Ron Schenone

Vista Security Goes Down In Flames …..Again

Posted by on Aug 9, 2008 | 5 Comments

Over at the Black Hat convention being held in Las Vegas two researches have hacked though the security features that Microsoft had put in place for Windows Vista. It is unfortunate that the Redmond giant is going to be embarrassed once again, but heh people, what did we really expect? Did anyone with half a brain really think that Vista was going to be more secure than Windows XP? Or am I being too negative? In this article it states:

 LAS VEGAS — Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.

“The genius of this is that it’s completely reusable,” said Dino Dai Zovi, a well-known security researcher and author. “They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.

I think we Windows users just need to accept the fact that the word ‘security’ in Windows is a joke and Microsft will never be able to secure their operating system.  Microsoft is going to struggle getting businessess to take the bait and switch to Vista.

What do you think? Are you feeling all warm and fuzzy for having switched to Vista? Or are you glad you stayed with XP?

Comments welcome.

Source.

  • leftystrat

    I’m glad I use linux.
    Pbthllllllllt.

    Just wait a few minutes and someone will accuse you of Windows-bashing.

  • Florian

    Hello,

    I switched to Vista with the release of SP1, and I’m really not “warm and fuzzy” about it, as it has been nearly a forced change (damned Windows installer corrupted update…).

    Vista gave me a mixed impression. On one hand, Vista has interesting improvements, the three that I noticed the most, upgrading from XP SP2, being memory management (no more unnecessary swapping with my 3Go of RAM…), Aero of course and enhanced security (protected mode, virtualisation and UAC). On the other hand however, some Vista features can be a hassle to live with, especially that cursed UAC (can’t do anything without having a prompt, even launch a game just because it is not signed…and I’m supposed to be admin…). And it really needs a lot of RAM to do the same thing as XP in my opinion (two times more than my optimized XP even after some tweaking…).

    Personally, I’m now considering the switch to a non-Microsoft operating system for my next computer, as Vista has just managed to disgust me of Windows. As such, reading that Vista’s security features has been hacked just comfort me in my choice, so my next computer will definitely not be Windows-based (well, have yet to decide if it will be a Linux-based one or a Mac though, as I like the look of Mac OS but also like free software a lot…).

  • Bobzilla

    There is no totally secure OS, all have weak points and all can be hacked. Ninety percent of all computers run the weakest, least secure OS available. You guessed it, good ol’ Windows. Let me make it clear, I’m not a Vista fanboy. However, Vista is much more secure than XP, so if you _ must _ run Windows…. from a security standpoint Vista is better than XP. Some of the things that many users find annoying about Vista is the very things that make it more secure.

    At this point in time Linux is the most secure OS available, with Mac running a close second.

    Last word… computer security is not all about the OS. The most secure system in the world can be trashed with bad habits and just a few key strokes of a careless user.

  • tbsteph

    There appears to be a crediblity issue building here. It has now been 4 days since this story appeared. Yet, nothing about it has shown up in the larger news sources. Either the gang at Black Hat has overstated the issue or, the MSM has kept it under wraps. One would think such a invidious security hole (Assuming it does exist) would be widely reported.

  • http://wp3.lockergnome.com/nexus/blade/ Ron Schenone

    Good point.