Microsoft Vista is Doomed

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft but also for how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.
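ASLR and DEP are signalled per image on Vista: the linker sets two bits in the PE optional header’s DllCharacteristics field (/DYNAMICBASE for ASLR, /NXCOMPAT for DEP compatibility), and an image without the DYNAMIC_BASE bit is loaded at its preferred base address. The following is an added example, not code from the article or from Dowd and Sotirov’s paper, that reads those bits from a PE image so a defender can audit which browser plug-ins and loaded modules actually opt in. The flag values and header offsets are the real ones from the PE/COFF specification; the `build_test_image` helper constructs a minimal header purely for testing and does not produce a loadable file.

```python
import struct

# Real IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # image opts in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100      # image opts in to DEP (/NXCOMPAT)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Report which of ASLR/DEP a PE image opts in to by parsing its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    # (PE32+ drops BaseOfData but widens ImageBase to 8 bytes, so the offset is unchanged).
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def modules_missing_mitigations(images: dict) -> list:
    """Given {name: image_bytes}, return names of images lacking ASLR or DEP opt-in."""
    weak = []
    for name, data in images.items():
        flags = pe_mitigations(data)
        if not (flags["aslr"] and flags["dep"]):
            weak.append(name)
    return sorted(weak)


def build_test_image(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: a minimal, non-loadable PE header with the given flags."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample set: names are hypothetical, not real plug-ins.
    sample = {
        "hardened_plugin.dll": build_test_image(DYNAMIC_BASE | NX_COMPAT),
        "legacy_control.ocx": build_test_image(0),
        "x64_helper.dll": build_test_image(DYNAMIC_BASE, pe32plus=True),
    }
    for name, data in sample.items():
        print(name, pe_mitigations(data))
    print("missing ASLR or DEP:", modules_missing_mitigations(sample))
```

On a real system the same parser can be pointed at the DLLs a browser process has loaded; any module that reports `aslr: False` is mapped at a predictable address regardless of the system-wide setting, which is the property a defender wants to find and eliminate before an attacker does.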



  1. #1 Dan McKinley
    August 9, 2008

    The paper is here, if you’re interested:

  2. #2 Flaky
    August 10, 2008

    This just shows that you can’t have security by voodoo. There’s nothing wrong with having all these extra security features, but they don’t fix the underlying problems, like the fact that even today, programmers at Microsoft are able to write code with uncaught buffer overflows and other similar bugs, even though compilers have been able to automatically generate boundary checks for decades.

    Until programmers at Microsoft and elsewhere start using tools that don’t allow them to make such elementary mistakes, there will be no end to remote code execution exploits.

  3. #3 Reginald
    August 10, 2008

    Hackers will always be able to exploit any Operating System and any browser if you give them enough time to do research, that’s why they’re hackers. No offense, but it’s just ‘I can always spot a bad toupee’ logic. You don’t hear about this kind of stuff for Linux or Macs because the world runs Microsoft. That said, if any hacker used any of the exploits these guys detailed, they’d have to leave their fingerprints all over it.

  4. #4 greg laden
    August 10, 2008

    Reg: Linux and *nix like systems are less virus-ridden and less often attacked than Microsoft for a number of different reasons, but two reasons stand out as being very opposite each other and very relevant. Both belie the notion that Microsoft isn’t any less secure.

    The first (and less important) is the “they’re asking for it” reason. Microsoft isn’t a target of attackers (not hackers … that’s the wrong term) because people don’t like Microsoft because of their corporate practices. They are truly asking for it. Now, that does not justify cyber attacks, and especially does not justify victimizing individuals or entities that were not “asking for it.” But if you were going to hire a security guard, would you pick the one that, say, owes a lot of money to the mob and is slated for removal, or the one that is not likely to get slammed for reasons you have nothing to do with?

    The second reason (and probably the more important one, in the long run) is that *nix is inherently more secure because of the way it is made and (typically) deployed.

  5. #5 Dan McKinley
    August 10, 2008

    @Greg assuming that you meant to write “Microsoft IS a target … ” – the bad guys writing original exploits generally have concrete reasons for doing so, directly connected to monetary gain. There may be script kids out there that do this for ideology but these are generally not the sharpest knives in the box. Let’s get serious here, if your aim is to enlist legions of zombie machines in your spamming operation, your personal feelings about Linus, Steve, or Bill are not going to influence you significantly.

    Second point is basically right: the amount of damage that you can do with a buffer overflow on Windows is generally much worse than what can be accomplished if you find one on a *nix system. You can wipe a user’s home directory, but you can’t install a rootkit.

    But it’s not that the attacks that are possible on *nix aren’t potentially devastating to users. There’s no way to justify a complacent attitude here.

    The techniques outlined in the paper are all very interesting but some of the attacks that really nullify ASLR rely on IE-specific browser functionality that is not popular (embedding .NET controls in web pages). I am clueless as to the level of adoption that this has in the corporate intranet world, but if I were Microsoft I’d contemplate just removing the feature. Unless IE gets back to above 95% of the browser market this feature will never be used legitimately on a public-facing site.

  6. #6 greg laden
    August 10, 2008

    if your aim is to enlist legions of zombie machines in your spamming operation, your personal feelings about Linus, Steve, or Bill are not going to influence you significantly.

    Good point, and it might be true. But it might not be. Although I do think that the more effective criminals, like the more effective business people, are as close to rational free actors as one usually gets (as opposed to, say, consumers and workers) I’m not prepared to assume that there is no ‘cultural behavior’ going on here until I see a study or three showing this.

    There’s no way to justify a complacent attitude here.

    Yes. And note my (parenthetical) use of “typically” … Typically may be the wrong word. I mean “supposed to be” … which includes always updating with security patches and setting security options correctly (and not un-setting defaults).

  7. #7 Bri Jeni
    August 12, 2008

    I’m inclined to agree with Reginald. There is ALWAYS a way, and since Microsoft is the chosen OS for the majority of hacker targets, they will always be the focus of said hackers. Hmmm… a little more incentive for techies to stick to Mac in the meantime.

  8. #8 Andrew
    August 12, 2008

    You mean Linux