I picked up an interesting story over at Neowin entitled “Vista’s Security Rendered Completely Useless by New Exploit” which reports on a new technique that can “bypass all memory protection safeguards that Microsoft built into Windows Vista.”
The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.
Instead of exploiting a security vulnerability, the researchers, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc., took advantage of the architecture of Windows Vista. Another researcher described the technique as “completely game over.”
It’s currently not known if other operating systems are vulnerable as well, but it is very likely. The best defense against this attack would be an add-on like NoScript that would most likely prevent it completely.

Crap!
But I have NoScript on Firefox installed. Still use IE to test blogs and websites.
Still…CRAP!
(That’s a technical term.)
No fear, having a real antivirus saves you from all those troubles. It’s going to be fixed soon though, much like the last Linux root exploit.
Sorry to disappoint, darkkosmos. I went and checked out the reports from the BlackHat conference. It appears to use .net dlls and scripting (any type of scripting). This will bypass any antivirus out there. Antivirus programs are not designed for this.
And I’m pretty sure he’s using a Null Pointer hack to load the dlls.
Dante how does memory corruption stop an anti virus? My anti virus terminates any application/loaded dll that behaves strangely and purges it into the “bucket”, so even if it gets in it won’t work and this all depends on .Net which I don’t have and I think my anti virus scans memory too.
@ darkkosmos. Your anti-virus doesn’t stop behaviors. It stops programs with codes that match existing virus codes (signatures). Or it does a heuristic scan to see if it looks even remotely like a virus code. But your anti-virus does not know what is or is not proper program behavior.
This is why firewalls are recommended as a companion to anti-virus programs. They show any weird activities that your PC might have. Like suddenly dialing out to Russia.
And using a null pointer hack, a hacker can load legit functioning dll’s in memory. Then use it to write programs into hard drive and registry. All perfectly normal to an anti-virus program. At least, this is what I’m thinking this exploit is.
Of course, I’m not a hacker :)
Oh, sorry. Forgot something. You might be referring to anti-viruses blocking changes to the registry. But that’s only because the OS allows it to block the changes to registry. .Net dll’s will override that – for your own convenience of course.
No, I mean it, sometimes my anti virus stops Firefox (annoying). And explain to me how a legit looking dll can cause havoc on my system?
To “darkkosmos”: that’s because the dll in question carries codes that match a virus signature. Or it is set to change your registry and it’s just warning you that the registry will change.
So what stops this “legit” looking dll from being marked as a virus? (+I don’t even have .net, this is an “if”)
If it uses activex controls everyone knows already those are the most popular form of virus on the net to screw your computer. I don’t dl them unless I need to go to a site for work.
A null pointer hack does not need activeX to succeed. And darkkosmos, if you have Vista, you have .Net :)