply to "RE: Windows 7 secure? Ha!"
bousozoku Member since:
2006-01-23

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be, at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's; and MacOS X's is even worse and only available in the latest version.
...


If you can bypass ASLR in Windows as was done, it doesn't seem as though full ASLR (as Windows advocates say) is much better than the partial ASLR that Mac OS X has.

Charlie Miller said that Mac OS X is easier to hack than Windows 7 but it doesn't seem that it's more than a matter of degree. Of course, they're still attacking by browser, so apparently neither one has a direct opening.

It's good enough, though, because some users will click on anything.

Reply Score: 3

RE[2]: Windows 7 secure? Ha!
by Mike Pavone on Fri 26th Mar 2010 22:38 UTC in reply to "RE: Windows 7 secure? Ha!"
Mike Pavone Member since:
2006-06-26

DEP is 100% unbreakable if permissions are set correctly.


No it's not. DEP prevents you from running code out of the stack or a data buffer, but you can still overwrite the return address on the stack to jump to an arbitrary point inside the code of the app itself or a library it uses. By carefully piecing together these fragments of code you can effectively do just about anything.

Now ASLR makes these kinds of attacks much more difficult (particularly on 64-bit systems) if implemented properly.

Reply Score: 1

RE[3]: Windows 7 secure? Ha!
by sakeniwefu on Sat 27th Mar 2010 03:08 UTC in reply to "RE[2]: Windows 7 secure? Ha!"
sakeniwefu Member since:
2008-02-26

Well, of course DEP doesn't protect you from a buffer overflow in VM code overwriting your BASIC program, from the CIA, or from you doing sudo evil script. Its target is clear: it makes data execution impossible.

If ASLR is applied on everything on loading, the only way the attacker could know the address of important functions is it being intentionally revealed or it not being very random in the first place. It would of course be better if the programs didn't link in the functions in the first place.

Buffer overflow exploits (even when the bug is present) are also a lot less likely if heap addresses are also randomized, which Windows does at least to a degree if I can believe Wikipedia, but Linux, for example, doesn't and gives you (by default) the same blocks over and over. You can predict where things will be.

So Windows has implemented good techniques but has other problems which invalidate them. They also have all the other ACLs, jails, managed code, etc. features, that execution prevention naysayers defend as the ultimate solution and that seem to be bypassed easily all the time, without using CPU bugs or whatnot. You see that in the exploits the part they boast about is always breaking EP.

The sudo evil script problem is unfortunately unsolvable; Ars (I think) had an article recently on how people would *forward* spam. However, that doesn't mean that exploit prevention is useless. Some people are less gullible than others; they deserve some protection even if it isn't perfect. Maybe you didn't notice, but we don't have viruses anymore like in the 90s.

Reply Score: 2
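Whether heap and code addresses really come back "the same over and over", as this post claims for Linux, and how much ASLR helps against the return-address overwrites Mike Pavone describes above, is something you can measure rather than argue about. The script below is an added example, not code from the thread; it assumes CPython (so id() of an object is a heap address and ctypes.pythonapi resolves a function inside the interpreter image) and launches a fresh interpreter several times, then reports per region how many address bits differed across launches. That count is an upper bound on the randomisation entropy; 0 means the region landed at the same address every time.

```python
"""ASLR spot-check: record where the heap, the interpreter's code and an
anonymous mmap region land in several fresh processes, and count the
address bits that moved. A region that never moves is not randomised."""
import json
import subprocess
import sys

# Child-process source (constructed for this example). It prints one JSON
# object with a representative address from each region of interest.
CHILD_SRC = r"""
import ctypes, json, mmap
obj = object()                                                   # heap object
code = ctypes.cast(ctypes.pythonapi.PyLong_FromLong, ctypes.c_void_p).value
m = mmap.mmap(-1, 4096)                                          # anonymous mapping
region = ctypes.addressof(ctypes.c_char.from_buffer(m))
print(json.dumps({"heap": id(obj), "code": code, "mmap": region}))
"""

REGIONS = ("heap", "code", "mmap")


def sample_addresses(runs: int = 8) -> list:
    """Spawn `runs` fresh interpreters; each process gets its own layout."""
    samples = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", CHILD_SRC],
                             capture_output=True, text=True, check=True).stdout
        samples.append(json.loads(out))
    return samples


def varying_bits(values: list) -> int:
    """Number of bit positions that differ across the observed addresses.
    0 means the address was identical in every run (no randomisation)."""
    if not values:
        return 0
    diff = 0
    for v in values[1:]:
        diff |= v ^ values[0]
    return bin(diff).count("1")


def assess(samples: list) -> dict:
    """Per region, how many address bits moved between runs."""
    return {r: varying_bits([s[r] for s in samples]) for r in REGIONS}


if __name__ == "__main__":
    for region, bits in assess(sample_addresses()).items():
        verdict = "NOT randomised" if bits == 0 else f"{bits} bits vary"
        print(f"{region:5s}: {verdict}")
```

On a Linux host you can confirm the check works by running it under `setarch -R`, which disables randomisation for the process tree; the heap and mmap rows should then drop to 0.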

RE[4]: Windows 7 secure? Ha!
by PlatformAgnostic on Sat 27th Mar 2010 16:16 UTC in reply to "RE[3]: Windows 7 secure? Ha!"
PlatformAgnostic Member since:
2006-01-02

Windows caches and hands out the same blocks over and over too. It's better for efficiency that way.

Reply Score: 2

RE[4]: Windows 7 secure? Ha!
by darknexus on Sat 27th Mar 2010 17:28 UTC in reply to "RE[3]: Windows 7 secure? Ha!"
darknexus Member since:
2008-07-15

Maybe you didn't notice, but we don't have viruses anymore like in the 90s.

Funny, I guess I must be imagining all these XP machines people are still using that I *still* end up having to remove viruses from. Maybe you didn't notice, but there aren't a whole lot of consumers throwing away their three or four year old hardware for a Windows 7 machine and many of them don't know how to upgrade or even that they should. Hell, some of them did upgrade and didn't like it and what did they do? Back to XP... and back to virus hell. As long as XP survives, we will never be free of this.
Yes, we still do have those viruses.

Reply Score: 2

where is the python script?
by panzi on Fri 26th Mar 2010 00:16 UTC
panzi
Member since:
2006-01-22

Does anyone have the link to the said Python script? I think this is really interesting and would like to run it against some apps I wrote/I use. Maybe I can help improve software security of the open source desktop this way? ;)

Reply Score: 4

RE: where is the python script?
by WereCatf on Fri 26th Mar 2010 00:33 UTC in reply to "where is the python script?"
WereCatf Member since:
2006-02-15

Does anyone have the link to the said Python script?

I'd also like to see it but just for purely academic reasons; I am still a beginner even when it comes to basic programming, but it'd still help me learn at least something new ;)

Reply Score: 2

RE: where is the python script?
by Karitku on Fri 26th Mar 2010 07:38 UTC in reply to "where is the python script?"
Karitku Member since:
2006-01-12

Does anyone have the link to the said Python script? I think this is really interesting and would like to run it against some apps I wrote/I use. Maybe I can help improve software security of the open source desktop this way? ;)

A better way would be learning TDD (test-driven development) and using tools like Pex (look at Microsoft Research) when you program. I'm shocked how few people actually use something as simple as TDD as a principle in coding. It is so much easier to find bugs using white-box testing than black-box testing.

Reply Score: 2

RE[2]: where is the python script?
by reez on Fri 26th Mar 2010 10:46 UTC in reply to "RE: where is the python script?"
reez Member since:
2006-06-28

You are right.

Just as a small note. All programming languages I know have something like this. Smalltalk usually has this integrated and nearly all Perl devs make heavy use of it. So there is no reason not to use it.

It also helps a lot when it comes to portability.

Reply Score: 1

Good Job
by kaelodest on Fri 26th Mar 2010 00:25 UTC
kaelodest
Member since:
2006-02-12

Honestly, Charlie Miller seems to have done his homework correctly and thoroughly. Now there are ways to tighten the OS and as a Mac guy I will stand by my tools and techniques. At the same time, talking "Mac Security" to Mac users is like leading stupid horses to water. My favorite user (my wife) copy/pasted a link into Safari and pow, '0wn3d'. No amount of code signing or address space randomization will replace a solid understanding of what I am doing, just good situational awareness. So the next level of responsibility falls to network security: I hit the switch on the router. Then I checked my firewall logs and settings. Then I checked the logs on the Mac and the firewall again. It was trying to telnet her/our address book somewhere; that port was blocked, and now that address is blocked. If it hadn't happened in real time I suppose I would only have theory on what I (as more than just a random end user / my kids or Carol in Accounting…) would do if my unhackable box got hacked.
Does this mean that I am safe or less safe on a Mac? Or on a PC? Or some FOSS/Linux? My wife kept asking me if we were safe. And I suppose that we still are basically as safe as we want to believe. And out in the world or on some open/unencrypted network - well, if it can happen at home (and a failed hack is just as good as a fire for me) then it can happen 100% easier on an uncontrolled network.

Reply Score: 2

All are secure until broken
by ramasubbu_sk on Fri 26th Mar 2010 01:18 UTC
ramasubbu_sk
Member since:
2007-04-05

At least now no one is shouting at ONLY Microsoft for a buggier (insecure) browser. Fact is, all software is not secure on its own.
The only solution for this is to be cautious and secure yourself rather than rely on browsers, like limiting yourself to only legitimate sites. As long as you stay within that limit you are almost (99.99%) safe, and don't open any mail attachment until you are sure of what you are opening.

Reply Score: 2

RE: All are secure until broken
by Jon Dough on Fri 26th Mar 2010 11:12 UTC in reply to "All are secure until broken"
Jon Dough Member since:
2005-11-30

[...] The only solution for this is to be cautious and secure yourself rather than rely on browsers, like limiting yourself to only legitimate sites. As long as you stay within that limit you are almost (99.99%) safe, and don't open any mail attachment until you are sure of what you are opening.


And you can't let your guard down. The hackers are getting better at the social end of it. I like to believe I'm situationally aware, but I almost fell for a link from a friend on Facebook. Had I not seen someone else's post about how these links led to some sort of virus, I would've been toast.

Reply Score: 2

RE: All are secure until broken
by bert64 on Sat 27th Mar 2010 15:29 UTC in reply to "All are secure until broken"
bert64 Member since:
2007-04-23

The trouble with only viewing legitimate sites is that even legit sites can get hacked, or serve ads from third-party sites...
The best thing to do is isolate your browser from anything important you do, and use a niche browser running on a niche OS (and proprietary things like Flash severely hamper this).

Reply Score: 2

drunk teens
by wanker90210 on Fri 26th Mar 2010 12:25 UTC
wanker90210
Member since:
2007-10-26

I see that drunk Dutch teens have the same healthy relationship to alcohol as Swedish teens do. ;)

Reply Score: 1

jabbotts
Member since:
2007-09-06

The competition is fun but, based on its rules, it can only highlight the researcher. They choose the single target to attempt and cannot use the exploit against a second target.

What I'd like to see is a post-competition stage where the same exploit is tested against all browser/platform combinations. Find out and publish the full spectrum of vulnerable configurations. Are all current versions of Firefox vulnerable, and across what platform installs, rather than just 3.6.2 on OS X?

Reply Score: 2