
Concerned about Window$ 7 and security?

Discussion in 'Windows XP' started by Greg Russell, Mar 27, 2010.

  1. Greg Russell

    Greg Russell Flightless Bird

    March 25, 2010 (Computerworld) Two researchers yesterday won $10,000 each at
    the Pwn2Own hacking contest by bypassing important security measures of
    Windows 7.

    Both Peter Vreugdenhil of the Netherlands and a German researcher who would
    only identify himself by the first name Nils found ways to disable DEP (data
    execution prevention) and ASLR (address space layout randomization), which
    are two of Windows 7's most vaunted anti-exploit features. Each contestant
    faced down the fully-patched 64-bit version of Windows 7 and came out a
    winner.

    Vreugdenhil used a two-exploit combination to circumvent first ASLR and then
    DEP to successfully hack IE8. A half-hour later, Nils bypassed the same
    defensive mechanisms to exploit Mozilla's Firefox 3.6. For their efforts,
    each was awarded the notebook they attacked, $10,000 in cash and a paid trip
    to the DefCon hackers conference in Las Vegas this July.

    "Every exploit today has been top-notch," said Aaron Portnoy, security
    research team lead at 3Com's TippingPoint security unit, the sponsor of the
    contest, in an interview at the end of the day Wednesday. "The one on IE8
    was particularly impressive."

    Vreugdenhil, a freelance vulnerability researcher, explained how he bypassed
    DEP and ASLR. To outwit ASLR -- which randomly shuffles the positions of key
    memory areas to make it much more difficult for hackers to predict whether
    their attack code will actually run -- Vreugdenhil used a heap overflow
    vulnerability that allowed him to obtain the base address of a .dll module
    that IE8 loads into memory. He then used that to run his DEP-skirting
    exploit.

    DEP, which Microsoft introduced in 2004 with Windows XP Service Pack 2,
    prevents malicious code from executing in sections of memory not intended
    for code execution and is a defense against, among other things,
    buffer-overflow attacks.

    "[The exploit] reuses Microsoft's own code to disable DEP," said
    Vreugdenhil. "You can reuse Microsoft's own code to disable memory
    protection."

    In a paper he published today, Vreugdenhil spelled out in more detail how he
    evaded both ASLR and DEP.

    "It was a two-step exploitation," Vreugdenhil said of the unusual attack. "I
    could have done it with one, but it would have taken too long." Using the
    double-exploit technique gave him control of the machine in a little over
    two minutes; if he had used only one exploit, the task would have required
    50 to 60 minutes.

    "I didn't know how much time I would have at Pwn2Own," he said, referring to
    the constraints of the contest, where hackers had limited time slots. And he
    didn't want to bore his audience. "I put some eye candy in the exploit," he
    said, referring to a progress bar he inserted that read "Please be patient
    while you are being exploited..."

    "It feels great," said Vreugdenhil of winning. "But I was nervous. I was
    convinced that there would be other exploits for IE8." This year's Pwn2Own
    was a first-come, first-served contest: The first researcher to hack each
    browser would win $10,000, but the second would take home nothing.

    Nils also sidestepped DEP and ASLR in Windows 7 when he exploited the newest
    version of Firefox later in the day. Like Vreugdenhil, Nils also was awarded
    the notebook and $10,000. This was Nils' second Pwn2Own victory; last year
    he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8.

    "As usual, Nils' exploit was very thorough," said TippingPoint's Portnoy,
    who is the organizer of the Pwn2Own contest.

    TippingPoint purchased the rights to the flaws and attack code from
    Vreugdenhil, Nils and the other Pwn2Own winners. It will turn over that
    information to Microsoft, Mozilla and other affected vendors on Friday at
    the conclusion of the contest. Until vendors patch their vulnerabilities,
    TippingPoint will not disclose any technical information about the bugs.

    Both Microsoft Corp. and Mozilla Corp. had representatives on hand during
    the contest.

    Later, Jerry Bryant, a senior manager with the Microsoft Security Research
    Center (MSRC) acknowledged the vulnerabilities exploited by Vreugdenhil, but
    little else. "Microsoft is aware of a new vulnerability in Internet Explorer
    introduced at CanSecWest in the Pwn2own contest," Bryant said in an e-mail
    Wednesday. "We are investigating the issue and we will take appropriate
    steps to protect customers when the investigation is complete."

    Bryant did not say when Microsoft would patch the flaws Vreugdenhil used.
    The company's next scheduled Patch Tuesday is April 13, but Microsoft
    typically takes much longer to produce its fixes, with testing time alone
    often running 30 to 60 days.

    The lesson from this year's Pwn2Own is pretty simple, suggested Charlie
    Miller, another of Wednesday's winners. "What you can see at Pwn2Own is that
    bugs are still in software, and exploit mitigations like DEP and ASLR don't
    work. Even as [defensive measures] improve, researchers still end up
    winning."
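The DEP and ASLR protections the article describes are per-module opt-ins recorded in each EXE/DLL's PE header, so a defender can audit whether a given binary actually asks for them. The Python below is an added example, not code from the Computerworld article or from anyone in this thread; the flag bit values are from the PE/COFF specification, while the constant names and the constructed `build_pe` test input are mine.

```python
import struct

# Bit values come from the PE/COFF specification; constant names are mine.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc table
DLL_HIGH_ENTROPY_VA = 0x0020          # 64-bit ASLR: full high-entropy bottom-up
DLL_DYNAMIC_BASE = 0x0040             # ASLR opt-in (image may be rebased)
DLL_NX_COMPAT = 0x0100                # DEP opt-in (image is NX-compatible)

def pe_mitigations(data: bytes) -> dict:
    """Report which exploit mitigations a PE image (EXE/DLL) opted in to."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header is 20 bytes after the signature; Characteristics is its last u16.
    coff_chars = struct.unpack_from("<H", data, pe_off + 4 + 18)[0]
    opt = pe_off + 24                                         # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & DLL_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & DLL_NX_COMPAT),
        "aslr_requested": dynamic_base,
        # Without a relocation table the loader cannot move the image, so it
        # lands at its preferred ImageBase every time despite DYNAMIC_BASE.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & DLL_HIGH_ENTROPY_VA),
    }

def build_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed test input: a headers-only PE image with the given flag bits."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, img in [("dep+aslr", build_pe(0x0140)), ("relocs stripped", build_pe(0x0040, 0x0001))]:
        print(name, pe_mitigations(img))
```

A module that reports `aslr_requested` but not `aslr_effective` is exactly the kind of fixed-address image whose base an attacker does not need to leak, which is why the relocation check matters as much as the DYNAMIC_BASE bit.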
     
  2. VanguardLH

    VanguardLH Flightless Bird

    Greg Russell wrote:

    > March 25, 2010 (Computerworld) Two researchers yesterday won $10,000 each at
    > the Pwn2Own hacking contest by bypassing important security measures of
    > Windows 7.

    <snipped the article that greg violates copyright by a FULL copy here rather
    than give the URL>
    <snip - Greg never asks his question in his Subject header. He lies.>

    Not only did YOU have nothing to add nor did you actually ask the question
    you posed in your Subject header, you can't even figure out where to post
    regarding Windows 7. This newsgroup discusses Windows XP. Duh! Oh, and of
    course, we were supposed to miss that you were here to slam right off the
    bat in your Subject header.

    The Microsoft community for Windows 7 is found at:
    http://social.technet.microsoft.com/Forums/en/category/w7itpro
     
  3. Greg Russell

    Greg Russell Flightless Bird

    In news:holknr$iff$1@news.albasani.net,
    VanguardLH <V@nguard.LH> typed:

    > This newsgroup discusses Windows XP. Duh!

    So does the article (but your "Duh!" indicates a vast intellectual void on
    your part):

    DEP, which Microsoft introduced in 2004 with Windows XP Service Pack 2,
    prevents malicious code from executing in sections of memory not intended
    for code execution and is a defense against, among other things,
    buffer-overflow attacks.

    "[The exploit] reuses Microsoft's own code to disable DEP," said
    Vreugdenhil. "You can reuse Microsoft's own code to disable memory
    protection."
     
  4. Jim

    Jim Flightless Bird

    <big snip>
    Since I am running XP, and may never need to use Windows 7, my answer is no.
    Jim
     
  5. LD55ZRA

    LD55ZRA Flightless Bird

    This is really worrying considering the fact that M$ has already pushed
    out nearly 135 update patches for Win7. These M$ patches are simply a
    waste of time because they are creating more holes in the systems by
    announcing these patches, and so hackers who didn't know about them do
    indeed become aware of them and they get a thrill out of hacking into
    newly patched machines.

    My policy of not updating WinXP, Win Vista and Win7 seems to have been
    vindicated by this article.

    Keep up the good work Greg. We need to be informed of these exploits!

    hth

    Greg Russell wrote:
    >
    > March 25, 2010 (Computerworld) Two researchers yesterday won $10,000 each at
    > the Pwn2Own hacking contest by bypassing important security measures of
    > Windows 7.


    --

    LVTravel <noone@none.com> is a convicted paedophilia from Johnstown, USA
    and has been outed under Megan's Law. Please report him to your local
    authorities if you see him near your kids.
     
  6. Greg Russell

    Greg Russell Flightless Bird

    In news:%23FwqO3ezKHA.5940@TK2MSFTNGP02.phx.gbl,
    Jim <j.n@invalid.invalid> typed:

    > Since I am running XP, and may never need to use Windows 7, my answer
    > is no.

    ... and yet the article implies that XP is also vulnerable due to the same
    security deficiency. Did you say your name was "Ostrich"?
     