The Black Hat security conference had a bombshell dropped on it yesterday. Mark Dowd of IBM Internet Security Systems and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista:
“The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.
While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture. According to Dino Dai Zovi, a popular security researcher, “the genius of this is that it’s completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.””
From what I can tell, the hack takes advantage of the way Internet Explorer handles scripting languages. That implies that Firefox/Safari/Opera users are safe (or at least safer). Also, I would think it’s perfectly reasonable to assume that a rewrite of the affected portions of Vista will provide the fix if that is the case (that of course assumes that the cure isn’t worse than the disease). So to say that it’s broken and can’t be fixed is as much of a sure thing as saying it’s secure and can’t be hacked.
In any case, Microsoft is apparently aware of the research and wants to see it. Given all of the negative press that Vista has, you’d think Microsoft would have paid them to bury the research. In any case, it will be interesting to see how Microsoft responds to this.
UPDATE: Here’s another link with more detail.
UPDATE #2: Here’s a very detailed PDF from the two researchers on this issue.