Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
Thread beginning with comment 326329
RE[2]: Summary of "exploit"
by vaette on Sat 9th Aug 2008 21:12 UTC in reply to "RE: Summary of "exploit""
vaette
Member since:
2008-08-09

IE is not the problem: not only will the same techniques work against Firefox, Opera and Safari, they will, if anything, work better, as those don't present the additional hurdle of the IE UAC sandbox.

This has nothing to do with ActiveX; any other plugin architecture would be just as problematic. Being able to fool .NET into not running with a proper DEP setup with a specially crafted header is a problem (probably a bug) though, true enough. Still, as Flash and Java never set up secure page settings, it doesn't really make much difference for now.

Reply Parent Score: 1

Windows Sucks Member since:
2005-11-10

IE is not the problem: not only will the same techniques work against Firefox, Opera and Safari, they will, if anything, work better, as those don't present the additional hurdle of the IE UAC sandbox.

This has nothing to do with ActiveX; any other plugin architecture would be just as problematic. Being able to fool .NET into not running with a proper DEP setup with a specially crafted header is a problem (probably a bug) though, true enough. Still, as Flash and Java never set up secure page settings, it doesn't really make much difference for now.


Where did you get that info? In the articles that came out, IE is the issue. Yes, this problem would happen on any other browser and almost any plug-in, but they make a point of saying IE is a big problem. Do you have some info that shows something else? Please provide it.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gc...

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

"By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it."

"If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

According to this, you can run a default Windows Vista setup with no third-party software and you are wide open. And there is nothing you can do (but use Windows XP).

So no, it's not a problem with the actual plugins, but it's a major problem with how Windows handles even Microsoft plugins! People will try to blame it on third-party developers. Just want to make sure it's clear that it's MS that made this problem, not bad programming by developers! Not third parties making bad plugins!

Reply Parent Score: 2

RE[4]: Summary of "exploit"
by vaette on Sun 10th Aug 2008 10:04 in reply to "RE[3]: Summary of "exploit""
vaette Member since:
2008-08-09

As I noted above the article (and the discussion that follows from it) is pretty awful, vague and bordering on completely incorrect. I got my info from the linked paper above. I think it has been removed at this point however, so you may either need to track down another copy or take my word for it.

While they do use the way that IE handles ActiveX controls, Java- and .NET-applets, the same applies equally to just about any other plugin architecture as long as the plugin runs in-process. Which covers all popular web-browsers.

So, to reiterate:
* There is no exploit, nothing is "wide open". They use the old (long patched) .ANI exploit to demo the techniques. The talk has been given and all the facts are out, feel free to check Secunia or such for security advisories. Spoiler: there are none.
* This only deals with a handful of the protections in Vista, as a whole IE on Vista remains far more secure than IE on XP (even if all Vista protections were completely knocked down we would still at worst be in the same place we are on XP).
* All other browsers (and, in principle, OSes) are equally affected by this; if they have similar protections they can be overridden in the same way, and if they don't, well, then they were worse off to start with. The only reason why Vista is the example in the paper is because it has a comprehensive set of protections to consider.
* Indeed, the .NET header loading bug makes IE in a clean default Vista install susceptible to the DEP-disabling/ASLR-slide part of the trick. This is the most serious part, but it will probably get fixed, and it doesn't matter much as 95% of all installs get Flash within minutes of going online.

I realize that the most serious problem with my comments is that the paper doesn't seem accessible anymore, but please consider the possibility that you are barking up the wrong tree here. You will surely find plenty of other things to complain about in Vista ;)

Reply Parent Score: 2

RE[3]: Summary of "exploit"
by abraxas on Mon 11th Aug 2008 15:12 in reply to "RE[2]: Summary of "exploit""
abraxas Member since:
2005-07-07

Being able to fool .NET to not run with a poor DEP setup with a specially crafted header is a problem (probably a bug) though, true enough


This sentence is hard to parse, but it seems like you are saying that .NET's incompatibility with DEP is a bug, but it is not. The same thing happens on Linux with Mono. Memory protections must be disabled for Mono because it takes advantage of runtime code generation that DEP and PaX specifically try to prevent. This is generally OK, though, because .NET and Mono are not affected by buffer overruns.

Reply Parent Score: 2

RE[4]: Summary of "exploit"
by vaette on Mon 11th Aug 2008 15:46 in reply to "RE[3]: Summary of "exploit""
vaette Member since:
2008-08-09

This aspect of it does appear to be a bug. Sure, VMs will need to write to pages and then execute them for the sake of JIT code generation. However, what they should do, and what .NET normally does, is at the very least have heap pages non-executable (that is, any page which is not a target of the JIT). Additionally, the JIT should not leave its pages writable once done with a round of compilation (which would mean that writable/executable pages exist only during the instants when the JIT is actively running, and only for the pages touched at that time).

It is the first case that .NET can be fooled into failing on (and Java always fails on): getting non-code pages with executable permissions. I am not sure whether it handles the latter case well, which is an interesting question in itself, but it is not something that is exploited in this paper either way.

Overall this seems to be rather neglected by VMs, which is kind of frightening, as the whole point of most VMs is to be a core part of sandboxing and other such security measures.

Reply Parent Score: 1
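The page-permission discipline vaette describes (heap pages never executable, JIT pages flipped from writable to executable once a round of emission is done) and the DEP/PaX conflict abraxas raises, shown as an added example that is not from any commenter or from the Dowd/Sotirov paper. It assumes Linux, since it audits /proc/self/maps for mappings that are writable and executable at the same time, and the machine-code stub is a constructed x86-64 "mov eax, 42; ret"; the RWX allocation is included only as the contrast the audit function is meant to catch.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Count mappings in /proc/self/maps that are both writable and executable.
   A JIT that respects DEP/W^X never leaves one of these behind (Linux only). */
static int count_rwx_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[5];
    int n = 0;
    while (fgets(line, sizeof line, f))      /* "start-end perms offset dev inode [path]" */
        if (sscanf(line, "%*lx-%*lx %4s", perms) == 1 && perms[1] == 'w' && perms[2] == 'x')
            n++;
    fclose(f);
    return n;
}

/* What a "poor DEP setup" permits: a page that stays RWX for its whole life. */
static void *alloc_rwx(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* W^X JIT pattern: writable only while code is emitted, then flipped to
   read+execute before anything in the page can run. Never W and X at once. */
static void *jit_emit_wx(const unsigned char *code, size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (len > pg) return NULL;
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) { munmap(p, pg); return NULL; }
    return p;
}
/* Constructed x86-64 stub "mov eax, 42 ; ret" run through the W^X path.
   Returns 42 on x86-64, -2 elsewhere (the bytes are not portable), -1 on failure. */
static int run_jitted_stub(void) {
    static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    void *p = jit_emit_wx(stub, sizeof stub);
    if (!p) return -1;
    int r = -2;
#if defined(__x86_64__)
    r = ((int (*)(void))p)();
#endif
    munmap(p, sysconf(_SC_PAGESIZE));
    return r;
}
```

Running count_rwx_mappings() from inside a process that hosts a runtime (Mono, a Java VM, a browser with plugins) is a quick way to see whether that runtime follows the RW-then-RX pattern or simply keeps RWX pages around, which is the condition that makes DEP irrelevant.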