Many of the security measures Microsoft has implemented and touted for Windows Vista have been compromised through a single exploit, a presentation made at this week's Black Hat hacking conference claims. IBM Information Security Systems' Mark Dowd and VMware's Alexander Sotirov have found a method that uses scripting systems such as Java and elements of the .NET framework in Windows-based web browsers to arbitrarily run code on Vista systems. Internet Explorer is particularly vulnerable due to its use of ActiveX. The malicious code not only negates the effectiveness of Vista's Address Space Layout Randomization and Data Execution Prevention technologies, which respectively randomize the location of some code in memory and prevent executing code from outside a certain memory space, but specifically abuses their behavior to ensure an attack gets through.
Microsoft is also unlikely to have any way of patching against the approach, since it can be reused whenever another vulnerability is found in a web browser. Such programs are also often the one Internet-based program that is often unblocked by security software and would thus thwart simple defense mechanisms such as blocking network ports or program permissions.
The technique is also characterized as generic enough that it can run in other environments and on other platforms, although it's uncertain whether this would permit a variant to attack a non-Windows OS or simply other programs within Windows.
Microsoft knows of the exploit's existence but hasn't been given a private briefing; the company is currently waiting on a public elaboration on the full details of how the exploit works.
The discovery of the security potentially undermines much of Microsoft's marketing effort for Vista, which has regularly centered around security. The company has suffered previous blows to its reputation through Windows XP exploits such as the Blaster worm, whose rapid spread in 2003 prompted public concern and a new effort on the part of Microsoft to emphasize security over convenience.
No comments:
Post a Comment