An IBM X-Force security researcher has promised to exploit massive holes in Windows Vista's defences at the upcoming Black Hat security conference in Las Vegas.

Operating system defences used by Windows Vista — such as Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and Structured Exception Handling (SHE) — have changed the game for hackers, according to IBM X-Force security researcher Mark Dowd.

"[Microsoft] has come along way since the previous release and each subsequent release looks further into securing the base operating system in two ways. First by ironing out vulnerabilities, and second, by having security features within the OS that make things a lot more difficult to exploit vulnerabilities — if they exist," Dowd told ZDNet.com.au. "When you find vulnerabilities now, it doesn't mean you can automatically exploit them."

In 2006 Microsoft revealed that Vista would contain a feature called Address Space Layout Randomisation (ASLR), which is used in some form by Linux, OpenBSD and Mac OS X, to make it more difficult to take over a system following a buffer overrun error.

Prior versions of Windows were more susceptible to buffer overrun flaws because malware writers knew exactly where in a system's addressable memory they could insert "alternative instructions". ASLR randomly changes these address locations identified, the ability to exploit it is significantly reduced.

"It is not a panacea, it is not a replacement for insecure code," Michael Howard, a senior security program manager at Microsoft, wrote at the time of announcing Vista's adoption of ALSR. "It is a useful defence, because it makes Windows systems look 'different' to malware, making automated attacks harder."

Other security features in Vista include Data Execution Prevention (DEP), which stops an application executing from certain memory areas. Structured Exception Handling avoids issues arising from a division by zero, or attempts to access invalid areas of memory.

These features may have significantly reduced the success of certain attacks but Dowd predicts attackers will increasingly target these layers of defence to improve the effectiveness of their malware.

"As [these defences] become more prevalent in the base operating system, they are becoming more important to defeat, so people in the future will be scrutinising these protections more than they are at the moment," he said.

In April, Dowd led Adobe to patch a Flash memory flaw that caused the application to mishandle certain maliciously crafted Shockwave Flash files.

Dowd is scheduled to present a talk titled How to impress girls with browser memory protection bypasses at this year's Black Hat conference where he will reveal his exploits.

"We're going to show a couple of ways you can tip the odds in your favour so vulnerabilities can be easily exploited by techniques that bypass these protection mechanisms.

"Some completely obliterate the protections," he added.

Written by Liam Tung

Original Story

This entry was posted by Annette King on Tuesday, June 24. 2008 at 18:00.