Windows broken ... I'm surprised it took this long

Written by Adrian Kingsley-Hughes, Senior Contributing Editor

So, in a stroke, two security researchers (Mark Dowd of IBM and Alexander Sotirov of VMware) at Black Hat have set browser security back 10 years and rendered Vista's security next to useless (PDF of paper here - site currently Slashdotted ...).

Some random thoughts in no particular order ...

  • First off, I'm surprised that it took this long for the walls to come tumbling down, but I have to admit I didn't expect all of them to come down at once like that! After boasting about Vista's heightened security, Microsoft is now left with a serious amount of egg on its face.
  • While there's a lot of cool stuff discussed in the paper, many of the vulnerabilities come down to running insecure applications. Not only does Microsoft need to up its game, it needs to get developers who are pumping out applications to do the same.
  • The sky isn't falling in, but this does make things a lot easier for the bad guys.
  • You can't trust software to protect itself, and we need to combine hardware and software. One example - under Vista DEP (Data Execution Prevention) isn't enforced well enough. It's only partially enabled and if switched fully on too many applications fail. This is unacceptable. I'm sure that DEP isn't perfect either, but it's another layer that hackers have to get through.
  • It'll be interesting to see how Microsoft spins this. The paper has huge implications and fixing these issues is going to be tricky. Given how long we can expect Vista to be around I expect that Microsoft will try to fix things in a future service pack. These issues are going to haunt Windows for years.
  • Where does this leave Windows 7? I would have expected Microsoft to have ported the security features from Vista into 7, but this paper kinda makes that obsolete. If Microsoft is going to make a stab at fixing these issues then this could very well delay Windows 7.
  • Now that Vista's defenses have been crippled, we're back to relying on third-party security applications to detect malicious code ... some things don't change.
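As an added example (not from the original post) of the "partially enabled" DEP point above: this PowerShell snippet reads the system-wide DEP policy from the Win32_OperatingSystem WMI class and flags the OptIn state, in which only Windows components and programs that explicitly request it run with DEP. It assumes a Windows host with PowerShell 3 or later (for Get-CimInstance).

```powershell
# Added example, not code from the original post.
# Reports the system-wide Data Execution Prevention policy. Vista's default is
# OptIn (value 2): DEP covers Windows binaries and programs that ask for it,
# while other third-party applications run with DEP off. OptOut or AlwaysOn
# is the "switched fully on" configuration the post says breaks applications.

$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn  (DEP enforced for all processes, no exceptions)'
    2 = 'OptIn     (DEP only for Windows components and opted-in programs)'
    3 = 'OptOut    (DEP for all processes except an explicit exception list)'
}

# Win32_OperatingSystem exposes the DEP support policy and related flags.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware NX/XD support available : $($os.DataExecutionPrevention_Available)"
"System DEP policy                : $policy -> $($policyNames[$policy])"
"DEP applied to 32-bit programs   : $($os.DataExecutionPrevention_32BitApplications)"
"DEP applied to drivers           : $($os.DataExecutionPrevention_Drivers)"

# Flag the partial configuration the post complains about.
switch ($policy) {
    2 { Write-Warning 'OptIn: applications that do not opt in run without DEP.' }
    0 { Write-Warning 'AlwaysOff: DEP is disabled system-wide.' }
    default { 'DEP policy covers non-Windows applications by default.' }
}
```

The policy can be changed with `bcdedit /set nx OptOut` (or `AlwaysOn`) from an elevated prompt, followed by a reboot; test line-of-business applications before doing so on production systems.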

[UPDATED: Source code here.]

[UPDATE: Since Ed Bott has picked up on this issue and has disagreed with some point I made, I'll post my response to his post here too:

... I know you read the paper because I sent you the PDF, but it seems you failed to notice a few things.

You accuse me of "alarming oversimplification" with the "set browser security back 10 years" quote, yet you seem to have overlooked that the authors themselves used that as the subheading of the paper.

Also, you seem to emphasize that Vista's memory protection features were supposed to make attacks "more difficult," not "impossible" (a viewpoint that I agree with), but you don't follow on from that to the logical conclusion of this paper - that these defenses have, in part at any rate, been undone, so the "more difficult" argument is now quickly becoming moot.

Also, you seem to have been selective in choosing quotes. From page 1 of the paper:

"We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers."

And the paper goes on to back that up ... in spades. This isn't an issue about defense in depth, it's about the quality of those defenses. From the paper again:

"Since real-world exploitation requires bypassing multiple memory protections, we will present several ways in which these techniques can be combined to achieve remote code execution."

Defense in depth is a non-starter if the bad guys can bypass enough of them to achieve their nefarious goals.

You said: "If you read the authors' actual words, not the sensationalist and wildly inaccurate news accounts, you get a completely different story."

Quote directly from the paper:

- "Setting back browser security by 10 years"

- "We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers."

- "The design and implementation of the memory protection mechanisms in Windows have a number of limitations that reduce their effectiveness."

- There are dozens more to choose from ... but I think that the conclusion is worth repeating: "In this paper we demonstrated that the memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a good chance of being able to bypass them." ... defense in depth shot down in flames.

You said: "One of the biggest targets of the work by Sotirov and Dowd is Address Space Layout Randomization (ASLR)."

GS, SafeSEH, heap protection and DEP are also covered. These are separate from ASLR.

You said: "The idea that they've been completely blindsided by the revelations in a single Black Hat paper and that they'll have to scrap the entire architecture of the Windows platform is naive, to put it charitably."

Good for Microsoft, Ed, but tell me how this helps me, in the now, better protect systems?

Sure, this paper doesn't foretell the apocalypse, but it's enough for me, personally, to begin asking myself which OS is best to protect me and mine from the bad guys out there.

Link to Ed Bott's post.]

[UPDATED: Bruce Schneier's take on this. Three words: "This is huge."

Now when it comes to this kind of stuff, Schneier is one of the smartest on the planet, and when he speaks, I for one am going to sit up and pay attention.]

[UPDATED: Further commentary by Schneier:

"Here's commentary that says this isn't such a big deal after all. I'm not convinced; I think this will turn out to be a bigger problem than that."

Again, I have to choose a side to believe here (Schneier vs. Ars Technica), and I'm siding with Schneier.]

Thoughts?