Author Topic: Vista Pwned?  (Read 11514 times)
Ookii
Staff Emeritus
Posts: 2676

is actually Trippy


on: August 08, 2008, 02:48:50 PM

I apologize if this is already posted.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture.
According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit

Is there any truth to this?

Murgos
Terracotta Army
Posts: 7474


Reply #1 on: August 08, 2008, 03:04:33 PM

That it can't be fixed?

I find it unlikely that anyone credible would make that claim.  It's a program, it can always be changed.  The rest of it?  No clue.

"You have all recieved youre last warning. I am in the process of currently tracking all of youre ips and pinging your home adressess. you should not have commencemed a war with me" - Aaron Rayburn
TripleDES
Terracotta Army
Posts: 1086


Reply #2 on: August 08, 2008, 03:19:19 PM

Probably a bit of hyperbole, but this seems to be a problem that requires a little more than a service pack.

I guess their own code is biting them in the ass. Yet again. I bet Dave Cutler is chewing on a broom right now. As designer of VMS, the poster child for stability and security, he probably didn't intend Windows NT to become this shit fest of current-day Windows.

EVE (inactive): Deakin Frost -- APB (fukken dead): Kayleigh (on Patriot).
eldaec
Terracotta Army
Posts: 11844


Reply #3 on: August 08, 2008, 03:29:42 PM

One day someone needs to explain to me why the fuck we aren't still using VMS for serious business.

"People will not assume that what they read on the internet is trustworthy or that it carries any particular ­assurance or accuracy" - Lord Leveson
"Hyperbole is a cancer" - Lakov Sanite
TripleDES
Terracotta Army
Posts: 1086


Reply #4 on: August 08, 2008, 03:34:28 PM

It's still in use in various places. Like airports, i.e. air traffic control systems. But on older existing systems. New ones will run on "contemporary" operating systems, since coding for VMS is something apparently only senile people still do. Like coding in COBOL, too.

EVE (inactive): Deakin Frost -- APB (fukken dead): Kayleigh (on Patriot).
Trippy
Administrator
Posts: 23657


Reply #5 on: August 08, 2008, 04:00:45 PM

Is there any truth to this?
Have to wait and see what's in their presentation.

One day someone needs to explain to me why the fuck we aren't still using VMS for serious business.
Cause (Open)VMS isn't being kept up to date for the latest hardware (and software trends) so people are using Unix/Linux instead.

Also the creator of VMS went to MS and built NT, which Vista is a descendant of.
eldaec
Terracotta Army
Posts: 11844


Reply #6 on: August 09, 2008, 03:04:04 AM

NT isn't descendant, it's a disowned retarded cousin we don't talk about.

"People will not assume that what they read on the internet is trustworthy or that it carries any particular ­assurance or accuracy" - Lord Leveson
"Hyperbole is a cancer" - Lakov Sanite
Trippy
Administrator
Posts: 23657


Reply #7 on: August 09, 2008, 03:12:06 AM

NT is actually a decent kernel. It's getting a little long in the tooth but it's served MS well for a long time now. The stuff above the kernel however...
Kitsune
Terracotta Army
Posts: 2406


Reply #8 on: August 09, 2008, 03:23:24 AM

The real question is whether this exploit can function when encountered by an account with basic user privileges, or if it only works when someone's logged in as an administrator.  If the former, that's a real 'oh shit' moment; the latter, not so much.  ASLR and DEP aren't the entirety of Vista's security; UAC would also need to be circumvented.  As long as the owner hasn't turned it off.
Engels
Terracotta Army
Posts: 9029

inflicts shingles.


Reply #9 on: August 09, 2008, 09:00:38 AM

I thought UAC -=was=- the security feature in Vista. Sorta the same principle as sudo, cept executed in a way to ensure maximum irritation.

I should get back to nature, too.  You know, like going to a shop for groceries instead of the computer.  Maybe a condo in the woods that doesn't even have a health club or restaurant attached.  Buy a car with only two cup holders or something. -Signe

I LIKE being bounced around by Tonkors. - Lantyssa

Babies shooting themselves in the head is the state bird of West Virginia. - schild
Goreschach
Terracotta Army
Posts: 1546


Reply #10 on: August 09, 2008, 01:09:47 PM

I thought UAC -=was=- the security feature in Vista. Sorta the same principle as sudo, cept executed in a way to ensure maximum irritation.

It's -=a=- security feature. It's not the only thing they added. At any rate, even with UAC deactivated, and this bug able to get around memory protection, that still only puts you at around XP levels of danger. And people have been using XP on the internet for years, without the world imploding. Just use an up-to-date browser with security turned on, don't win free ipods, and don't go to bullshit dubious sites.

Or you can just install noscript, and be done with all of this nonsense, forever.
MahrinSkel
Terracotta Army
Posts: 10859

When she crossed over, she was just a ship. But when she came back... she was bullshit!


Reply #11 on: August 09, 2008, 02:57:40 PM

Back in DX3 days, NT was actually far superior for gaming.  40% framerate boosts going from 98 to NT were typical.  Windows 2000 beta was equally good, until they deliberately pulled DX7 out of it.

--Dave

--Signature Unclear
Salamok
Terracotta Army
Posts: 2803


Reply #12 on: August 09, 2008, 07:08:36 PM

That it can't be fixed?

I find it unlikely that anyone credible would make that claim.  It's a program, it can always be changed.  The rest of it?  No clue.

The claim is that the OS can't be fixed; this is because it is a browser exploit.  Basically, at some fundamental "unfixable" level the OS trusts the browser's opinion as to what is a valid .NET component.  The exploit is basically a way of convincing the browser that any .NET component you load into it is valid, and the OS inherits it.  They as much as say this isn't a Vista-specific flaw, it's an IE flaw that can be applied to other OS's.
Brolan
Terracotta Army
Posts: 1395


Reply #13 on: August 09, 2008, 08:40:41 PM

It's still in use in various places. Like airports, i.e. air traffic control systems. But on older existing systems. New ones will run on "contemporary" operating systems, since coding for VMS is something apparently only senile people still do. Like coding in COBOL, too.

Hey, I make a fuck-load of money coding in COBOL.
Trippy
Administrator
Posts: 23657


Reply #14 on: August 09, 2008, 10:09:07 PM

That it can't be fixed?

I find it unlikely that anyone credible would make that claim.  It's a program, it can always be changed.  The rest of it?  No clue.
No they aren't claiming it can't be fixed:

Quote
In this paper we demonstrated that the memory protection mechanisms available in the latest
versions of Windows are not always effective when it comes to preventing the exploitation of
memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a
good chance of being able to bypass them. Two factors contribute to this problem: the degree to
which the browser state is controlled by the attacker; and the extensible plugin architecture of
modern browsers.

The internal state of the browser is determined to a large extent by the untrusted and potentially
malicious data it processes. The complexity of HTML combined with the power of JavaScript and
VBscript, DOM scripting, .NET, Java and Flash give the attacker an unprecedented degree of
control over the browser process and its memory layout.

The second factor is the open architecture of the browser, which allows third-party extensions
and plugins to execute in the same process and with the same level of privilege. This not only
means that any vulnerability in Flash affects the security of the entire browser, but also that a
missing protection mechanism in a third-party DLL can enable the exploitation of vulnerabilities
in all other browser components.

The authors expect these problems to be addressed in future releases of Windows and browser
plugins shipped by third parties.

Backing up a bit this isn't about hacking UAC or anything like that. It's about bypassing the mechanism MS has been adding to Windows and programs developed for Windows to try and minimize the now ubiquitous "remote code execution" problem. The authors presented a number of techniques for bypassing those protections when going through IE 7.

Paper and code examples are here:

http://taossa.com/index.php/2008/08/07/impressing-girls-with-vista-memory-protection-bypasses/
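Picking up the paper's last point above, that a single third-party DLL loaded into the browser process without the memory protections weakens every other component in that process: the first thing a practitioner checks on a browser's plugin DLLs is whether they actually opted into ASLR and DEP. The following is an added example, not code from the paper, from the forum, or from Microsoft. It is a small Python PE header parser that reads the DllCharacteristics field of the optional header and reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (set by the linker's /DYNAMICBASE, which is what makes an image eligible for ASLR) and the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (set by /NXCOMPAT, the DEP opt-in). The bit values and header offsets are the ones documented in winnt.h and the PE/COFF specification; build_minimal_pe is a constructed, header-only sample so the check runs offline, and the directory path in the main block is only an illustration.

```python
"""Audit PE images (DLLs / EXEs) for the ASLR and DEP opt-in flags.

A module linked without /DYNAMICBASE is mapped at its preferred ImageBase,
handing an attacker a predictable address inside the browser process; one
linked without /NXCOMPAT never asked for DEP. Both flags live in the
DllCharacteristics field of the PE optional header.
"""
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040   # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100      # image declares itself DEP-compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of DllCharacteristics inside the optional header. It is the same
# for PE32 and PE32+: the two layouts only differ before SectionAlignment.
DLLCHAR_OFFSET = 0x46


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("COFF header truncated")
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20  # the COFF file header is always 20 bytes
    if opt_size < DLLCHAR_OFFSET + 2 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]


def protection_report(data: bytes) -> dict:
    """Map DllCharacteristics to the two mitigations the thread is about."""
    flags = pe_dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def audit_directory(path: str) -> dict:
    """Return {path: report} for every PE under `path` missing ASLR or DEP.

    One unprotected module in the browser process is enough to matter, so
    the result lists only the failures.
    """
    weak = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith((".dll", ".exe", ".ocx")):
                continue
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    report = protection_report(fh.read(0x1000))  # headers fit in a page
            except (OSError, ValueError):
                continue  # unreadable, or not really a PE image
            if not (report["aslr"] and report["dep"]):
                weak[full] = report
    return weak


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (no sections) as offline sample input.

    Constructed test data, not a real binary: just enough header for the
    parser above to reach DllCharacteristics.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, flags in (("hardened", DYNAMIC_BASE | NX_COMPAT),
                         ("no ASLR", NX_COMPAT), ("neither", 0)):
        print(label, protection_report(build_minimal_pe(flags)))
    # Real use (illustrative path): audit_directory(r"C:\Program Files\Internet Explorer")
```

Two caveats when reading the output. The flags say what an image asked for, not what it got: DYNAMIC_BASE is only honoured by Vista and later, and on 32-bit processes DEP is ultimately decided by the process-wide policy (opt-in, opt-out, or always on), so a DLL with NX_COMPAT set still runs without DEP inside a process that did not enable it. The check is therefore necessary but not sufficient, which is consistent with the paper's point that the plugins and the host browser have to be hardened together.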
Soln
Terracotta Army
Posts: 4737

the opportunity for evil is just delicious


Reply #15 on: August 10, 2008, 02:10:47 AM

Is it like that Coreflood admin sploit?  I think that's known. Maybe not solved but known.  Dunno.
Trippy
Administrator
Posts: 23657


Reply #16 on: August 10, 2008, 02:28:56 AM

Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #17 on: August 10, 2008, 09:46:05 AM

Hmph.  It's always the browser, isn't it?  If MS just let you deinstall IE, we'd not have these massive holes... at least according to what I can see.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
Salamok
Terracotta Army
Posts: 2803


Reply #18 on: August 10, 2008, 06:47:33 PM

I'm def not a fan of ActiveX browser objects but I really don't think Firefox would be all that much better if it was under the scrutiny that having 80% of the market share brings.

Trippy
Administrator
Posts: 23657


Reply #19 on: August 10, 2008, 07:22:00 PM

Firefox allows plug-ins like Java and Flash that the authors used to demonstrate the problems with Vista's memory protection schemes through IE 7 so it's possible some of those same techniques are transferable to other browsers.
Phred
Terracotta Army
Posts: 2025


Reply #20 on: August 11, 2008, 01:44:46 AM

One day someone needs to explain to me why the fuck we aren't still using VMS for serious business.

Most businesses were sold on NT as an operating system that didn't need professional sysadmins to take care of it.  Now you have your IT staff.  They work cheaper but tend to know a lot less about how to really fix things because they all took their certification from Microsoft, whose solution to everything is buy more software from us.
Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #21 on: August 11, 2008, 07:02:30 AM

I'm not bashing IE over Firefox, it's just that I can actually deinstall Firefox if I choose.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
Mrbloodworth
Terracotta Army
Posts: 15148


Reply #22 on: August 11, 2008, 07:14:21 AM


Today's How-To: Scrambling a Thread to the Point of Incoherence in Only One Post with MrBloodworth . - schild
www.mrbloodworthproductions.com  www.amuletsbymerlin.com
fuser
Terracotta Army
Posts: 1572


Reply #23 on: August 11, 2008, 08:19:22 AM

I thought UAC -=was=- the security feature in Vista. Sorta the same principle as sudo, cept executed in a way to ensure maximum irritation.

It's -=a=- security feature. It's not the only thing they added. At any rate, even with UAC deactivated, and this bug able to get around memory protection, that still only puts you at around XP levels of danger.

Only one thing irritates me about UAC: it blocks remote connection confirmation dialogs, you have to be physically there.. fun things for our VNC support. Other than that I don't see how it's any more annoying than OS X's lock, admin password request, etc.

Edit: Yes i know this is the whole point of UAC, just my only "annoyance" with it ;)
Trippy
Administrator
Posts: 23657


Reply #24 on: August 11, 2008, 08:26:23 AM

Only one thing irritates me about UAC: it blocks remote connection confirmation dialogs, you have to be physically there.. fun things for our VNC support. Other than that I don't see how it's any more annoying than OS X's lock, admin password request, etc.

Edit: Yes i know this is the whole point of UAC, just my only "annoyance" with it ;)
I don't use Vista but I do use Mac OS X so this is only based on what I've read but my understanding is with the default settings with UAC it comes up quite a bit. With OS X it rarely prompts you for your password to do "sudo" type stuff -- i.e. it's mostly when you are installing Apple Software Updates. Regular software installs (which are a trivial click and drag operation) and day to day stuff you never get prompted for your password.
schild
Administrator
Posts: 60350


Reply #25 on: August 11, 2008, 08:34:13 AM

UAC comes up all the time on default settings. First thing I turned off, other than a bunch of graphical effects.
Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #26 on: August 11, 2008, 08:39:20 AM

UAC is a good idea, but I only hear about people turning it off.  With sudo, I can finely control pretty much everything.  Does UAC allow anything other than ON/OFF?

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
schild
Administrator
Posts: 60350


Reply #27 on: August 11, 2008, 08:44:59 AM

UAC is just implemented badly. Things get flagged for protection under it that shouldn't have it. It doesn't quite know if something is good or bad. And it's not set for just Very Specific things. Mostly it's crap. AFAIK there's only On and Off. Morons, sure, I can see them needing it, but then, morons shouldn't be on a computer really.
Engels
Terracotta Army
Posts: 9029

inflicts shingles.


Reply #28 on: August 11, 2008, 08:53:52 AM


I don't use Vista but I do use Mac OS X so this is only based on what I've read but my understanding is with the default settings with UAC it comes up quite a bit. With OS X it rarely prompts you for your password to do "sudo" type stuff -- i.e. it's mostly when you are installing Apple Software Updates. Regular software installs (which are a trivial click and drag operation) and day to day stuff you never get prompted for your password.


I know that on my regular installations of Office 2008 for Mac, I'm prompted for a password. Another thing to bear in mind is that Apple isn't as paranoid as Microsoft in this regard, and can afford not to sudo everything in sight.


I should get back to nature, too.  You know, like going to a shop for groceries instead of the computer.  Maybe a condo in the woods that doesn't even have a health club or restaurant attached.  Buy a car with only two cup holders or something. -Signe

I LIKE being bounced around by Tonkors. - Lantyssa

Babies shooting themselves in the head is the state bird of West Virginia. - schild
Krakrok
Terracotta Army
Posts: 2190


Reply #29 on: August 11, 2008, 11:06:41 AM

Hey, I make a fuck-load of money coding in COBOL.

California needs you!
TripleDES
Terracotta Army
Posts: 1086


Reply #30 on: August 11, 2008, 11:25:29 AM

It would help if UAC allowed for fine grained on-off settings, based on actions and applications. For instance it's nice it kicks in when a random application tries funny business, but it's fucking annoying if Explorer is second guessing every single fucking action I do outside of my profile directory.

EVE (inactive): Deakin Frost -- APB (fukken dead): Kayleigh (on Patriot).
kildorn
Terracotta Army
Posts: 5014


Reply #31 on: August 11, 2008, 11:48:16 AM

UAC is obnoxious with a lot of things. Java updater, certain directories, Manage Computer, etc etc.

It was set to Holy Crap due to the amount of stupid people try to do, and all the flak MS gets for shitty security. That said, a lot of their issues come from IE being a horrible mess, and also being so closely tied to the OS. It's like running a security company that employs a crack addict as its night shift. No matter how good the rest of it is, you still have a goddamned crack addict with keys to the place.
Big Gulp
Terracotta Army
Posts: 3275


Reply #32 on: August 11, 2008, 03:02:07 PM

No matter how good the rest of it is, you still have a goddamned crack addict with keys to the place.

Note to self:  review hiring practices.
Trippy
Administrator
Posts: 23657


Reply #33 on: August 11, 2008, 04:18:00 PM

I don't use Vista but I do use Mac OS X so this is only based on what I've read but my understanding is with the default settings with UAC it comes up quite a bit. With OS X it rarely prompts you for your password to do "sudo" type stuff -- i.e. it's mostly when you are installing Apple Software Updates. Regular software installs (which are a trivial click and drag operation) and day to day stuff you never get prompted for your password.
I know that on my regular installations of Office 2008 for Mac, I'm prompted for a password. Another thing to bear in mind is that Apple isn't as paranoid as Microsoft in this regard, and can afford not to sudo everything in sight.
If Office 2008 requires an "installer" like the kind used in the Windows world then yeah, I'm not surprised it requires a password. Normal Mac apps are self-contained folders and you just drag them to wherever you want to install them (and you can just throw the folder into the Trash to delete), and as long as you have permissions to that folder it won't ask for a password. If the install is so complicated that it has to spread crap all over the place including "system" folders (which is typically what the Apple Software Updates need to do) then you'll need your password.
Engels
Terracotta Army
Posts: 9029

inflicts shingles.


Reply #34 on: August 11, 2008, 06:25:47 PM

If the install is so complicated that it has to spread crap all over the place

Sounds about right for a Windows product installation...

I should get back to nature, too.  You know, like going to a shop for groceries instead of the computer.  Maybe a condo in the woods that doesn't even have a health club or restaurant attached.  Buy a car with only two cup holders or something. -Signe

I LIKE being bounced around by Tonkors. - Lantyssa

Babies shooting themselves in the head is the state bird of West Virginia. - schild