This week in Infosec - 2008-08-18

Black Hat/Defcon Coverage

Lots of analysis of the Black Hat presentation by Mark Dowd of IBM’s ISS and Alexander Sotirov of VMWare about circumventing Vista security.

Essentially, they discovered a way to completely subvert most of Vista’s built in low-level security systems.

Let’s hope Microsoft gets it right in their next OS…

Note that there are some people saying it isn’t a big deal. Time will tell.

Here’s the summary from the speakers list of Black Hat USA 2008:

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

More coverage:

Attack Trends

I keep up to date on the NIST’s National Vulnerability Database, updates to the milw0rm exploit database, and many others.

Though I don’t read all the alerts in detail (there are usually about 40 per day), I do try to scan enough to get an idea of what’s being disclosed.

The bulk seem to be SQL Injection Vulnerabilities or Cross Site Scripting (XSS).

These attacks can be very potent.

SQL injection can lead to information disclosure, unauthorized data modification, and data loss.

SQL injection attacks run through the browser and web server directly to the database.

XSS generally involves inserting script into URLs or user input form fields that, when viewed by others, causes the script to run. The scripts run in the context of the user’s browser security zone, and have access to all cookies and whatnot.

Both types of attacks are difficult to deal with using “security tools.” Most host-based intrusion detection systems (antivirus, anti-spyware, etc.) are useless.

In both cases, application modifications need to be made.  Additionally, layer 7 firewalls can be employed to try to prevent these types of attacks.

From a defense-in-depth perspective, both approaches should be employed.
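Both fixes described above are application-side changes. As an added example (not code from the original post), here is a user lookup written with string concatenation beside a parameterised version, plus output encoding for the XSS case, run against a constructed in-memory SQLite table:

```python
# Added example (not from the original post): a user lookup written two
# ways, to show why SQL injection is an application defect that no
# host-based tool can fix. Uses an in-memory SQLite database with
# constructed sample data.
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote character in the input changes the query's meaning.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    # XSS fix on the output side: encode untrusted text before it reaches HTML,
    # so markup in the input is displayed rather than executed by the browser.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # constructed test input, not a real request
    print(lookup_vulnerable(db, tautology))  # both rows leak
    print(lookup_safe(db, tautology))        # no match
    print(render_greeting("<script>alert(1)</script>"))
```

The same input yields every row from the concatenated query and nothing from the parameterised one, which is the whole difference a layer 7 firewall can only approximate from the outside.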

On another front, attacks against social networking sites continue.

As more and more private data gets into these online resources, they become a more attractive target for attackers.

New Attack Vectors

Kris Kaspersky of Kaspersky Labs has uncovered flaws in Intel processors that allow remote attackers to execute arbitrary code on any computer that uses the flawed processor.

Man, that’s crazy stuff…

I wrote a blog post about it, “Why agro the OS when you can pwn the hardware?”

Bill
