matunga

join:2003-07-26


1 edit

Alarmed about Vista security? Don't be, you are very safe!


August 11th, 2008

Earlier today I published a lengthy blog post questioning some of the sensationalist conclusions raised in press coverage of a paper presented by Alexander Sotirov and Mark Dowd at last week’s Black Hat Conference in Las Vegas. (See Windows security rendered useless? Uh, not exactly…) As I noted in that post:

It’s a fascinating paper, rich in technical detail and hewing to the Black Hat tradition of providing clues that others can follow to discover, exploit, and ultimately fix vulnerabilities in widely used computer code. …Unfortunately, most people who read about Sotirov and Dowd’s work didn’t bother to read the technical paper. Instead, they relied on quick summaries [that were] wildly inaccurate and hopelessly sensationalized.

This afternoon, I received the following e-mail from Alex Sotirov and am reprinting it with his permission:

Thanks for your blog post about our research. I was horrified by the lack of understanding displayed by the tech press when they covered the paper Mark and I presented at BlackHat. You rightly point out that the sky is not falling and the flaws are not unfixable. In fact, the next versions of Flash and Java will contain specific measures that limit the impact of the techniques we presented. We expect Microsoft to follow suit as well.

Exploitation is a cat and mouse game. The paper we presented puts the offensive side at a slight advantage, but it won’t take long for the defenses to catch up. Our intention was always to nudge the software vendors into improving their defenses and I hope we will succeed.

I just got off the phone with Alex, who took time out of his busy schedule to answer a few follow-up questions:

What was the atmosphere like at Black Hat? How was your paper received by people in the audience?

Positive. A lot of people in the audience seemed to really like the paper. A lot of them came up and asked more questions afterward. Everybody who talked to me said it was pretty impressive.

Did you get any reaction from Microsoft?

Microsoft had contacted us before Black Hat. We had some conference calls and sent them an early draft a few weeks ago. In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. It was a very positive experience working with Microsoft. Our research is helping them learn where they need to focus their resources and where they need to improve. We did not take any of the vendors by surprise. Also through Microsoft, both Adobe and Sun were notified about the paper. We haven’t spoken to them directly, but the Microsoft people have, I believe.

Is there any exploit code or proof of concept code available yet for the techniques you describe?

Well, we only gave the paper last week, so I doubt that anyone is using any of these techniques right now. What we presented is weaknesses in the protection mechanism. It still requires the attacker to have a vulnerability. Without the presence of a vulnerability these techniques don’t really [accomplish] anything. We used the ANI cursor vulnerability that had been patched. We chose this example because it worked on XP and Vista, but the example we used would not work [in the real world] because this issue was patched already.

Do you have any advice for Windows users today? Should they be alarmed?

As long as they follow standard security practices — use antivirus products and other typical things that are good standard policy — they shouldn’t have anything to worry about. Our research is to some extent academic. The articles that describe Vista security as “broken” or “done for,” with “unfixable vulnerabilities” are completely inaccurate. One of the suggestions I saw in many of the discussions was that people should just use Windows XP. In fact, in XP a lot of those protections we’re bypassing don’t even exist. XP is even less secure than Vista in this respect. [What we established is that the security advantage of Vista over XP is not as great as [previously] thought. Vista is still very good at preventing vulnerabilities.

Your research focuses on weaknesses in browsers. Does the movement to doing more in the browser mean the danger is increasing?

Browsers are used more widely than they were five years ago. A lot more businesses rely on browsers now to do [everyday work]. Businesses could have blocked access to the web five years ago, but with widespread use of the web as an interface, the importance of the browser has increased. It’s a lot harder to tell people they cannot use a browser. The possibility of a vulnerability in the browser affects their security.

One last question. Your paper was entitled “How to Impress Girls with Browser Memory Protection Bypasses.” In a blog post, your partner Mark Dowd said you were going to be conducting “ongoing research” on this subject in Las Vegas. Did you really flood your hot tub at Caesars Palace?

Uh… [pause] Yeah.

Thanks for your time.

You’re welcome

»blogs.zdnet.com/Bott/?p=513

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: Alarmed about Vista security? Don't be, you are very safe!

Those of us who actually understand this technology and care about getting it right said more or less the same thing already.
jp10558
Premium
join:2005-06-24
Willseyville, NY

said by matunga:


[What we established is that the security advantage of Vista over XP is not as great as [previously] thought.
But this is indeed another part of the very slim reasons to upgrade to Vista gone. I think with third party additions / precautions, you'll still have little reason to be interested in Vista...

In this case, just like for Win2k, it's the waning hardware support pushing upgrades, not that users or IT staff really want the new OS.
--
Opera 9.51(Build 10081); Windows XP Pro SP3;Intel C2Q6600; 3GB DDR2 1066; 1M/128k DSL; Antivir Personal; Comodo Firewall Pro 3;Proxomitron 4.5j Sidki 2008beta,GPG ID:0x0A1C6EE3

DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
·Stephouse Networks
·magicjack.com
·EarthLink

You might be safer with Vista than with unpatched XP, but Vista is the worst-designed and least user-friendly OS I've ever seen [not to mention a resource hog of ludicrous proportions]. Interoperability with older OSes and hardware is problematic at best, and a lot of relatively recent hardware as well as virtually all older hardware is unsupported.

I'm reminded of Benjamin Franklin, who said:
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

If XP support ever dries up completely, I'm off to Linux or Mac, or maybe back to the Amiga where I started.
SUMware
Premium
join:2002-05-21

From Bloomberg
August 18, 2008 -
quote:
Microsoft Corp., the world's largest software maker, is being probed by Taiwan's Fair Trade Commission after an activist group filed a complaint saying consumers are being forced to buy its Windows Vista operating system.

"We have received the complaint and are now conducting our own investigation, which may last around six months," Chou Ya-shu, the antitrust regulator's spokeswoman, said in a telephone interview today. Microsoft can face fines of as much as NT$25 million ($796,000) and be ordered to halt illicit practices if found guilty of fair-trade breaches, she said.

Sophia Chang, a spokeswoman for Microsoft in Taipei, denied the company forces people to buy Vista and declined to comment further on the case.

Microsoft should be fined for using its monopoly to force consumers to adopt Vista after the company ended sales of Windows XP in June, Taiwan's Consumer Foundation, a non-profit group, said in its complaint posted on its Web site on Aug. 15.

Microsoft, based in Redmond, Washington, stopped selling XP individually and pre-installing the operating system in most computers in June to spur Vista sales. Vista, which was released for consumers in January last year, requires more memory capacity and greater processing power than XP.

"It would be a very unusual and creative interpretation of antitrust law to say that a company is obliged to keep selling a product," said Brendon Carr, an attorney who advises multinational companies on antitrust issues at the law firm Hwang Mok Park in Seoul.

Demand For XP

The Consumer Foundation said its research showed 56 percent of consumers buying a computer with Vista would reinstall XP, while 67 percent oppose Microsoft ending the sale of the earlier operating system. Windows XP remains available preinstalled in some low-cost computers such as Acer Inc.'s Aspire One laptop.

Under Taiwan's Fair Trade Act, a company may not "use incentives or other devious means to induce a business to alter a consumer's shopping choices," the foundation said in the statement.

"The Fair Trade Commission should fine Microsoft a large enough amount that would strip away its profits from selling Vista," the foundation said.