Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
Thread beginning with comment 326318
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Summary of "exploit"
by Windows Sucks on Sat 9th Aug 2008 16:20 UTC in reply to "Summary of "exploit""
Windows Sucks
Member since:
2005-11-10

The interesting this about this problem is that it seems that IE is the biggest problem, along with .NET and Active X (All Microsoft products)

Does not focus on Java and Flash etc.

So that said, does this mean that MS also does not put the same security on their own products?? As Java, Flash etc does not use the security built in?

Reply Parent Score: 2

RE[2]: Summary of "exploit"
by vaette on Sat 9th Aug 2008 21:12 in reply to "RE: Summary of "exploit""
vaette Member since:
2008-08-09

IE is not the problem, not only will the same techniques work against Firefox, Opera and Safari, they will if anything work better as those don't present the additional hurdle of the IE UAC sandbox.

This has nothing to do with ActiveX, any other plugin architecture would be just as problematic. Being able to fool .NET to not run with a poor DEP setup with a specially crafted header is a problem (probably a bug) though, true enough. Still, as Flash and Java never sets up secure page settings it doesn't really make much difference for now.

Reply Parent Score: 1

Windows Sucks Member since:
2005-11-10

IE is not the problem, not only will the same techniques work against Firefox, Opera and Safari, they will if anything work better as those don't present the additional hurdle of the IE UAC sandbox.

This has nothing to do with ActiveX, any other plugin architecture would be just as problematic. Being able to fool .NET to not run with a poor DEP setup with a specially crafted header is a problem (probably a bug) though, true enough. Still, as Flash and Java never sets up secure page settings it doesn't really make much difference for now.


Where did you get that info? In the articles that came out IE is the issue. Yes this problem would happen on any other browser and almost any plug in. But they make a point to say IE is a big problem Do you have some info that shows something else. Please provide.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gc...

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

"By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it."

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

According to this you can run a default Windows Vista set up with no third party software and you are wide open. And there is nothing you can do (But use Windows XP)

So no it's not a problem with the actual plugins but its a major problem with how Windows handles even Microsoft plugins! People will try to blame it on third party developers. Just want to make sure its clear that its MS that made this problem not bad programing developers! Not third parties making bad plugins!

Reply Parent Score: 2

RE[3]: Summary of "exploit"
by abraxas on Mon 11th Aug 2008 15:12 in reply to "RE[2]: Summary of "exploit""
abraxas Member since:
2005-07-07

Being able to fool .NET to not run with a poor DEP setup with a specially crafted header is a problem (probably a bug) though, true enough


This sentence is hard to parse but it seems like you are saying that .NET's incompatiblity with DEP is a bug but it is not. The same thing happens on Linux with Mono. Memory protections must be disabled for Mono because it takes advantage of runtime code generation that DEP and PaX specifically try to prevent. This is generally OK though because .NET and Mono are not affected by buffer overruns.

Reply Parent Score: 2