
August 8, 2008

Vista security could be fundamentally flawed

By John Lister





Two security researchers claim they’ve found a foolproof way to exploit a basic security flaw in the way Vista operates.

In a presentation to the Black Hat security conference in Las Vegas, IBM’s Mark Dowd and VMware’s Alexander Sotirov said they’d found a loophole in Vista’s memory protection system.

This is the system which controls how much memory each application can use, and is mainly designed to stop one program hogging all the memory and causing everything else to seize up. However, it also serves an important security purpose by stopping rogue software accessing the entire system.

The security features of memory protection tend to be based around looking out for common attack methods, and checking for any suspicious behaviour. However, Dowd and Sotirov say some of these features are not switched on by default in Vista. It appears this was a compromise to avoid compatibility problems.

The result is that hackers have a much easier time gaining control of a system through internet browsers. The flaw causes particular vulnerabilities in Java and Flash, which aren’t subject to a potential back-up security measure known as Address Space Layout Randomisation (ASLR), which randomly arranges some of the most important data behind software’s operations.
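An added example, not from the article or the researchers' talk: on Vista a module is relocated by ASLR only if its PE header sets the DYNAMIC_BASE bit in DllCharacteristics, so a defender can audit which loaded modules opt out. The sample images are constructed header-only stubs and the module names are hypothetical.

```python
import struct

DYNAMIC_BASE = 0x0040  # DllCharacteristics bit: image opts in to ASLR (PE/COFF spec)

def aslr_enabled(image: bytes) -> bool:
    """Return True if a PE image's header opts the module in to ASLR."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return bool(chars & DYNAMIC_BASE)

def modules_without_aslr(modules: dict) -> list:
    """Names of modules (name -> image bytes) that do not opt in to ASLR."""
    return sorted(name for name, img in modules.items() if not aslr_enabled(img))

def build_sample(chars: int) -> bytes:
    """Constructed header-only PE32 stub for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed sample set; the names are hypothetical, not real plug-in files.
SAMPLES = {
    "browser_core.dll": build_sample(0x0140),
    "legacy_plugin_a.dll": build_sample(0x0000),
    "legacy_plugin_b.dll": build_sample(0x0100),
}

if __name__ == "__main__":
    for name in modules_without_aslr(SAMPLES):
        print(f"{name}: loads at a predictable address (no DYNAMIC_BASE)")
```
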

The flaw’s effect is equivalent to every pinprick in browser security becoming a gaping hole in the entire system. Or to put it another way, it’s like locking all the doors and windows in your home but leaving your valuables in an unlocked safe.

If Dowd and Sotirov are to be believed, it’s not something that can be fixed with a patch, because it’s an underlying problem in Vista itself.

Microsoft hasn’t commented on the specifics of the flaw, but a senior security figure said the firm is aware of the research and will look into the details.





  • One Response to “Vista security could be fundamentally flawed”

    1. N/A:

      In a presentation to the Black Hat security conference in Las Vegas, IBM’s Mark Dowd and VMware’s Alexander Sotirov (pictured left) said they’d found a loophole in Vista’s memory protection system
      If Dowd and Sotirov are to be believed, it’s not something that can be fixed with a patch, because it’s an underlying problem in Vista itself.

      go read:
      http://arstechnica.com/journals/microsoft.ars/2008/08/12/black-hats-alexander-sotirov-vista-security-is-not-broken
