Vista security to be 'obliterated' at Black Hat

Vista security to be 'obliterated' at Black Hat

Summary: An IBM X-Force security researcher has promised to exploit massive holes in Windows Vista's defences at the upcoming Black Hat security conference in Las Vegas.


An IBM X-Force security researcher has promised to exploit massive holes in Windows Vista's defences at the upcoming Black Hat security conference in Las Vegas.

Operating system defences used by Windows Vista — such as Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and Structured Exception Handling (SHE) — have changed the game for hackers, according to IBM X-Force security researcher Mark Dowd.

"[Microsoft] has come along way since the previous release and each subsequent release looks further into securing the base operating system in two ways. First by ironing out vulnerabilities, and second, by having security features within the OS that make things a lot more difficult to exploit vulnerabilities — if they exist," Dowd told "When you find vulnerabilities now, it doesn't mean you can automatically exploit them."

In 2006 Microsoft revealed that Vista would contain a feature called Address Space Layout Randomisation (ASLR), which is used in some form by Linux, OpenBSD and Mac OS X, to make it more difficult to take over a system following a buffer overrun error.

Prior versions of Windows were more susceptible to buffer overrun flaws because malware writers knew exactly where in a system's addressable memory they could insert "alternative instructions". ASLR randomly changes these address locations every time a PC starts, so when a buffer overrun flaw has been identified, the ability to exploit it is significantly reduced.

"It is not a panacea, it is not a replacement for insecure code," Michael Howard, a senior security program manager at Microsoft, wrote at the time of announcing Vista's adoption of ALSR. "It is a useful defence, because it makes Windows systems look 'different' to malware, making automated attacks harder."

Other security features in Vista include Data Execution Prevention (DEP), which stops an application executing from certain memory areas. Structured Exception Handling avoids issues arising from a division by zero, or attempts to access invalid areas of memory.

These features may have significantly reduced the success of certain attacks but Dowd predicts attackers will increasingly target these layers of defence to improve the effectiveness of their malware.

"As [these defences] become more prevalent in the base operating system, they are becoming more important to defeat, so people in the future will be scrutinising these protections more than they are at the moment," he said.

In April, Dowd led Adobe to patch a Flash memory flaw that caused the application to mishandle certain maliciously crafted Shockwave Flash files.

Dowd is scheduled to present a talk titled How to impress girls with browser memory protection bypasses at this year's Black Hat conference where he will reveal his exploits.

"We're going to show a couple of ways you can tip the odds in your favour so vulnerabilities can be easily exploited by techniques that bypass these protection mechanisms.

"Some completely obliterate the protections," he added.

Topics: IBM, Microsoft, Security, Software Development, AUSCERT, Windows

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The horror!

    Oh shock, horror! It makes me feel, well ... totally unsurprised. Another flaw in Windows. Thank the Open-Source heavens that I won't be using this incredibly damaged software for much longer. If I had a choice I'd never use it again but unfortunately my work uses this os. I used lowercase because it is a case of being less than.
  • Why not fix his own back yard first

    Lets hide IBM's own faults by pointing out windows as a target - lame as. Count the number of WebSphere issues, or IBM port of Java (which not only impacts its own OS but others as well) - try this one;
    "A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet".
    But of course they will make public disclosure of this at a major event as they are true honest citizens ...
  • great

    flame 'em I say, rub some more salt in the billion dollar screw-up. They deserve what they get thats for sure.
  • Hiding ibm's faults??

    How is this hiding IBM's faults? That is such an inane troll. Vista has flaws. This researching is shinning a spotlight on them. Don't try to confuse the issue.

    Obviously, you already know about the IBM flaws so why would he talk about them?
  • Nice pun

    shinning -

    I must be confused with your argument as well though, for if we all know of IBM's flaws and also those in Vista - why is one an example of "shining research" and the other an "inane troll"?