Unixronin

Thursday, August 7th, 2008 05:29 pm

LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

The new attack technique makes use of (yeah, you guessed it) Internet Explorer, and the way it and Vista handle .NET objects and active scripting, in order to load arbitrary code into any desired location on the target machine.  The attack does not exploit any particular vulnerability or pre-existing exploit, but rather is based on the underlying architecture of Vista itself.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author.  "They have attacks that let them load chosen content to a chosen location with chosen permissions.  That's completely game over."

"What this means is that almost any vulnerability in the browser is trivially exploitable," Dai Zovi added.  "A lot of exploit defenses are rendered useless by browsers.  ASLR and hardware DEP are completely useless against these attacks."

[...]

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities.  As a result, he said, there may soon be similar techniques applied to other platforms or environments.

"This is not insanely technical.  These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said.  "I definitely think this will get reused soon, sort of like heap spraying was."

It'll be interesting to see the fallout from this.  And probably not "interesting in a good way."

Interesting thought from xnguard, elsewhere:  "Can this be exploited via Firefox if the .NET plugins are installed?"

Thursday, August 7th, 2008 09:43 pm (UTC)
Heh. It's a goddamn small world. I'm friends with Dino. He's from the 'Burque.
Thursday, August 7th, 2008 10:16 pm (UTC)
jilara maintains there's actually only about a thousand real people in the world, and they all know each other.


(Of course, if that's true, I want to know which 501 asshats voted for Bush.)
Thursday, August 7th, 2008 10:18 pm (UTC)
Nah, the vote counts are generated by the simulation hardware.
Thursday, August 7th, 2008 10:53 pm (UTC)
"Will you take the blue pill ... or the red pill?"
Thursday, August 7th, 2008 09:43 pm (UTC)

<scream type="primal" profession="security geek" intensity="xx-high">
    Auuuuuuuuuuuuuuuuuugh!
</scream>

Thursday, August 7th, 2008 10:08 pm (UTC)
I'm not quite sure how to take that. ;)
Friday, August 8th, 2008 03:24 am (UTC)
Before you barricade and reinforce the door, install the side walls and roof.

The real beauty is that IE is now a part of the OS, and cannot be uninstalled. As we move to executing more and more programs via the web, this is an inevitable exploit. Kind of makes you think hard about cloud computing.
Friday, August 8th, 2008 10:47 am (UTC)
"The real beauty is that IE is now a part of the OS, and cannot be uninstalled."
So much for consent decrees etc, huh?
"As we move to executing more and more programs via the web, this is an inevitable exploit. Kind of makes you think hard about cloud computing."
Honestly, I've never thought cloud computing was something I much felt like trusting.
Friday, August 8th, 2008 04:06 pm (UTC)
"I've never thought cloud computing was something I much felt like trusting."


Likewise. Apart from the security concerns, it seemed like a way for servicing companies to justify charging for incremental use of software instead of a license. It looks like the gift that you will just keep paying for and paying for. Kind of like a tribble that eats your bank account and budget.