Aug 12, 2008

Vista Security Rendered Useless?

Perhaps the most explosive presentation at last week's Black Hat hacker conference in Las Vegas was that of Alexander Sotirov and Mark Dowd. The paper they presented delves deep into security technologies in Windows Vista which protect against abuses of memory and seeks out weaknesses in them. Among these technologies are DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). The authors found many interesting attack techniques.

Some of the industry press on this presentation has been on the hysterical side: Neowin started it all with the hyperbolic "Vista's Security Rendered Completely Useless by New Exploit" followed by a TechTarget article here. The TechTarget article was updated later to tone it down some. These articles fed the fires of credulousness in those who want to believe the worst about Vista. Even the respected Bruce Schneier blogged tersely, but with great concern, about the severity of it all.

But even Sotirov himself argues that "...the sky is not falling and the flaws are not unfixable..." Thanks to Ed Bott for bringing all this out in his blog. As Sotirov says, exploitation is always a cat and mouse game, and it won't take long for Microsoft and others to respond. He adds "The articles that describe Vista security as 'broken' or 'done for,' with 'unfixable vulnerabilities' are completely inaccurate." In fact, Microsoft provided feedback on the paper to Sotirov and Dowd.

ASLR and DEP are opt-in technologies; they aren't turned on by default, and a developer has to specifically build their program (with special linker switches) to opt in to the protections. Many of the attacks in the paper rely on common software, especially Java, which does not opt in. Even Microsoft doesn't uniformly use them. Over time one can expect more programs to opt in, and that aspect of the problem will tend to resolve.
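Because the opt-in is recorded in the executable itself, a defender can audit which binaries on a system actually asked for these protections. The linker switches /DYNAMICBASE and /NXCOMPAT set two bits in the DllCharacteristics field of the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) for DEP. The script below is an added example, not code from the post or from the paper's authors; it parses that field directly rather than using an external library, and it builds a constructed minimal PE header inline so it runs without any real executable. The helper names (build_minimal_pe, mitigation_flags, check_file) are this example's own.

```python
import struct

# DllCharacteristics bits set by the MSVC linker switches.
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT (DEP opt-in)

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
DLLCHAR_OFFSET = 70


def mitigation_flags(data: bytes) -> dict:
    """Return which exploit mitigations the image opted into, read from its PE header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                           # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)       # SizeOfOptionalHeader
    opt = coff + 20                                               # start of the optional header
    if opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def check_file(path: str) -> dict:
    """Audit a real executable on disk (only the headers are needed)."""
    with open(path, "rb") as fh:
        return mitigation_flags(fh.read(4096))


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image (not loadable) used here as test input."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    machine = 0x8664 if pe32plus else 0x14C                                     # AMD64 / i386
    opt_size = 240 if pe32plus else 224
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, dll_characteristics)
    return dos_header + b"PE\x00\x00" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Two constructed images: one built with neither switch, one built with both.
    for label, flags in (("no opt-in", 0), ("/DYNAMICBASE /NXCOMPAT", DYNAMIC_BASE | NX_COMPAT)):
        result = mitigation_flags(build_minimal_pe(flags))
        print("%-24s ASLR=%s DEP=%s" % (label, result["aslr"], result["dep"]))
```

Run it over the modules loaded by a process (for example each DLL a browser plugin pulls in) and the binaries that were never linked with the switches stand out immediately; those are the ones the paper's techniques lean on. One caveat: the NX_COMPAT bit only decides the question for 32-bit images, since 64-bit native processes run with DEP regardless of the flag, and the DYNAMIC_BASE bit says what the image asked for, not what the running system enforces.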

The research is top stuff for sure, a good example of how independent vulnerability research can help improve products. As a general matter, if users follow common sense security practices and run a decent anti-malware package and keep everything updated they should be in good shape, even with the revelations described in this paper.

