Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
Thread beginning with comment 326379
RE[4]: Summary of "exploit"
by vaette on Sun 10th Aug 2008 10:04 UTC in reply to "RE[3]: Summary of "exploit""
vaette (Member since: 2008-08-09)

As I noted above the article (and the discussion that follows from it) is pretty awful, vague and bordering on completely incorrect. I got my info from the linked paper above. I think it has been removed at this point however, so you may either need to track down another copy or take my word for it.

While they do use the way that IE handles ActiveX controls, Java- and .NET-applets, the same applies equally to just about any other plugin architecture as long as the plugin runs in-process. Which covers all popular web-browsers.

So, to reiterate:
* There is no exploit, nothing is "wide open". They use the old (long patched) .ANI exploit to demo the techniques. The talk has been given and all the facts are out, feel free to check Secunia or such for security advisories. Spoiler: there are none.
* This only deals with a handful of the protections in Vista; as a whole, IE on Vista remains far more secure than IE on XP (even if all Vista protections were completely knocked down we would still at worst be in the same place we are on XP).
* All other browsers (and, in principle, OSes) are equally affected by this; if they have similar protections they can be overridden in the same way, if they don't, well, then they were worse off to start with. The only reason why Vista is the example in the paper is because it has a comprehensive set of protections to consider.
* Indeed, the .NET header loading bug makes IE in a clean default Vista install susceptible to the DEP-disabling/ASLR-slide part of the trick. This is the most serious part, but will probably get fixed, and doesn't matter much as 95% of all installs get Flash within minutes of going online.

I realize that the most serious problem with my comments is that the paper doesn't seem accessible anymore, but please consider the possibility that you are barking up the wrong tree here. You will surely find plenty of other things to complain about in Vista ;)

Reply Parent Score: 2

RE[5]: Summary of "exploit"
by Windows Sucks on Sun 10th Aug 2008 11:46 in reply to "RE[4]: Summary of "exploit""
Windows Sucks (Member since: 2005-11-10)

We will have to see over the next couple of weeks what is actually meant as these issues come to light.

Normally when docs like that "vanish" then either they are wrong or they are not detailed right.

So we will see if this can be demoed and if they can show it on other OS's.

Reply Parent Score: 2

PlatformAgnostic (Member since: 2006-01-02)

The paper is back up, but it is very long and rather technical. These attacks all only apply to the defense-in-depth measures, so you need to combine them with an actual vulnerability in order to break in.

You'll see that the attacks do require certain preconditions. It so happens that these preconditions are almost always met for a web-browser due to the common third-party plugins (and due to an issue in .NET header validation) and application compatibility concerns. One thing to note is that running 64-bit apps on Windows will allow you to get away from these problems for various technical reasons (including the presence of table-based exception handling).

Reply Parent Score: 3
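An added example, not part of the thread or of the paper the commenters are discussing: the "preconditions" PlatformAgnostic refers to come down to per-module PE header flags. Vista only randomizes a module's load address if its header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), and a 32-bit process under the default OptIn DEP policy only gets DEP if its main executable sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100). An in-process plugin linked without those flags therefore sits at a fixed address regardless of what the browser itself does. The Python below reads those flags straight from the headers and reports which modules undermine the protections. The "browser.exe", "system.dll" and "plugin.dll" images are constructed stand-ins built by the script, not real binaries; flag values and header offsets are from winnt.h.

```python
"""Read per-module ASLR/DEP opt-in flags from PE headers (added example).

The sample images at the bottom are constructed for this example; they are
header-only stand-ins for a 32-bit browser process, not real binaries.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP
IMAGE_FILE_DLL = 0x2000                         # image is a DLL, not an EXE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B       # 32-bit / 64-bit optional header
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64"}


def parse_pe_protections(data):
    """Return {'bits', 'machine', 'is_dll', 'aslr', 'dep'} for a PE image.

    Only the DOS header, PE signature, file header and the start of the
    optional header are read; the image is never mapped or executed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER starts right after the file header
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        bits = 64
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "bits": bits,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def assess_process(modules):
    """Flag modules that break the preconditions ASLR and DEP depend on.

    `modules` maps module name to raw image bytes; the first entry is taken
    to be the main executable, whose NX_COMPAT flag decides DEP under OptIn.
    """
    findings = []
    for i, (name, data) in enumerate(modules.items()):
        info = parse_pe_protections(data)
        if not info["aslr"]:
            findings.append("%s: no DYNAMIC_BASE, loaded at its preferred base "
                            "(fixed addresses for return-into-code)" % name)
        if i == 0 and not info["dep"]:
            findings.append("%s: main EXE lacks NX_COMPAT, process does not "
                            "opt in to DEP under the default OptIn policy" % name)
    return findings


def build_sample_pe(bits, dllchar, is_dll=True):
    """Construct a minimal header-only PE image carrying the given flags."""
    magic, opt_size = (PE32_MAGIC, 224) if bits == 32 else (PE32PLUS_MAGIC, 240)
    machine = 0x14C if bits == 32 else 0x8664
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed stand-in for a 32-bit browser process: an EXE and a system DLL
# that opt in to both protections, plus a third-party plugin built without either.
BOTH = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SAMPLE_PROCESS = {
    "browser.exe": build_sample_pe(32, BOTH, is_dll=False),
    "system.dll": build_sample_pe(32, BOTH),
    "plugin.dll": build_sample_pe(32, 0),
}

if __name__ == "__main__":
    for line in assess_process(SAMPLE_PROCESS):
        print(line)
```

Run against real modules by replacing the constructed dict with the bytes of each DLL loaded in the browser process; any 32-bit module reported without DYNAMIC_BASE is the fixed-address foothold the commenters describe, which is exactly what a plugin like Flash (at the time) or the .NET loader path provided.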