Symantec: Out of the Box, Vista Prone to Legacy Threats

Updated: The company takes another swipe at the operating system in a series of papers that explore new security features in Vista as well as Microsoft's overhauls of older technologies.

Symantec Security Response has spent months throwing every hack but the kitchen sink at Microsoft's Vista operating system, and on Feb. 28 it released a series of papers showing how well Vista held up.

The result: "There are existing codes that can survive Vista without being modified— [certain] keyloggers, worms, Trojans, and spyware are able to survive," said Symantec Research Scientist Ollie Whitehouse in an interview with eWEEK.

The current threat level posed by malware that survives Vista's defenses is "relatively low," Whitehouse said, but out of the box Vista is already exposed to several legacy threats. "It won't take much for [those] to evolve," he said.

This is in spite of Microsoft's years of work and investment in new security technologies, which, Symantec predicted in one report, "Microsoft Windows Vista and Security," will result in "fewer instances of widespread worms that target core Windows operating system vulnerabilities."

The papers are among the latest swipes at Vista's security by security vendors, Symantec included, which suddenly found Microsoft to be a large and fearsome competitor when the software giant entered the security software business.

The papers explore new security features in Vista, including UAC (User Account Control), as well as Microsoft's overhauls of older technologies, including the network stack itself. The research also examined whether Vista can withstand today's breed of malware, and what it would take for malware authors to evolve their techniques to be Vista-compatible.

Symantec has also been picking apart Vista's use of GS stack protection, a Visual C++ compiler option (/GS) that inserts a security cookie into stack frames to catch the developer flaws that spawn buffer overflows, as well as Vista's new defense against memory manipulation, ASLR (Address Space Layout Randomization). These two components, GS and ASLR, are the subject of a presentation Whitehouse will deliver Feb. 28 at Black Hat Federal in Arlington, Va.

The synopsis of Whitehouse's Black Hat presentation promises some "surprising results" when it comes to ASLR.

ASLR's job is to "shuffle" the address-space deck, loading programs at random locations in memory so that an attacker exploiting a vulnerable application cannot rely on a known address for the target. Symantec found that although ASLR, when implemented correctly, is "extremely effective" at mitigating memory corruption attacks, Vista's randomization was "not as random as expected."

"One of the randomized components was not randomized consistently, resulting in a reduced degree of randomness in the layout of an application's memory," the paper reports. "This reduction does increase the likelihood that an attacker can guess the correct address to target."

Microsoft has acknowledged Symantec's findings and said it will address the issue in Windows Vista SP1.
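The kind of check behind a finding like this is easy to reproduce on any system: run a fresh process many times, record where its stack, heap and code land, and look at how many distinct values appear and which bit positions ever change. The harness below is an added example, not code from Symantec's papers or from Microsoft; it is written for a POSIX system rather than Vista, and it assumes it is launched with a path argv[0] that the shell can resolve (e.g. ./aslr_probe) so that it can re-execute itself through popen. RUNS is an arbitrary sample size chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RUNS 32   /* number of child processes to sample (chosen for the example) */

/* OR together the XOR of every sample against the first one: the result has
   a 1 in every bit position that changed at least once across the samples.
   Its popcount is an upper bound on how many address bits are randomized;
   bits that never change (alignment bits, fixed high bits) stay 0. */
uint64_t varying_bits(const uint64_t *addrs, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= addrs[i] ^ addrs[0];
    return mask;
}

int popcount64(uint64_t x)
{
    int c = 0;
    for (; x; x &= x - 1)   /* clear the lowest set bit each round */
        c++;
    return c;
}

/* Number of distinct values in the sample. With n runs this is at most n, so
   repeated values inside a small sample are the red flag, not the absolute count. */
size_t distinct_count(const uint64_t *addrs, size_t n)
{
    size_t d = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (addrs[j] == addrs[i])
                break;
        if (j == i)
            d++;
    }
    return d;
}

/* Child mode: print one stack, one heap and one code address, then exit. */
static void probe(void)
{
    int local;
    void *heap = malloc(64);
    printf("%" PRIx64 " %" PRIx64 " %" PRIx64 "\n",
           (uint64_t)(uintptr_t)&local,
           (uint64_t)(uintptr_t)heap,
           (uint64_t)(uintptr_t)&probe);
    free(heap);
}

static void report(const char *name, const uint64_t *a, size_t n)
{
    uint64_t mask = varying_bits(a, n);
    printf("%-5s distinct=%2zu/%zu  varying-bit mask=%016" PRIx64 " (%d bits)\n",
           name, distinct_count(a, n), n, mask, popcount64(mask));
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        probe();
        return 0;
    }
    uint64_t stack[RUNS], heap[RUNS], code[RUNS];
    char cmd[512];
    /* Assumes argv[0] is a path the shell can resolve, e.g. ./aslr_probe */
    snprintf(cmd, sizeof cmd, "\"%s\" --probe", argv[0]);
    for (size_t i = 0; i < RUNS; i++) {
        FILE *p = popen(cmd, "r");
        if (!p) {
            perror("popen");
            return 1;
        }
        int got = fscanf(p, "%" SCNx64 " %" SCNx64 " %" SCNx64,
                         &stack[i], &heap[i], &code[i]);
        pclose(p);
        if (got != 3) {
            fprintf(stderr, "failed to sample child %zu\n", i);
            return 1;
        }
    }
    report("stack", stack, RUNS);
    report("heap", heap, RUNS);
    report("code", code, RUNS);
    return 0;
}
```

The two numbers bracket the truth from opposite sides: the distinct count can never exceed the number of runs, so it understates entropy, while the varying-bit mask only says which positions moved at least once, so it overstates it. A region that is supposed to be randomized but shows the same value twice in a few dozen runs, or whose mask has only a handful of set bits, is exactly the "not randomized consistently" symptom the paper describes, and the popcount is the exponent in the attacker's expected number of guesses.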


Symantec also looked at one of Vista's most controversial kernel protection technologies, PatchGuard. PatchGuard, as its name implies, protects the kernel from being patched or extended in kernel memory, tampering that can give malicious code a way to load into the heart of the operating system. However, the paper points out, PatchGuard relies on the same techniques rootkit writers use to keep their own actions from being detected.

Only the 64-bit version of Vista includes this technology; the 32-bit version, likely to be the standard deployment for some years to come, does not.

Next Page: Hackers "can and will subvert PatchGuard."