The Mac Observer

Skip navigational links

Choose text size: Select small text. Select medium text. Select large text.

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Researchers at Black Hat Reveal Major Vista Security Issue

Researchers at Black Hat Reveal Major Vista Security Issue

by , 2:00 PM EDT, August 8th, 2008

On day two of the Black Hat security conference, Mark Dowd with IBM and Alexander Sotirov with VMware presented a paper on a technique to completely bypass the memory protection features of Microsoft Vista along with recommendations to Microsoft.

In their talk, entitled, "How to Impress Girls with Browser Memory Protection Bypasses," the researchers showed how take advantage of the way IE and other browsers handle active scripting in the OS.

The description of the presentation from the Black Hat conference said:

"Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

"This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

"Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. We will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, we will discuss what Microsoft can do to increase the effectiveness of the memory protections at the expense of annoying Vista users even more."

Vista, as well as Mac OS X and Linux, uses a technique called ASLR to randomly change the locations of certain addressable memory locations so that malware cannot insert executable code. It's not a substitute for secure code, but can reduce vulnerability. Mr. Dowd's presentation focused on how to get around ASLR and other techniques like Data Execution Prevention (DEP).

Back in June, Mr. Dowd predicted that his coming demonstration would obliterate Vista security improvements.

"We're going to show a couple of ways you can tip the odds in your favour so vulnerabilities can be easily exploited by techniques that bypass these protection mechanisms," he said. "Some completely obliterate the protections."

According to neowin.net, Dino Dai Zovi, a popular security researcher said, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

Microsoft is aware of the issue, and the verdicts are just starting to come in how how serious this breach is and what can be done to prevent it. The good news is that as these exploits are discovered and analyzed by the good guys at conferences like Black Hat, the OS vendors can work to remain one step ahead of the bad guys.

Observer Comments

Show: Subjects Only | Full Comments
Close Name:Guest
Thu Aug 14, 2008 12:57 pm Subject: True Origins of this "Bug."

Ultimately the cause of such errors such as buffer overruns, which is one of the oldest hacking techniques, is not the OS. Vista simply can not stop flaws created by 3rd party apps, it can however slow them down. If you pay attention to recommended settings, and the admin elevation pop ups, and do as Microsoft recommends (do not log on as admin, elevate as needed,) then most problems are avoided. Also, this bug applies to XP as well. Vista's security is not broken, just not as rock solid as we initially thought.


 Reply | Quote
Comment on this Article


Guest Posts Visible. Hide Them.
Back to top  Page 1 of 1    

You cannot edit your comments.   You cannot delete your comments.

Comments are currently closed. Please email the author instead.


Recent Headlines - Updated February 11th

Fri, 8:10 PM
News - Apple Sues Motorola Mobility in California Over German Case
7:54 PM
Free on iTunes - OnLive Desktop: Windows & Office on Your iPad
7:43 PM
Product News - Apple Rolls Out MacBook Air Configurations for Education
6:35 PM
Just a Peek - Battle Pocket Bulge With The Hint for iPhone
6:01 PM
Rumor - Apple Reportedly Bringing MacBook Air Styling to Pro Line
4:50 PM
Particle Debris - The Hidden Gotchas of Browser Security
3:56 PM
Apple Stock Watch - Analyst: Paying a Dividend Makes Sense for Apple
2:58 PM
Deal Brothers - iMac 27-inch 2.93GHz Intel Quad-Core i7 processor:  $1,999
2:45 PM
In-Depth Review - Theodolite App for iOS is Breathtaking
12:52 PM
Apple Stock Watch - Mizuho Securities Starts Apple Coverage with $635 Target
11:35 AM
Hot Forum Topic - Forum Poll: Are You Planning on Buying a New iPad?
11:00 AM
Analysis - Competitors Size up Apple’s iBooks Author

The Mac Observer Reader Specials

  • TypeStyler 11 is now in the Mac App Store!! -- Special Introductory Price of $59.95!! -- To Buy From The Mac App Store Click Here Now!! Or buy direct from Strider Software.
  • Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
  • Poker Mac If you're using a Mac, then you've gotta check out Online Poker Mac. This mac poker and online casino mac site actually does the unthinkable, it actually rewards!
  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!