Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
RE[4]: Summary of "exploit"
by vaette on Sun 10th Aug 2008 10:04 UTC in reply to "RE[3]: Summary of "exploit""

As I noted above the article (and the discussion that follows from it) is pretty awful, vague and bordering on completely incorrect. I got my info from the linked paper above. I think it has been removed at this point however, so you may either need to track down another copy or take my word for it.

While they do use the way that IE handles ActiveX controls and Java and .NET applets, the same applies equally to just about any other plugin architecture, as long as the plugin runs in-process. Which covers all popular web browsers.

So, to reiterate:
* There is no exploit, nothing is "wide open". They use the old (long-patched) .ANI exploit to demo the techniques. The talk has been given and all the facts are out, feel free to check Secunia or such for security advisories. Spoiler: there are none.
* This only deals with a handful of the protections in Vista; as a whole, IE on Vista remains far more secure than IE on XP (even if all Vista protections were completely knocked down, we would still at worst be in the same place we are on XP).
* All other browsers (and, in principle, OSes) are equally affected by this; if they have similar protections, they can be overridden in the same way; if they don't, well, then they were worse off to start with. The only reason why Vista is the example in the paper is because it has a comprehensive set of protections to consider.
* Indeed, the .NET header loading bug makes IE in a clean default Vista install susceptible to the DEP-disabling/ASLR-slide part of the trick. This is the most serious part, but it will probably get fixed, and it doesn't matter much as 95% of all installs get Flash within minutes of going online.

I realize that the most serious problem with my comments is that the paper doesn't seem accessible anymore, but please consider the possibility that you are barking up the wrong tree here. You will surely find plenty of other things to complain about in Vista ;)

Reply Parent Score: 2
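The DEP-disabling/ASLR-slide part of the comment above turns on a module being loaded in-process without asking for those protections. On Windows that request is recorded per module in the PE optional header's DllCharacteristics field: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) for DEP. The following is an added example, not code from the commenter or from the paper under discussion: it parses those two bits out of a PE image and flags modules that lack either, which is the triage a practitioner would run over a browser's plugin directory. The sample images are constructed header-only stubs (they are not loadable), and the module names are hypothetical.

```python
import struct

# PE optional-header DllCharacteristics bits (from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module declares itself DEP-compatible
IMAGE_FILE_DLL = 0x2000                         # COFF Characteristics: image is a DLL
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError("truncated PE image")
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise ValueError("truncated PE image")
    return struct.unpack_from("<I", buf, off)[0]


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, validating the headers on the way."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    size_of_optional = _u16(image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                            # optional header follows the COFF header
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too small")
    magic = _u16(image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return _u16(image, opt + DLLCHARACTERISTICS_OFFSET)


def mitigation_optin(image: bytes) -> dict:
    """Report whether the module opts in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT)."""
    dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: a header-only PE image (not loadable) with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96        # standard + Windows-specific fields, no data directories
    machine = 0x8664 if pe32plus else 0x014C  # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, IMAGE_FILE_DLL | 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def weakest_link(modules: dict) -> list:
    """Names of modules that would hand an attacker a non-randomised or non-DEP mapping in-process."""
    return sorted(name for name, img in modules.items()
                  if not all(mitigation_optin(img).values()))


if __name__ == "__main__":
    # Constructed samples with hypothetical names: a hardened module, a legacy plugin, a DEP-only 64-bit one.
    samples = {
        "hardened.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacyplugin.dll": build_minimal_pe(0),
        "dep_only64.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True),
    }
    for name, img in samples.items():
        print(name, mitigation_optin(img))
    print("modules weakening the process:", weakest_link(samples))
```

The per-module bits are only one input: the process-wide DEP policy and the OS version decide what the loader actually does with a module that lacks them, so treat a missing flag as a lead to investigate rather than a verdict on the process.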