Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also for how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.
Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.
“The genius of this is that it’s completely reusable,” said Dino Dai Zovi, a well-known security researcher and author. “They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.
“What this means is that almost any vulnerability in the browser is trivially exploitable,” Dai Zovi added. “A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks.”
Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process’s stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd’s and Sotirov’s methods, it would be of no use.
“This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,” Dai Zovi said. “If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they’re safe because they’re .NET objects, you see that Microsoft didn’t think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.”
Microsoft officials have not responded to Dowd’s and Sotirov’s findings, but Mike Reavey, group manager of the Microsoft Security Response Center, said Wednesday that the company is aware of the research and is interested to see it once it becomes public.
Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.
“This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,” Dai Zovi said. “I definitely think this will get reused soon, sort of like heap spraying was.”
First, it was Windows XP SP1. Then Windows Vista SP3. Now it’s the Visual Studio and .NET Framework 3.5 SP1, due by the end of summer. The connection? Microsoft’s service packs keep growing in importance as a means of updating key products between official releases.
Promoting the first SP for Visual Studio 2008 and .NET Framework 3.5, officially launched just six months ago, Microsoft has said SP1 – like its predecessors – is no ordinary SP.
Ian Ellison-Taylor, general manager for Microsoft’s presentation platforms and tools team, called SP1 a “pretty big milestone” because it quickly connects web-side applications to databases through a new framework. SP1 also cuts the size of the .NET Framework 3.5, which was tailored for Windows Vista, by 85 per cent to make it easier to download and run on Windows XP machines.
“This is a big inflection point,” Ellison-Taylor promised The Reg. “The traditional SP is a bunch of bug fixes – good stuff but not headline stuff.”
SP1 is Microsoft’s attempt to make Visual Studio more suited to web-side development, and see off Adobe Systems’ Dreamweaver. “It’s much easier than using Dreamweaver 2004 for SQL Server connections,” Ellison-Taylor claimed.
What can we expect this time?
According to Ellison-Taylor, the SP introduces an ADO entity framework that lets you program using high-level objects, picking your database and tables, and that does the heavy lifting by connecting to and sucking in data. The framework talks to the database and pulls in the objects for connection to an ASP.NET template.
You edit data on the site, and changes will be updated inside the database. SP1 will reduce the amount of time spent manually coding and linking to connect, and then synchronize changes between the website and the server, so you can get on with scripting the interface.
Out of the box, SP1 will connect to SQL Server 2008, MySQL, IBM’s DB2 and Oracle, and there’s a pluggable framework for connection to other databases.
Mobile versions of .Net and Java currently lead the way as preferred platforms for wireless application developers, but newcomers in this space, Mac OS and Android, are expected to pick up steam, Evans Data said.
Results of a survey being released Tuesday by Evans have 43 percent of developers targeting Microsoft’s .Net Compact Framework and 42 percent opting for Java ME (Micro Edition). The survey gauged the views of 384 developers worldwide in May and June.
Also ranking in the survey were Windows Mobile 6.0, with 31 percent; and the following contenders: Linux, 25 percent; Nokia Series 80, 22 percent; Symbian, 20 percent; Windows Mobile 5.0, 19 percent; Java, 18 percent; Palm OS, 15 percent; RIM OS, 14 percent; Mac OS 10, 8 percent; and Android, 7 percent.
But Mac OS X development, which covers Apple’s popular iPhone device, and Android, the mobile platform project led by Google, are expected to grow in popularity, said John Andrews, Evans president and CEO, in an interview on Monday.
“We don’t see these numbers as negative. In fact, we see them [as a positive step since] they’re actually on the radar screen this early in their lifecycle,” Andrews said.
Android systems are not even on the market yet; they are due in the second half of this year. Android is under the jurisdiction of the Open Handset Alliance.
Evans does not expect Mac OS X and Android to displace any of the entrenched leaders. But gains in market share by these two platforms could come at the expense of platforms such as Symbian, Windows Mobile 5.0, or Palm OS, Andrews said.
Fifty percent of developers included in the survey were building browser- or Web content-based applications, while 30 percent were developing ecommerce applications, 24 percent were building wireless portal applications, and 24 percent were developing CRM systems.
Target hardware platforms cited in the survey included Nokia, sought after by 56 percent of respondents, followed by Motorola with 33 percent, and Sony Ericsson, at 29 percent.
Obstacles cited to building wireless applications include cross-platform testing requirements and lack of access to device APIs. Also, more than one-third of developers were building applications for external use by their company’s customers, Evans found. Additionally, the company learned that location-based information is used far more in development in Asia and Europe than in North or South America.
Source: InfoWorld