Linked by Thom Holwerda on Thu 25th Mar 2010 22:20 UTC
Privacy, Security, Encryption It's that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don't read too much into that one, please).
Thread beginning with comment 415368
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Windows 7 secure? Ha!
by sakeniwefu on Fri 26th Mar 2010 14:37 UTC in reply to "Windows 7 secure? Ha!"
sakeniwefu
Member since:
2008-02-26

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be, at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's; and MacOS X's is even worse and only available in the latest version.

More importantly, the jail was broken, and each new exploit for IE8 finds a way of breaking it, so the people that rely mainly on jails instead of trying to prevent the code to run in the first place are the ones that should be getting really worried. Windows is on the right track by doing it all. Windows 7 is not your grandpa's Windows 98.

Reply Parent Score: 2

RE[2]: Windows 7 secure? Ha!
by darknexus on Fri 26th Mar 2010 15:21 in reply to "RE: Windows 7 secure? Ha!"
darknexus Member since:
2008-07-15

DEP is 100% unbreakable if permissions are set correctly.


Nothing remains unbreakable forever. Ever. That's just the nature of computing. The harder security is implemented the more they will try, and succeed, to break it open. It's the same with any type of security, not just computing. It's startlingly close to the laws of the physical world, specifically that every action has an equal and opposite reaction.
There's only one way to keep yourself completely safe online, and that is to use your own common sense. Sadly, it seems as though many people lack such a useful attribute these days and want the computer to do the thinking for them.

Reply Parent Score: 5

RE[2]: Windows 7 secure? Ha!
by bousozoku on Fri 26th Mar 2010 18:30 in reply to "RE: Windows 7 secure? Ha!"
bousozoku Member since:
2006-01-23

DEP is 100% unbreakable if permissions are set correctly. And that's not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.

Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be, at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux's; and MacOS X's is even worse and only available in the latest version.
...


If you can bypass ASLR in Windows as was done, it doesn't seem as though full ASLR (as Windows advocates say) is much better than the partial ASLR that Mac OS X has.

Charlie Miller said that Mac OS X is easier to hack than Windows 7 but it doesn't seem that it's more than a matter of degrees. Of course, they're still attacking by browser, so apparently neither one has a direct opening.

It's good enough, though, because some users will click on anything.

Reply Parent Score: 3

RE[2]: Windows 7 secure? Ha!
by Mike Pavone on Fri 26th Mar 2010 22:38 in reply to "RE: Windows 7 secure? Ha!"
Mike Pavone Member since:
2006-06-26

DEP is 100% unbreakable if permissions are set correctly.


No it's not. DEP prevents you from running code out of the stack or a data buffer, but you can still overwrite the return address on the stack to jump to an arbitrary point inside the code of the app itself or a library it uses. By carefully piecing together these fragments of code you can effectively do just about anything.

Now ASLR makes these kinds of attacks much more difficult (particularly on 64-bit systems) if implemented properly.

Reply Parent Score: 1

RE[3]: Windows 7 secure? Ha!
by sakeniwefu on Sat 27th Mar 2010 03:08 in reply to "RE[2]: Windows 7 secure? Ha!"
sakeniwefu Member since:
2008-02-26

Well, of course DEP doesn't protect you from a buffer overflow in VM code overwriting your BASIC program, from the CIA, or from you doing sudo evil script. Its target is clear, it makes data execution impossible.

If ASLR is applied on everything on loading the only way the attacker could know the address of important functions is intentionally revealing it or it not being very random in the first place. It would of course be better if the programs didn't link-in the functions in the first place.

Buffer overflow exploits(even when the bug is present) are also a lot less likely if heap addresses are also randomized which Windows does at least to a degree if I can believe Wikipedia, but Linux, for example, doesn't and gives you(by default) the same blocks over and over. You can predict where things will be.

So Windows has implemented good techniques but has other problems which invalidate them. They also have all the other ACLs, jails, managed code, etc. features, that execution prevention naysayers defend as the ultimate solution and that seem to be bypassed easily all the time, without using CPU bugs or whatnot. You see that in the exploits the part they boast about is always breaking EP.

The sudo evil script problem is unfortunately unsolvable, ars(I think) had an article recently on how people would *forward* spam. However, that doesn't mean that exploit prevention is useless. Some people are less gullible than others; they deserve some protection even if it isn't perfect. Maybe you didn't notice, but we don't have viruses anymore like in the 90s.

Reply Parent Score: 2