Linked by Thom Holwerda on Thu 25th Mar 2010 22:20 UTC
Privacy, Security, Encryption

It's that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don't read too much into that one, please).
Thread beginning with comment 415294
Windows 7 secure? Ha!
by abraxas on Thu 25th Mar 2010 22:52 UTC
abraxas Member since:
2005-07-07

Thom, this just goes to show you that you were wrong as ever when you said DEP and ASLR were never cracked. I know I pointed out before that this was not the case but now we have new exploit techniques that do not rely on third party code. It just goes to show that nothing is really secure. I don't doubt that we will see the same results year after year.

Reply Score: 5

RE: Windows 7 secure? Ha!
by Thom_Holwerda on Thu 25th Mar 2010 22:53 in reply to "Windows 7 secure? Ha!"
Thom_Holwerda Member since:
2005-06-29

Thom, this just goes to show you that you were wrong as ever when you said DEP and ASLR were never cracked.


Back then, they were indeed not yet cracked.

This is now.

That's not rocket science.

Reply Parent Score: 2

RE[2]: Windows 7 secure? Ha!
by abraxas on Thu 25th Mar 2010 22:55 in reply to "RE: Windows 7 secure? Ha!"
abraxas Member since:
2005-07-07

Did you even read the article or anything I posted this time or last time? Both had been cracked for a while now. The new technique just doesn't require a third party app like Flash or Java.

Reply Parent Score: 8

RE[2]: Windows 7 secure? Ha!
by mnem0 on Fri 26th Mar 2010 08:39 in reply to "RE: Windows 7 secure? Ha!"
RE: Windows 7 secure? Ha!
by ephracis on Thu 25th Mar 2010 23:25 in reply to "Windows 7 secure? Ha!"
ephracis Member since:
2007-09-23

*I* even managed to bust the ASLR on Vista (and Win7). It was as easy as finding a register that you could use to calculate the offset in memory. I believe that the implementation in Vista has been documented in "Hacking Exposed" or maybe it was "The Shellcoder's Handbook". Anyway, use the same principle and you bust ASLR in Win7.

And *I* am not even that good... just read a few books and copy-pasted some code just to try it, basically. I wouldn't be surprised if ASLR and DEP have been "unofficially" cracked for a while by now. Probably Chrome as well. Never underestimate the blackhats. Though, gotta give it to the people in Pwn2Own. They are sure doing us all a favor by finding these exploits.

I'm just worried about the exploits out there that haven't been "officially" found yet.

By the way, are they using only vanilla installations? How about with antivirus/etc installed, is it just as easy for them?

Edited 2010-03-25 23:26 UTC

Reply Parent Score: 4

RE[2]: Windows 7 secure? Ha!
by abraxas on Fri 26th Mar 2010 00:35 in reply to "RE: Windows 7 secure? Ha!"
abraxas Member since:
2005-07-07

I wouldn't be surprised if ASLR and DEP have been "unofficially" cracked for a while by now. Probably Chrome as well. Never underestimate the blackhats.


Agreed. Some people don't seem to understand that blackhats and even security researchers hoard exploits. I don't doubt for a second that a lot of software that people use on a daily basis is exploitable and someone knows about it, and it is usually the wrong someone. People are living in fantasy land if they think their code is secure just because a security advisory hasn't been released for it.

Edited 2010-03-26 00:36 UTC

Reply Parent Score: 3

Fuzzing
by kaelodest on Fri 26th Mar 2010 00:48 in reply to "Windows 7 secure? Ha!"
kaelodest Member since:
2006-02-12

There have been some great quotes from modern Mac Warriors. The ex-CEO of Omni, Wil Shipley, had a point of view about hacking, security and privacy that essentially came down to being proud of the work you do and putting a lot of pride in it, but do not expect that some new kids are not going to come over the hill and torch all that you did to secure your app (he was talking about serial numbers and SW piracy...) and he was right. We all might be good or clever or some combo of both in a team. And our Opposing Force will be just as proud and clever when they hack or [K]rack or serve us old-heads. That is the only way that progress gets made.
I did a seminar a few years back with Jon "Wolf" Rentzsch about code injections and fuzzing. I understood about half of it 3 years ago and I have picked up on half of what I didn't know since then. It is one thing to think that this-patch or that-patch will fix anything.
At least with the Unixes and the Mac we do not have obvious WTF 'features' like exec bits set on tmp folders and -- oops, by default we do have a lot of holes.
Hell, Unix used to be full of holes in the 70s and 80s and Microsoft used to be much worse. Someday it will be these guys bitching about 2014's new 0-day exploit.

Until then, fight the good fight.

Reply Parent Score: 2

RE: Windows 7 secure? Ha!
by sakeniwefu on Fri 26th Mar 2010 14:37 in reply to "Windows 7 secure? Ha!"
sakeniwefu Member since:
2008-02-26

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be; at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's, and Mac OS X's is even worse and only available in the latest version.

More importantly, the jail was broken, and each new exploit for IE8 finds a way of breaking it, so the people that rely mainly on jails instead of trying to prevent the code from running in the first place are the ones that should be getting really worried. Windows is on the right track by doing it all. Windows 7 is not your grandpa's Windows 98.

Reply Parent Score: 2
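The two points in the comment above, that DEP holds only "if permissions are set correctly" and that ASLR fails when "the program itself is giving out too much information", both come down to per-module opt-in on Windows Vista/7: an image linked without DYNAMIC_BASE is mapped at its preferred ImageBase, so its code sits at a known address whatever the rest of the process does, and an EXE without NX_COMPAT is not covered by the default OptIn DEP policy. The checker below is an added example written for this thread, not code from the article or any of the commenters; it reads the IMAGE_DLLCHARACTERISTICS field of the PE optional header using the real flag values and reports which mitigations a module has opted into. The two sample images it builds are constructed header-only blobs, not real binaries, so it runs offline; pass a file path to inspect a real DLL or EXE.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS bits from the PE optional header (real Windows values).
DYNAMIC_BASE = 0x0040   # image can be relocated at load time: the ASLR opt-in
NX_COMPAT = 0x0100      # image declares itself DEP-compatible


def build_sample_pe(magic: int, image_base: int, dll_characteristics: int) -> bytes:
    """Construct a minimal, header-only PE image (constructed sample, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    machine = 0x014C if magic == 0x10B else 0x8664   # i386 or x86-64
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x0002)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    if magic == 0x10B:                                # PE32: BaseOfData at 24, ImageBase at 28
        struct.pack_into("<I", opt, 28, image_base)
    else:                                             # PE32+: 8-byte ImageBase at 24
        struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)   # same offset for PE32 and PE32+
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def pe_mitigations(data: bytes) -> dict:
    """Return the DEP/ASLR opt-in state recorded in a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        kind = "PE32"
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:
        kind = "PE32+"
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "kind": kind,
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def findings(data: bytes) -> list:
    """Turn the flag state into the observations a reviewer would write down."""
    m = pe_mitigations(data)
    out = []
    if not m["aslr"]:
        out.append(f"no DYNAMIC_BASE: {m['kind']} image loads at fixed base 0x{m['image_base']:x}")
    if not m["dep"]:
        out.append("no NX_COMPAT: module does not declare DEP compatibility")
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:                             # inspect a real file if one is given
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read()}
    else:                                             # otherwise use the constructed headers
        samples = {
            "legacy.dll": build_sample_pe(0x10B, 0x00400000, 0),
            "hardened.exe": build_sample_pe(0x20B, 0x140000000, DYNAMIC_BASE | NX_COMPAT),
        }
    for name, blob in samples.items():
        print(name, pe_mitigations(blob), findings(blob) or ["opted into both mitigations"])
```

Running it over the plug-in directories of a browser is the quickest way to see the thread's point about third-party modules: one module reporting "loads at fixed base" is enough to undo the randomization the rest of the process gets, which is why linking everything with /DYNAMICBASE and /NXCOMPAT matters more than the OS-wide setting.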

RE[2]: Windows 7 secure? Ha!
by darknexus on Fri 26th Mar 2010 15:21 in reply to "RE: Windows 7 secure? Ha!"
darknexus Member since:
2008-07-15

DEP is 100% unbreakable if permissions are set correctly.


Nothing remains unbreakable forever. Ever. That's just the nature of computing. The harder security is implemented the more they will try, and succeed, to break it open. It's the same with any type of security, not just computing. It's startlingly close to the laws of the physical world, specifically that every action has an equal and opposite reaction.
There's only one way to keep yourself completely safe online, and that is to use your own common sense. Sadly, it seems as though many people lack such a useful attribute these days and want the computer to do the thinking for them.

Reply Parent Score: 5

RE[2]: Windows 7 secure? Ha!
by bousozoku on Fri 26th Mar 2010 18:30 in reply to "RE: Windows 7 secure? Ha!"
bousozoku Member since:
2006-01-23

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be; at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's, and Mac OS X's is even worse and only available in the latest version.
...


If you can bypass ASLR in Windows as was done, it doesn't seem as though full ASLR (as Windows advocates say) is much better than the partial ASLR that Mac OS X has.

Charlie Miller said that Mac OS X is easier to hack than Windows 7, but it doesn't seem that it's more than a matter of degree. Of course, they're still attacking by browser, so apparently neither one has a direct opening.

It's good enough, though, because some users will click on anything.

Reply Parent Score: 3

RE[2]: Windows 7 secure? Ha!
by Mike Pavone on Fri 26th Mar 2010 22:38 in reply to "RE: Windows 7 secure? Ha!"
Mike Pavone Member since:
2006-06-26

DEP is 100% unbreakable if permissions are set correctly.


No it's not. DEP prevents you from running code out of the stack or a data buffer, but you can still overwrite the return address on the stack to jump to an arbitrary point inside the code of the app itself or a library it uses. By carefully piecing together these fragments of code you can effectively do just about anything.

Now ASLR makes these kinds of attacks much more difficult (particularly on 64-bit systems) if implemented properly.

Reply Parent Score: 1