Linked by Thom Holwerda on Thu 25th Mar 2010 22:20 UTC
Privacy, Security, Encryption

It's that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don't read too much into that one, please).
Thread beginning with comment 415414
RE[2]: Windows 7 secure? Ha!
by Mike Pavone on Fri 26th Mar 2010 22:38 UTC in reply to "RE: Windows 7 secure? Ha!"
Mike Pavone, member since 2006-06-26

DEP is 100% unbreakable if permissions are set correctly.

No it's not. DEP prevents you from running code out of the stack or a data buffer, but you can still overwrite the return address on the stack to jump to an arbitrary point inside the code of the app itself or a library it uses. By carefully piecing together these fragments of code you can effectively do just about anything.

Now ASLR makes these kinds of attacks much more difficult (particularly on 64-bit systems) if implemented properly.

Score: 1
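The mechanism described in the comment above, as an added example that is not part of the thread and not anyone's real exploit: a miniature machine whose memory is split into an executable "text" half and a never-executable "data" half, with a stack buffer that is overflowed by attacker input. The instruction set, gadget addresses, buffer layout and the value 42 are all made up for illustration. The first attack drops code into the buffer and returns into it, which DEP stops; the second overwrites the return address with a list of addresses of fragments that already exist in the program's own text, so no byte in the data region is ever fetched as an instruction and DEP has nothing to object to.

```c
/* Added example, not from the thread: a miniature machine that models what DEP blocks
 * and what it does not.  Memory is one byte array; the low half is "text" (executable,
 * holds the victim's own code) and the high half is "data" (writable, never executable).
 * The stack lives in data and holds one-byte return addresses.  The attacker controls
 * only the bytes copied into a stack buffer.  Every opcode and address here is made up. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE 256
#define TEXT_END 128                    /* [0,128) executable, [128,256) data only */
#define BUF_ADDR 232                    /* the vulnerable 8-byte stack buffer        */
#define BUF_SIZE 8
#define RET_SLOT (BUF_ADDR + BUF_SIZE)  /* saved return address sits right above it  */

enum op { OP_SET_A = 1, OP_POP_A, OP_SYSCALL, OP_RET, OP_HALT };
enum outcome { RAN_HALT, DEP_FAULT, BAD_IP };

/* Fragments that already exist in the victim's text, each ending in RET: the gadgets.
 * There is no SET_A anywhere in text: the only way to load a chosen value is to pop it. */
enum { G_POP_A = 0, G_SYSCALL = 2, G_HALT = 4 };
static const uint8_t VICTIM_TEXT[] = { OP_POP_A, OP_RET, OP_SYSCALL, OP_RET, OP_HALT };

struct machine {
    uint8_t mem[MEM_SIZE];
    int ip, sp, a;           /* stack grows down: pop() reads mem[sp] then increments */
    int syscall_arg;         /* argument of the last "syscall", -1 if none happened   */
};
static enum outcome last_outcome;        /* why the most recent run stopped */

static int pop(struct machine *m)
{
    return m->sp < MEM_SIZE ? m->mem[m->sp++] : -1;   /* -1 becomes an invalid ip */
}

/* The bug: `in` is copied into the 8-byte buffer with no length check, so bytes 8 and
 * up land on the saved return address and the stack slots above it.  The function then
 * "returns" and the machine runs until HALT, a DEP fault, or an invalid fetch. */
static enum outcome exploit_and_run(struct machine *m, const uint8_t *in, size_t len, int dep)
{
    memset(m, 0, sizeof *m);
    memcpy(m->mem, VICTIM_TEXT, sizeof VICTIM_TEXT);
    m->syscall_arg = -1;
    m->mem[RET_SLOT] = G_HALT;                           /* the legitimate return target */
    for (size_t i = 0; i < len && BUF_ADDR + i < MEM_SIZE; i++)
        m->mem[BUF_ADDR + i] = in[i];
    m->sp = RET_SLOT;
    m->ip = pop(m);                                      /* the vulnerable function returns */
    for (int steps = 0; steps < 64; steps++) {
        if (m->ip < 0 || m->ip >= MEM_SIZE) return BAD_IP;
        if (dep && m->ip >= TEXT_END) return DEP_FAULT;  /* instruction fetch from data */
        switch (m->mem[m->ip++]) {
        case OP_SET_A:   if (m->ip >= MEM_SIZE) return BAD_IP;
                         m->a = m->mem[m->ip++]; break;
        case OP_POP_A:   m->a = pop(m); break;
        case OP_SYSCALL: m->syscall_arg = m->a; break;
        case OP_RET:     m->ip = pop(m); break;
        case OP_HALT:    return RAN_HALT;
        default:         return BAD_IP;
        }
    }
    return BAD_IP;
}

/* Attack 1, 1990s style: shellcode in the buffer, return slot pointed back at the buffer.
 * Returns the argument the attacker got passed to "syscall", or -1 if the attack failed. */
static int shellcode_attack(int dep)
{
    struct machine m;
    uint8_t payload[BUF_SIZE + 1] = { OP_SET_A, 42, OP_SYSCALL, OP_HALT };  /* rest is padding */
    payload[BUF_SIZE] = BUF_ADDR;          /* overwritten return address -> into the data region */
    last_outcome = exploit_and_run(&m, payload, sizeof payload, dep);
    return m.syscall_arg;
}

/* Attack 2, return-oriented: nothing new is ever executed.  The overwritten return slot
 * and the slots above it are a list of addresses of existing fragments and their operands:
 * ret -> POP_A (pops 42) -> ret -> SYSCALL -> ret -> HALT. */
static int rop_attack(int dep)
{
    struct machine m;
    uint8_t payload[BUF_SIZE + 4] = { 0 };
    const uint8_t chain[] = { G_POP_A, 42, G_SYSCALL, G_HALT };
    memcpy(payload + BUF_SIZE, chain, sizeof chain);
    last_outcome = exploit_and_run(&m, payload, sizeof payload, dep);
    return m.syscall_arg;
}

int main(void)
{
    static const char *why[] = { "halted cleanly", "DEP fault", "invalid fetch" };
    int r;
    r = shellcode_attack(0); printf("shellcode, DEP off: syscall(%d), %s\n", r, why[last_outcome]);
    r = shellcode_attack(1); printf("shellcode, DEP on:  syscall(%d), %s\n", r, why[last_outcome]);
    r = rop_attack(1);       printf("ROP chain, DEP on:  syscall(%d), %s\n", r, why[last_outcome]);
    return 0;
}
```

The point to take from the toy: the ROP payload is nothing but data (addresses and an operand) sitting on the stack, and the machine only ever fetches instructions from addresses below TEXT_END. That is exactly why a non-executable stack does not help here, and why knowing where the gadgets live (which ASLR takes away) is what the attack depends on.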

RE[3]: Windows 7 secure? Ha!
by sakeniwefu on Sat 27th Mar 2010 03:08 in reply to "RE[2]: Windows 7 secure? Ha!"
sakeniwefu, member since 2008-02-26

Well, of course DEP doesn't protect you from a buffer overflow in VM code overwriting your BASIC program, from the CIA, or from you doing "sudo evil script". Its target is clear: it makes data execution impossible.

If ASLR is applied to everything at load time, the only way the attacker could know the address of important functions is by it being intentionally revealed or by it not being very random in the first place. It would of course be better if the programs didn't link in the functions in the first place.

Buffer overflow exploits (even when the bug is present) are also a lot less likely if heap addresses are also randomized, which Windows does at least to a degree, if I can believe Wikipedia, but Linux, for example, doesn't and gives you (by default) the same blocks over and over. You can predict where things will be.

So Windows has implemented good techniques but has other problems which invalidate them. They also have all the other features (ACLs, jails, managed code, etc.) that execution prevention naysayers defend as the ultimate solution and that seem to be bypassed easily all the time, without using CPU bugs or whatnot. You see that in the exploits: the part they boast about is always breaking EP.

The "sudo evil script" problem is unfortunately unsolvable; Ars (I think) had an article recently on how people would *forward* spam. However, that doesn't mean that exploit prevention is useless. Some people are less gullible than others; they deserve some protection even if it isn't perfect. Maybe you didn't notice, but we don't have viruses anymore like in the 90s.

Score: 2

PlatformAgnostic, member since 2006-01-02

Windows caches and hands out the same blocks over and over too. It's better for efficiency that way.

Score: 2
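The two comments above make claims about whether heap (and stack) placement varies between runs. Rather than believe Wikipedia, this can be measured directly on a Linux host; the script below is an added example, not from the thread. It reads /proc/self/maps in a fresh process several times and counts how many distinct heap and stack base addresses appear, prints the kernel's randomize_va_space knob (0 = off, 1 = stack/mmap/vdso, 2 = also the brk heap), and, if util-linux's setarch is installed, shows the same mapping with ASLR disabled for the child via setarch -R for contrast. Assumptions: /proc is mounted and readable, and the sample count of 8 is arbitrary.

```sh
#!/bin/sh
# Added example, not from the thread.  Samples the base address of a fresh
# process's [heap] and [stack] mappings several times and counts how many
# distinct values turn up: with ASLR active the count grows with the number
# of samples; without it every run reports the same address.
# Linux only.  ASSUMPTION: /proc is mounted and readable.

# Start address of the mapping named "[$1]" (heap or stack) in one fresh process.
# Each `cat /proc/self/maps` is its own process, so every call is an independent sample.
region_start() {
    cat /proc/self/maps | awk -v want="[$1]" '$6 == want { split($1, r, "-"); print r[1]; exit }'
}

# Number of distinct start addresses seen for region $1 across $2 fresh processes.
distinct_starts() {
    n=0
    while [ "$n" -lt "$2" ]; do
        region_start "$1"
        n=$((n + 1))
    done | sort -u | wc -l | tr -d ' '
}

# System-wide setting: 0 = off, 1 = stack/mmap/vdso randomized, 2 = brk heap as well.
aslr_setting() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown
}

report() {
    samples=${1:-8}
    echo "randomize_va_space = $(aslr_setting)"
    for region in heap stack; do
        echo "$region: $(distinct_starts "$region" "$samples") distinct base(s) in $samples runs"
    done
    # Contrast: setarch -R (util-linux) runs one command with address randomization
    # turned off for that process, which is what "the same blocks over and over" looks like.
    if command -v setarch >/dev/null 2>&1; then
        echo "with setarch -R (ASLR off for the child):"
        for i in 1 2 3; do
            setarch "$(uname -m)" -R cat /proc/self/maps | awk '$6 == "[heap]" { print "  heap at " $1 }'
        done
    fi
}

report "$@"
```

Run it as `sh aslr_check.sh` (or with a sample count as the first argument). A count of 1 distinct base across many runs for a region means that region is not being randomized on that box; a count close to the sample count means it is. The setarch block is the quickest way to see what a non-randomized layout looks like on the same machine without touching the sysctl.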

RE[4]: Windows 7 secure? Ha!
by darknexus on Sat 27th Mar 2010 17:28 in reply to "RE[3]: Windows 7 secure? Ha!"
darknexus, member since 2008-07-15

Maybe you didn't notice, but we don't have viruses anymore like in the 90s.

Funny, I guess I must be imagining all these XP machines people are still using that I *still* end up having to remove viruses from. Maybe you didn't notice, but there aren't a whole lot of consumers throwing away their three or four year old hardware for a Windows 7 machine and many of them don't know how to upgrade or even that they should. Hell, some of them did upgrade and didn't like it and what did they do? Back to XP... and back to virus hell. As long as XP survives, we will never be free of this.
Yes, we still do have those viruses.

Score: 2