August 9th, 2008

Windows broken ... I'm surprised it took this long

Posted by Adrian Kingsley-Hughes @ 9:52 am

Categories: Microsoft, Security, Software, Thoughts, Vista

Tags: microsoft windows vista, microsoft corp., data execution prevention, microsoft windows vista (longhorn), microsoft windows, security, operating systems, software, adrian kingsley-hughes

So, in a stroke, two security researchers (Mark Dowd of IBM and Alexander Sotirov of VMware) at Black Hat have set browser security back 10 years and rendered Vista’s security next to useless (PDF of paper here - site currently Slashdotted …).

Some random thoughts in no particular order …

  • First off, I’m surprised that it took this long for the walls to come tumbling down, but I have to admit I didn’t expect all of them to come down at once like that! After boasting about Vista’s heightened security, Microsoft is now left with a serious amount of egg on its face.
  • While there’s a lot of cool stuff discussed in the paper, many of the vulnerabilities come down to running insecure applications. Not only does Microsoft need to up its game, it needs to get developers who are pumping out applications to do the same.
  • The sky isn’t falling in, but this does make things a lot easier for the bad guys.
  • You can’t trust software to protect itself, and we need to combine hardware and software. One example: under Vista, DEP (Data Execution Prevention) isn’t enforced well enough. It’s only partially enabled, and if switched fully on too many applications fail. This is unacceptable. I’m sure that DEP isn’t perfect either, but it’s another layer that hackers have to get through.
  • It’ll be interesting to see how Microsoft spins this. The paper has huge implications and fixing these issues is going to be tricky. Given how long we can expect Vista to be around I expect that Microsoft will try to fix things in a future service pack. These issues are going to haunt Windows for years.
  • Where does this leave Windows 7? I would have expected Microsoft to have ported the security features from Vista into 7, but this paper kinda makes that obsolete. If Microsoft is going to make a stab at fixing these issues then this could very well delay Windows 7.
  • Now that Vista’s defenses have been crippled, we’re back to relying on third-party security applications to detect malicious code … some things don’t change.

[UPDATED: Source code here.]

[UPDATE: Since Ed Bott has picked up on this issue and has disagreed with some points I made, I'll post my response to his post here too:

... I know you read the paper because I sent you the PDF, but it seems you failed to notice a few things.

You accuse me of "alarming oversimplification" with the "set browser security back 10 years" quote, yet you seem to have overlooked that the authors themselves used that as the subheading to the paper.

Also, you seem to emphasise that Vista's memory protection features were supposed to make attacks "more difficult," not "impossible" (a viewpoint that I agree with), but you don't follow on from that to the logical conclusion of this paper: that these defenses have, in part at any rate, been undone, so the "more difficult" argument is now quickly becoming moot.

Also, you seem to have been selective in choosing quotes. From page 1 of the paper:

"We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers."

And the paper goes on to back that up ... in spades. This isn't an issue about defense in depth, it's about the quality of those defenses. From the paper again:

"Since real-world exploitation requires bypassing multiple memory protections, we will present several ways in which these techniques can be combined to achieve remote code execution."

Defense in depth is a non-starter if the bad guys can bypass enough of them to achieve their nefarious goals.

You said: "If you read the authors' actual words, not the sensationalist and wildly inaccurate news accounts, you get a completely different story."

Quotes directly from the paper:

- "Setting back browser security by 10 years"

- "We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers."

- "The design and implementation of the memory protection mechanisms in Windows have a number of limitations that reduce their effectiveness."

- There are dozens more to choose from ... but I think that the conclusion is worth repeating: "In this paper we demonstrated that the memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a good chance of being able to bypass them." ... defense in depth shot down in flames.

You said: "One of the biggest targets of the work by Sotirov and Dowd is Address Space Layout Randomization (ASLR)."

GS, SafeSEH, heap protection and DEP are also covered. These are separate from ASLR.

You said: "The idea that they've been completely blindsided by the revelations in a single Black Hat paper and that they'll have to scrap the entire architecture of the Windows platform is naive, to put it charitably."

Good for Microsoft, Ed, but tell me how this helps me, in the now, better protect systems?

Sure, this paper doesn't foretell the apocalypse, but it's enough for me, personally, to begin asking myself which OS is best to protect me and mine from the bad guys out there.

Link to Ed Bott's post.]

[UPDATED: Bruce Schneier's take on this. Three words: "This is huge."

Now when it comes to this kind of stuff, Schneier is one of the smartest on the planet, and when he speaks, I for one am going to sit up and pay attention.]

[UPDATED: Further commentary by Schneier:

"Here's commentary that says this isn't such a big deal after all. I'm not convinced; I think this will turn out to be a bigger problem than that."

Again, I have to choose a side to believe here (Schneier vs. Ars Technica), and I'm siding with Schneier.]

Thoughts?

Adrian Kingsley-Hughes: Adrian is a technology journalist and author who has devoted over a decade to helping users get the most from technology. He also runs a popular blog called The PC Doctor. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 193):

It's called layered security folks!
Much like defenses around a castle. Each one was designed to SLOW the advance of an enemy and make it that much more difficult to take over the castle but ultimately, any enemy who spends enough time ... (Read the rest)
Posted by: beldar33@... on 08/20/09
