Daily Archives: August 11, 2008

Chicken Little Reportage

Peter Bright calls out some of the reporting on the Vista Security Bypass issue that was discussed at the recent Black Hat conference. He labels some of the reporting “Chicken Little runs amok” and asserts that the sky is not falling:

This is certainly unfortunate. The great thing about these protection mechanisms is that they provided a degree of safety even when applications contained bugs. That will no longer be the case, at least for web browsers (programs that do not support third-party plugins (or apply more stringent checks to those plugins) might continue to benefit from the protections). Unfortunate, yes, but not-as was reported in the immediate aftermath of the presentation-evidence that Vista’s security is useless, nor does this work constitute a major security issue. And it’s not game over, either. Sensationalism sells, and there’s no news like bad news, but sometimes-particularly when covering security issues-it would be nice to see accuracy and level-headedness instead. Alarmism helps no one. Responsible vulnerability disclosure is a big concern in the security industry; it would be good to see it coupled with responsible reporting.

The work done by Dowd and Sotirov focuses on making buffer overflows that were previously not exploitable on Vista exploitable. These are buffer overflows that would be exploitable on Windows XP anyway; after all, there’s no need to defeat ASLR if an OS does not have ASLR at all. Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista’s (in)famous UAC restrictions. DEP, ASLR, and the other mitigation features in Vista are unlikely to ever be unbreakable, especially in an application like a web browser that can run both scripts and plugins of an attacker’s choosing. Rather, their purpose is to make exploitation more difficult. Microsoft has a solution for those wanting to make it impossible-use .NET. These protections are there for when that’s not an option, to reduce-but not eliminate-the vulnerability caused by such programming errors. Even with DEP and ASLR, the coding errors that result in buffer overflows still ought to be fixed; it is only through fixing the errors that the flaws can truly be eliminated.

Peter makes a very good point here. Alarmism doesn’t help.