Researchers use browser to elude Vista memory protections

By Dennis Fisher, Executive Editor | Aug 7, 2008

LAS VEGAS -- Two security researchers have developed new techniques that bypass the memory protection safeguards in the Windows Vista operating system through the use of browser exploits.

In a presentation at the Black Hat briefings, Mark Dowd and Alexander Sotirov demonstrated the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

In their presentation at Black Hat, Dowd and Sotirov stressed that despite their advances in getting around the Vista memory protections, there are still a number of security mechanisms in place in the operating system to mitigate attacks. Internet Explorer running in Protected Mode, for example, can protect against attacks that overwrite some files. Also, some of the pair's attacks will be addressed in future versions of third-party software, including Flash, which will opt into ASLR in its next release.

The message that emerged from Dowd and Sotirov's presentation is that although Microsoft, of Redmond, Wash., went to great lengths to upgrade the security of Vista over that of Windows XP, there are still ways in. 'The protection mechanisms in Windows Vista are not very effective at preventing browser exploits,' Sotirov said in the presentation. 'The game has changed and browsers are now the major threat. Even on Vista where ASLR is enabled, we're able to put our data where we want.'

'The genius of this is that it's completely reusable,' said Dino Dai Zovi, a well-known security researcher and author. 'They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over. What this means is that almost any vulnerability in the browser is trivially exploitable.'

Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process's stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd's and Sotirov's methods, it would be of no use.
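ASLR and DEP on Windows are opt-in per module: a DLL only gets a randomized base if its PE header sets the DYNAMIC_BASE flag (and still carries relocations), which is why a plugin such as the Flash build mentioned above can be loaded into the browser at a predictable address. The following Python example, added here and not code from the article or from Dowd and Sotirov, reads those header flags so a defender can inventory which browser plugins have opted in; the two PE images it checks are constructed inline and are not loadable DLLs.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opted into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opted into DEP

def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in status of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or size_opt < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        # ASLR needs both the opt-in flag and a relocation table to apply
        "aslr": dynamic_base and not relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def make_test_image(dll_chars: int, coff_chars: int = 0x2102) -> bytes:
    """Build a minimal, constructed PE32 header (test input, not a real DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    legacy = make_test_image(0x0000)    # plugin built without any opt-in
    hardened = make_test_image(0x0140)  # DYNAMIC_BASE | NX_COMPAT
    for name, img in (("legacy", legacy), ("hardened", hardened)):
        print(name, pe_mitigations(img))
```

On a real system the same function can be run over the bytes of each DLL loaded into the browser process to list the modules that would be mapped at a fixed address.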

'This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,' Dai Zovi said. 'If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.'

In the paper on which their presentation was based, Dowd and Sotirov say that while their attacks may give attackers the upper hand right now, they expect Microsoft and other vendors to respond quickly.

'In this paper we demonstrated that the memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a good chance of being able to bypass them. Two factors contribute to this problem: the degree to which the browser state is controlled by the attacker; and the extensible plugin architecture of modern browsers. The authors expect these problems to be addressed in future releases of Windows and browser plugins shipped by third parties,' they say in their conclusion.

'This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,' Dai Zovi said. 'I definitely think this will get reused soon, sort of like heap spraying was.'

This story was updated and corrected to include more accurate information on Dowd and Sotirov's attacks from their paper and their session at Black Hat.
