
Post subject: Windows security rendered useless? Uh, not exactly
Posted: Fri Aug 15, 2008 7:56 am

The article is long, so I won't post the entire thing here. Just follow the link if you're enticed to by the following.

Oh dear. The Chicken Little contingent is out in full force. Break out your Kevlar helmets, everyone, because the sky is falling on Windows! At last week’s Black Hat conference in Las Vegas, researchers Alexander Sotirov and Mark Dowd presented a paper that outlined some new attack vectors they had discovered targeting some security features introduced in different versions of Windows XP and Windows Vista. It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code.

Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries, most notably the one provided by SearchSecurity, which was picked up by Slashdot and our own Adrian Kingsley-Hughes. Alas, those stories are wildly inaccurate and hopelessly sensationalized.

The “rendered useless” quote is in the headline from SearchSecurity’s article, which breathlessly asserts:

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems.

I’ll skip right over the implication in that first statement, that the author of the SearchSecurity article hadn’t yet read the paper and was instead relying on second- and third-hand accounts. As for the contention that “there is little that Microsoft can do,” maybe we should ask Sotirov and Dowd, who conclude their paper with this matter-of-fact statement:

The authors expect these problems to be addressed in future releases of Windows and browser plugins shipped by third parties.

The “rendered useless” meme was picked up by Adrian, who led off his story with this alarming oversimplification:

So, in a stroke, two security researchers (Mark Dowd of IBM and Alexander Sotirov or VMware) at Black Hat have set browser security back 10 years and rendered Vista’s security have been rendered useless … [sic] I’m surprised that it took this long for the walls to come tumbling down, but I have to admit I didn’t expect all of them to come down at once like that!

And then, three paragraphs later, he notes, “The sky isn’t falling in.”

OK, so which is it? One clue is that Adrian’s piece doesn’t include a single quote from the original paper. It has no discussion of the exploit techniques as described by the authors, nor does it include any commentary from the authors or from anyone who saw their talk in Las Vegas. Instead, it echoes the wording of the SearchSecurity article.

If you read the authors’ actual words, not the sensationalist and wildly inaccurate news accounts, you get a completely different story. Here’s how the authors describe the talk they gave at Black Hat, for example:

Specifically, we will be discussing how rich browser functionality can be utilized to help lessen the impact of memory protections (and in some cases, completely negate them). Some of the techniques we will be discussing are known ones, whereas others are new approaches that we haven’t seen discussed in public forums before.

Memory protection is one part of a comprehensive, multi-layered approach to security. Microsoft calls this approach “defense in depth,” and specifically makes the point that features like this will always be under attack and will eventually be defeated. If you don’t believe me, listen to Microsoft’s Michael Howard, security expert and author of Writing Secure Code, who predicted this back in 2006:

There are two overarching goals at work – the first is to reduce the number of bugs in the code, and the second is to make it harder to reliably exploit any bugs that remain. … [W]e can do the very best we could possibly do, but Windows Vista will be in the market place for years and in that time, I can guarantee new attack techniques will be discovered, as will new bug types, and we can’t necessarily anticipate the future. Also, our tools are not perfect; we know they won’t find all vulnerable code. With that in mind, we must add other defenses.

So how does defense in depth work? Well, an attack has to start with code that exploits a system vulnerability, such as a buffer overrun that allows an attacker’s code to execute on a target machine. The victim has to be induced to actually run that code (in this case, by visiting a booby-trapped web page). The example that Sotirov and Dowd use is the ANI cursor vulnerability, which was unveiled and patched in early 2007. The best defense against this type of vulnerability is to fix it before it’s released; the next layer of defense is to quickly patch vulnerabilities like this after they’re disclosed. Well-written antivirus software can identify and block specific exploits and can also detect and stop generic attacks. What Windows Vista adds to the mix is a set of memory protection features that make it more difficult for attackers to run code remotely. Note that I said “more difficult,” not “impossible.”

The sensationalist stories about this paper start with the amateurish viewpoint that memory protection was designed to be an infallible security barrier. Security professionals inside and outside Microsoft know otherwise.


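
An added example, not part of the post above or of the article it quotes, for the first layer in the defense-in-depth description: fixing the bug before it ships. It shows the shape of a classic buffer overrun, an unchecked copy of attacker-controlled length into a fixed-size stack buffer, beside a bounded version that rejects oversized input. The record format (a 4-byte little-endian length prefix followed by name bytes), the function names and the sample records are all constructed for this illustration; the ANI format itself is not modelled. Memory protections such as DEP, ASLR and stack cookies only make the first function harder to exploit; the second removes the bug.

```c
/* Added example (not from the post or the article it quotes): an unchecked
 * length-prefixed copy beside its bounded form. Record layout, names and
 * sample data are constructed for illustration, not a real file format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* size of the fixed stack buffer both parsers copy into */

/* Vulnerable form: trusts the caller-supplied length and copies it straight
 * into a 16-byte stack buffer. With len > NAME_BUF the copy runs past the end
 * of the frame; this is the kind of bug memory protections only make harder
 * to exploit, they do not remove it. Returns the number of bytes copied.
 * Only ever call it with len <= NAME_BUF. */
int parse_name_unchecked(const uint8_t *data, size_t len)
{
    char name[NAME_BUF];
    memcpy(name, data, len);          /* BUG: len is never checked against sizeof name */
    return (int)len;
}

/* Hardened form: validates the untrusted length before touching the buffer
 * and fails closed. Returns bytes copied, or -1 if the input was rejected. */
int parse_name_checked(const uint8_t *data, size_t len)
{
    char name[NAME_BUF];
    if (data == NULL || len >= sizeof name)   /* keep one byte for the terminator */
        return -1;
    memcpy(name, data, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed record format: 4-byte little-endian length, then that many
 * name bytes. Returns bytes copied, -1 if the declared length would overrun
 * the name buffer, -2 if the record is shorter than its own length field. */
int parse_record(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 4)
        return -2;
    uint32_t declared = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8)
                      | ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);
    if (declared > rec_len - 4)       /* claims more bytes than are present */
        return -2;
    return parse_name_checked(rec + 4, declared);
}

/* Constructed sample records: one well-formed, one whose declared length
 * (20) exceeds the 16-byte buffer, one truncated before its declared end. */
static const uint8_t GOOD_RECORD[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t OVERSIZED_RECORD[] = {
    20, 0, 0, 0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};
static const uint8_t TRUNCATED_RECORD[] = { 9, 0, 0, 0, 'h', 'i' };

int main(void)
{
    printf("good record:      %d\n", parse_record(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("oversized record: %d\n", parse_record(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD));
    printf("truncated record: %d\n", parse_record(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD));
    return 0;
}
```

The oversized record is exactly the input that turns parse_name_unchecked into a stack overrun; parse_record never reaches a copy for it because the length is rejected first. Stack cookies, DEP and ASLR would each add a hurdle for an attacker feeding that record to the unchecked version, which is the "more difficult, not impossible" layer the article describes, whereas the checked version has no overrun to mitigate.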