Calendar Of Updates: Vista's Security Rendered Completely Useless by New Exploit


Vista's Security Rendered Completely Useless by New Exploit "Another gaping hole presented by Microsoft"

#1 Celtic Ferret

  • MVC (Most Vociferous CyberIncompetent)
  • Group: Member - MVC
  • Posts: 780
  • Joined: 06-October 05

Posted 08 August 2008 - 06:42 PM

Quote

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

neowin.net
The INQ

Quote

Other researchers have since commented that they believe that we may see similar techniques applied to other operating systems, including previous version of Windows.

Quote

These techniques are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks. Expect to be hearing more about this in the near future and possibly being faced with the prospect of your "secure" server being stripped completely naked of all its protection.

Next... DEFCON. It's been an "interesting" week, in the Chinese sense of that word.
--CF

#2 WiltedShoots

  • Dies Veneris
  • Group: Member - Contributor
  • Posts: 1,402
  • Joined: 18-April 05

Posted 08 August 2008 - 08:08 PM

As a non-expert, this exploit is just one more reason why a good sandbox must be included in your setup.
That would prevent it, I assume.
Correct me if wrong, please.

This post has been edited by FortressX: 08 August 2008 - 08:09 PM


#3 ColdinCbus

  • The IceMan Fix-ith
  • Group: Admin - Site
  • Posts: 16,268
  • Joined: 12-April 04

Posted 08 August 2008 - 08:35 PM

FortressX, on Aug 8 2008, 04:08 PM, said:

As a non expert, this exploit is just one more reason why a good sandbox must be included in your setup.
That would prevent it assume.
Correct if wrong, please.

There is no telling until they make the presentation. From the sounds of it, it is not browser nor OS specific. They are using the "Vista" mention to get more play.

#4 Haroldo

  • Dies Mercuri
  • Group: Admin - Board
  • Posts: 539
  • Joined: 11-October 03

Posted 08 August 2008 - 08:43 PM

Is my Win 3.1 safe?

#5 ColdinCbus

  • The IceMan Fix-ith
  • Group: Admin - Site
  • Posts: 16,268
  • Joined: 12-April 04

Posted 08 August 2008 - 08:48 PM

Haroldo, on Aug 8 2008, 04:43 PM, said:

Is my Win 3.1 safe?

Your Mac may not be safe from the sounds of it, if that makes you feel better.

#6 Haroldo

  • Dies Mercuri
  • Group: Admin - Board
  • Posts: 539
  • Joined: 11-October 03

Posted 08 August 2008 - 09:43 PM

ColdinCbus, on Aug 8 2008, 04:48 PM, said:

...if that makes you feel better.

Cookie dough ice cream makes me feel better.

#7 johngalt

  • Antidisestablishmentarianist
  • Group: Admin - Forum
  • Posts: 3,362
  • Joined: 06-July 04

Posted 10 August 2008 - 07:58 AM

I'll be interested to know if these are exploitable remotely through IE (or any other browser) even with UAC and 'protected mode' on. If they were performed locally, well, yeah, of course that will work....

#8 Celtic Ferret

  • MVC (Most Vociferous CyberIncompetent)
  • Group: Member - MVC
  • Posts: 780
  • Joined: 06-October 05

Posted 11 August 2008 - 09:04 PM

Lots more info and discussion at Ars (cooler heads prevail?):
The sky isn't falling: a look at a new Vista security bypass
Discussion in the forums

Quote

The work done by Dowd and Sotirov focuses on making buffer overflows that were previously not exploitable on Vista exploitable. These are buffer overflows that would be exploitable on Windows XP anyway; after all, there's no need to defeat ASLR if an OS does not have ASLR at all. Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions. DEP, ASLR, and the other mitigation features in Vista are unlikely to ever be unbreakable, especially in an application like a web browser that can run both scripts and plugins of an attacker's choosing. Rather, their purpose is to make exploitation more difficult.

It goes on to say that .NET is immune, which seems to contradict the original article.

But fixing these buffer overflows caused by coding errors should be a no-brainer, and, unfortunately, this news may place more perceived blame on Microsoft instead of on the individual applications where it belongs. :OMG:

In either case Haroldo's cookie dough ice cream seems safe... for now... :nailbite:
--CF

#9 johngalt

  • Antidisestablishmentarianist
  • Group: Admin - Forum
  • Posts: 3,362
  • Joined: 06-July 04

Posted 12 August 2008 - 12:34 AM

Thanks for that link - it goes to prove the points made by an admin at Vistax64 - you can't trust the hype following the research because it doesn't deal with DEP and UAC.

#10 TeMerc

  • Countermeasures Team Leader
  • Group: Admin - Forum
  • Posts: 712
  • Joined: 04-February 04

Posted 12 August 2008 - 05:44 AM

Ed Bott on this FUD this morning:
http://blogs.zdnet.com/Bott/?p=512

Quote

It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.

Then he interviews the original researcher, albeit briefly:
http://blogs.zdnet.com/Bott/?p=513

#11 johngalt

  • Antidisestablishmentarianist
  • Group: Admin - Forum
  • Posts: 3,362
  • Joined: 06-July 04

Posted 12 August 2008 - 06:13 AM

Gotta love Bott.

Quote (http://blogs.zdnet.com/Bott/?p=513)

This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:

Quote (Alexander Sotirov)

Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.
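The Ars excerpt in post #8 and Sotirov's note above both treat ASLR and DEP as mitigations that a browser plugin can weaken or opt into, rather than as guarantees. On Windows that opt-in is visible in the PE header: two bits in the optional header's DllCharacteristics field, and a module can only be randomized if the linker kept its relocation table. The script below is an added example, not code from this thread, from Ars, or from Dowd and Sotirov: it parses those fields (the flag values and offsets come from the PE/COFF specification) and reports whether a given image asks for ASLR and DEP. The build_sample_pe helper and the sample file names are constructed for illustration; it produces header-only images, not loadable binaries, so the check runs offline.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased at load time (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: no .reloc section, image cannot be rebased
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_mitigations(image: bytes) -> dict:
    """Parse a PE image and report its ASLR/DEP opt-in state."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, _nsect, _ts, _symptr, _nsym, opt_size, coff_chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        arch = "PE32"
    elif magic == PE32PLUS_MAGIC:
        arch = "PE32+"
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    aslr_flag = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "arch": arch,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # the loader can only randomize a module it is able to relocate
        "aslr_effective": aslr_flag and not relocs_stripped,
    }


def build_sample_pe(dll_chars: int, coff_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image for testing (constructed sample, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature directly after the DOS header
    opt_size = 112 if pe32plus else 96      # optional header size without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(name: str, image: bytes) -> str:
    """One-line audit verdict for a module, as a defender reviewing plugins would want it."""
    r = check_mitigations(image)
    aslr = "ASLR" if r["aslr_effective"] else (
        "ASLR flag set but relocations stripped" if r["aslr_flag"] else "no ASLR")
    dep = "DEP" if r["dep"] else "no DEP"
    return f"{name} [{r['arch']}]: {aslr}, {dep}"


if __name__ == "__main__":
    # Constructed sample modules (hypothetical names); a real audit would read DLLs from disk
    samples = {
        "plugin_opted_in.dll": build_sample_pe(0x0140),
        "plugin_legacy.dll": build_sample_pe(0x0000),
        "plugin_no_relocs.dll": build_sample_pe(0x0040, coff_chars=0x2103),
        "plugin_x64.dll": build_sample_pe(0x0140, pe32plus=True),
    }
    for name, img in samples.items():
        print(describe(name, img))
```

To audit real modules, read each DLL from disk and pass its bytes to check_mitigations; a module reporting "no ASLR" or "no DEP" is one whose presence in the browser process weakens the protections the Ars piece describes, which is the kind of per-plugin measure Sotirov says Flash and Java were adding.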
