Earlier today I published a lengthy blog post questioning some of the sensationalist conclusions raised in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas. (See Windows security rendered useless? Uh, not exactly...) As I noted in that post:
It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. ...Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.
This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:
Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.
Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won't take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.
I just got off the phone with Alex, who took time out of his busy schedule to answer a few follow-up questions:
What was the atmosphere like at Black Hat? How was your paper received by people in the audience?
Positive. A lot of people in the audience seemed to really like the paper. A lot of them came up and asked more questions afterward. Everybody who talked to me said it was pretty impressive.
Did you get any reaction from Microsoft?
Microsoft had contacted us before Black Hat. We had some conference calls and sent them an early draft a few weeks ago. In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. It was a very positive experience working with Microsoft. Our research is helping them learn where they need to focus their resources and where they need to improve. We did not take any of the vendors by surprise. Also through Microsoft, both Adobe and Sun were notified about the paper. We haven't spoken to them directly, but the Microsoft people have, I believe.
Is there any exploit code or proof of concept code available yet for the techniques you describe?
Well, we only gave the paper last week, so I doubt that anyone is using any of these techniques right now. What we presented is weaknesses in the protection mechanism. It still requires the attacker to have a vulnerability. Without the presence of a vulnerability these techniques don’t really [accomplish] anything. We used the ANI cursor vulnerability that had been patched. We chose this example because it worked on XP and Vista, but the example we used would not work [in the real world] because this issue was patched already.
Do you have any advice for Windows users today? Should they be alarmed?
As long as they follow standard security practices -- use antivirus products and other typical things that are good standard policy -- they shouldn't have anything to worry about. Our research is to some extent academic. The articles that describe Vista security as “broken” or “done for,” with “unfixable vulnerabilities” are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we're bypassing don't even exist. XP is even less secure than Vista in this respect. [What we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.
Your research focuses on weaknesses in browsers. Does the movement to doing more in the browser mean the danger is increasing?
Browsers are used more widely than they were five years ago. A lot more businesses rely on browsers now to do [everyday work]. Businesses could have blocked access to the web five years ago, but with widespread use of the web as an interface, the importance of the browser has increased. It’s a lot harder to tell people they cannot use a browser. The possibility of a vulnerability in the browser affects their security.
One last question. Your paper was entitled "How to Impress Girls with Browser Memory Protection Bypasses." In a blog post, your partner Mark Dowd said you were going to be conducting "ongoing research" on this subject in Las Vegas. Did you really flood your hot tub at Caesars Palace?
Uh… [pause] Yeah.
Thanks for your time.