
Bypassing protection

Tue, 12 Aug 2008 at 16:55 • Chyetanya Kunte • Filed under Asides, Windows

Bruce Schneier: “Bypassing Microsoft Vista’s memory protection.” Update: Govind responds with a verbatim quote from one of the authors of the paper.


One response to “Bypassing protection”

  1. Govind said:

    Have days become so bad that Bruce stooped to yellow journalism :) for eyeball-grabbing entries?

    If you are a little technical, you will see the focus is on the browser (any browser) and, btw, the technique can be applied on every OS which supports plugins/access mechanisms.

    Pasting the response of the author verbatim - “I am one of the authors of the paper referenced in the post above. First of all, I’d like to apologize for the sensationalism of the press coverage. Most of the articles about our work are completely inaccurate and full of ridiculous statements. Mark and I had nothing to do with these articles and were not contacted by their authors.

    Please read our slides and paper (available from http://taossa.com/) before making any judgements about their content.

    What we’ve done is show that the exploitation prevention mechanisms implemented in Windows Vista (including DEP and ASLR) are ineffective at preventing the exploitation of browser memory corruption vulnerabilities, due to the following factors:

    1) the amount of control an attacker has over the state of the browser process

    2) the plugin architecture that allows third party plugins (Java, Flash, Acrobat) which often weaken these protections

    3) the architecture of the browsers which run all code in the same process and have no isolation between different components

    Our research is focused only on browsers. The protection mechanisms in Vista are still effective at preventing the exploitation of vulnerabilities in server processes, which is why I believe that Vista is still more secure than any previous version of Windows.”

    The premise is a broken Flash/Acrobat or another plugin inside any browser.

    If you are like me and run a sandboxed browser of either kind and do not click and install everything that is slightly excitable, you will be all right.

    Buffer overflows that are exploitable on X can also be exploited on Y if the RIGHT compromised plugins are available.

    Vista includes a number of mechanisms designed to make it harder to exploit buffer overflows.

    Repeat: No, the exploit does not bypass UAC or a sandboxed browser. It can/will happen on every OS/browser with a similar kind of vulnerable plugin.

    Why did IE 7 run without DEP?
    At the time of shipping, current versions of Sun’s Java plugin crashed with DEP enabled. XP SP2 was released in 2004; hmmm, JVM software needs to be DEP-compatible. How does one convince the JVM vendor to release it?

    Why is Flash ASLR-unaware, or ignorant of SafeSEH?
    Because they chose to be :).

    IL - ASLR needs more votes (not marketing) to do the right thing.

    Third-party plugins have a lot of catching up to do with the technology landscape change. MS needs to push third-party vendors of these plugins to utilize the technology to prevent these problems (this paper would not have been possible if DEP/ASLR/SafeSEH etc. were utilized for the plugins).
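Added example, not from the post or its commenters: a Python reader for the PE header flags that decide whether a module such as a browser plugin opts into the Vista protections the comment names (NX_COMPAT for DEP, DYNAMIC_BASE plus relocation data for ASLR). The header-only sample image builder is constructed here for demonstration; the 32-bit SafeSEH check, which lives in the load config directory, is left out.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be rebased at load time: opts into ASLR
NX_COMPAT = 0x0100     # image declares itself DEP-compatible
# COFF Characteristics flag: no .reloc data, so the loader cannot move the image.
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data):
    """Parse the headers of a PE image and report which opt-in protections it declares."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    coff_chars = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "aslr_effective": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
    }


def missing_mitigations(data):
    """Defender-style summary: which Vista-era protections a module fails to opt into."""
    m = pe_mitigations(data)
    gaps = []
    if not m["nx_compat"]:
        gaps.append("NX_COMPAT (DEP)")
    if not m["aslr_effective"]:
        gaps.append("DYNAMIC_BASE with relocations (ASLR)")
    # SafeSEH for 32-bit images is recorded in the load config directory; not checked here.
    return gaps


def build_minimal_pe(dll_chars, coff_chars=0x2102, pe32plus=False):
    """Constructed sample: header-only image for demonstration, not a loadable module."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt + b"\0" * (opt_size - len(opt))
```

Run `missing_mitigations(open(path, "rb").read())` over a plugin DLL to see which protections it would deny the browser that loads it.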
