In a presentation at the Black Hat briefings, Mark Dowd and Alexander Sotirov demonstrated new methods they have found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others, using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.
In their presentation at Black Hat, Dowd and Sotirov stressed that despite their advances in getting around the Vista memory protections, a number of security mechanisms remain in place in the operating system to mitigate attacks. Internet Explorer running in Protected Mode, for example, can protect against attacks that overwrite some files. Also, some of the pair's attacks will be addressed in future versions of third-party software, including Flash, which will opt into ASLR in its next release.
The message that emerged from Dowd and Sotirov's presentation is that although Microsoft, of Redmond, Wash., went to great lengths to upgrade the security of Vista over that of Windows XP, there are still ways in. "The protection mechanisms in Windows Vista are not very effective at preventing browser exploits," Sotirov said in the presentation. "The game has changed and browsers are now the major threat. Even on Vista where ASLR is enabled, we're able to put our data where we want."
"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over. What this means is that almost any vulnerability in the browser is trivially exploitable."
Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomizing the locations of a process's stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd and Sotirov's methods it would be of no use.
"This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," Dai Zovi said. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."
In the paper on which their presentation was based, Dowd and Sotirov say that while their attacks may give attackers the upper hand right now, they expect Microsoft and other vendors to respond quickly.
"In this paper we demonstrated that the memory protection mechanisms available in the latest versions of Windows are not always effective when it comes to preventing the exploitation of memory corruption vulnerabilities in browsers. They raise the bar, but the attacker still has a good chance of being able to bypass them. Two factors contribute to this problem: the degree to which the browser state is controlled by the attacker; and the extensible plugin architecture of modern browsers. The authors expect these problems to be addressed in future releases of Windows and browser plugins shipped by third parties," they say in their conclusion.
"This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon, sort of like heap spraying was."
This story was updated and corrected to include more accurate information on Dowd and Sotirov's attacks from their paper and their session at Black Hat.