August 11th, 2008

Alarmed about Vista security? Black Hat researcher Alexander Sotirov speaks out

Posted by Ed Bott @ 5:57 pm

Categories: Internet Explorer, Security, Windows Vista, Windows XP

Tags: Black Hat, Paper, Microsoft Windows XP, Vulnerability, Microsoft Windows Vista, Microsoft Corp., Web Browser, Exploitation, Microsoft Windows, Microsoft Windows Vista (Longhorn)

Earlier today I published a lengthy blog post questioning some of the sensationalist conclusions raised in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas. (See Windows security rendered useless? Uh, not exactly…) As I noted in that post:

It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.

This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:

Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.

Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won’t take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.

I just got off the phone with Alex, who took time out of his busy schedule to answer a few follow-up questions:

What was the atmosphere like at Black Hat? How was your paper received by people in the audience?

Positive. A lot of people in the audience seemed to really like the paper. A lot of them came up and asked more questions afterward. Everybody who talked to me said it was pretty impressive.

Did you get any reaction from Microsoft?

Microsoft had contacted us before Black Hat. We had some conference calls and sent them an early draft a few weeks ago. In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. It was a very positive experience working with Microsoft. Our research is helping them learn where they need to focus their resources and where they need to improve. We did not take any of the vendors by surprise. Also through Microsoft, both Adobe and Sun were notified about the paper. We haven’t spoken to them directly, but the Microsoft people have, I believe.

Is there any exploit code or proof of concept code available yet for the techniques you describe?

Well, we only gave the paper last week, so I doubt that anyone is using any of these techniques right now. What we presented is weaknesses in the protection mechanism. It still requires the attacker to have a vulnerability. Without the presence of a vulnerability these techniques don’t really [accomplish] anything. We used the ANI cursor vulnerability that had been patched. We chose this example because it worked on XP and Vista, but the example we used would not work [in the real world] because this issue was patched already.

Do you have any advice for Windows users today? Should they be alarmed?

As long as they follow standard security practices — use antivirus products and other typical things that are good standard policy — they shouldn’t have anything to worry about. Our research is to some extent academic. The articles that describe Vista security as “broken” or “done for,” with “unfixable vulnerabilities” are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we’re bypassing don’t even exist. XP is even less secure than Vista in this respect. What we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.
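The two answers above make one defensive point: the techniques in the paper weaken Vista's memory protections, which still only matter once an attacker already holds a memory-corruption bug, and XP lacks those protections entirely. A practical check a defender can run is whether the binaries actually in use opt into those protections at all. The following is an added example written for this page, not code from the interview, the paper, or Microsoft. It assumes the protections Sotirov refers to are DEP and ASLR (the interview names neither), which a Windows binary opts into via the `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` (0x0100) and `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (0x0040) bits of the PE optional header's `DllCharacteristics` field. The function and parameter names (`mitigation_flags`, `build_minimal_pe`, `check_file`) are my own, and `build_minimal_pe` fabricates a header-only image purely so the example runs offline.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at this offset in both PE32 and PE32+ optional headers
# (PE32+ widens ImageBase to 8 bytes but drops BaseOfData, so the offset is unchanged).
DLLCHARACTERISTICS_OFFSET = 70


def mitigation_flags(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers in `data` and report DEP/ASLR opt-in."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20                                       # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dllchar,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image, not a real or loadable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Report DEP/ASLR opt-in for a PE file on disk (hypothetical helper name)."""
    with open(path, "rb") as f:
        return mitigation_flags(f.read())


if __name__ == "__main__":
    # Constructed samples: one legacy image with no opt-in, one that opts into both.
    for label, flags in (("legacy (no opt-in)", 0), ("hardened (NX_COMPAT|DYNAMIC_BASE)", 0x0140)):
        print(f"{label}: {mitigation_flags(build_minimal_pe(flags))}")
```

A binary without `nx_compat` or `dynamic_base` set is the case Sotirov describes for XP: the platform protection may exist, but this module never asked for it, so the "not as great as thought" advantage of Vista shrinks to nothing for that module. Running `check_file` over the DLLs a browser loads (its plugins in particular, which is where the paper's Flash and Java examples live) is the inventory a defender wants before deciding how alarmed to be.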

Your research focuses on weaknesses in browsers. Does the movement to doing more in the browser mean the danger is increasing?

Browsers are used more widely than they were five years ago. A lot more businesses rely on browsers now to do [everyday work]. Businesses could have blocked access to the web five years ago, but with widespread use of the web as an interface, the importance of the browser has increased. It’s a lot harder to tell people they cannot use a browser. The possibility of a vulnerability in the browser affects their security.

One last question. Your paper was entitled “How to Impress Girls with Browser Memory Protection Bypasses.” In a blog post, your partner Mark Dowd said you were going to be conducting “ongoing research” on this subject in Las Vegas. Did you really flood your hot tub at Caesars Palace?

Uh… [pause] Yeah.

Thanks for your time.

You’re welcome.

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

