Symantec Security Response has spent months throwing every hack but the kitchen sink at Microsofts Vista operating system, and on Feb. 28 it released a series of papers that showed just how bloodied or victorious Vista remained.
The result: “There are existing codes that can survive Vista without being modified— [certain] keyloggers, worms, Trojans, and spyware are able to survive,” said Symantec Research Scientist Ollie Whitehouse in an interview with eWEEK.
The current threat level of the Vista security-resistant malware is “relatively low,” Whitehouse said, but he said that out of box, Vista already has several legacy threats. “It wont take much for [those] to evolve,” he said.
This is in spite of Microsofts years of work and investments in new security technologies, which Symantec predicted will result in “fewer instances of widespread worms that target core Windows operating system vulnerabilities,” researchers wrote in one report, “Microsoft Windows Vista and Security.”
The papers form one of the latest swipes at Vista security taken by security vendors including Symantec, who suddenly found Microsoft to be a large and fearsome competitor when the software giant leapt into the security software game.
The papers explore new security features in Vista, including UAC (User Access Control), as well as Microsofts overhauls of older technologies, including the stack itself. The research also focused on whether Vista can withstand being assaulted by todays breed of malware threats, as well as what it would take for malware authors to evolve their techniques to be Vista-compatible.
Symantec has also been picking apart Vistas GS compiler, which aims to catch software developer flaws that spawn buffer overflows, as well as Vistas new defense against memory manipulation, called ASLR (Address Space Layout Randomization). These last two Vista security components, GS and ASLR, are the subject of a presentation Whitehouse will be delivering Feb. 28 at Black Hat Federal in Arlington, Va.
The synopsis of Whitehouses Black Hat presentation promises some “surprising results” when it comes to ASLR.
ASLRs job is to “shuffle” the address space deck, randomly locating programs in memory and making it tougher for attackers to pinpoint a target during an exploit of a vulnerable application. Symantec found that although when implemented correctly ASLR is “extremely effective” at mitigation memory corruption attacks, ASLRs randomization was “not as random as expected.”
“One of the randomized components was not randomized consistently, resulting in a reduced degree of randomness in the layout of an applications memory,” the paper reports. “This reduction does increase the likelihood that an attacker can guess the correct address to target.”
Microsoft has acknowledged Symantecs findings and said it will address the issue in Windows Vista SP1.
Symantec also looked at one of Vistas most controversial kernel protection technologies, PatchGuard. PatchGuard, as its name implies, protects the kernel from being patched or extended in kernel memory—tampering that can give malicious code a way to load into the heart of the operating system. However, the paper points out, rootkit writers use the same techniques as PatchGuard to ensure their actions arent detected.
Only the 64-bit version of Vista is equipped with this technology, while the 32-bit—likely to be the standard deployment for some years to come—is not.
Next Page: Hackers “can and will subvert PatchGuard.”
Symantec confirmed in the paper what was demonstrated during Vistas development: that hackers “can and will subvert PatchGuard.” “The kernel integrity protection mechanisms that are present on 64-bit Windows Vista can only be described as a bump in the road,” it said. “While these technologies may slow down an attacker, they do not provide a meaningful defense against a determined attacker.”
Symantec researchers in fact managed to disable all three of Vistas primary kernel protections: driver signing, code integrity and PatchGuard. “Results have shown that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort,” the paper said. “A potential victim need make only one mistake to become infected by such a threat. The result: All new security technologies are stripped from their Windows Vista installation in their entirety.”
As for Microsofts UAC (User Account Control), a prompt that requires user approval when an application attempts to escalate privileges, Whitehouse had earlier this month posted a way to trick Vista into allowing a malicious prompt to come off as legitimate by posing as a Windows system component. Microsoft isnt recognizing this as a vulnerability, given that UAC isnt considered a hard security boundary, as is a firewall, for example. Rather, Microsoft says, UAC is a chance to verify an attack before it happens.
All told, about 2,000 malicious code samples, extracted from Symantecs virus library, were thrown at Vista in Symantecs testing. The anti-virus vendor found that 3 percent of backdoors could execute and survive a system restart without any code change. Four percent of keyloggers successfully survived system restart, while 4 percent of mass mailers, 2 percent of Trojans, 2 percent of spyware and 2 percent of adware did. No kernel-based rootkits were able to install themselves, however, thanks to Vistas default limiting of application privilege. These code samples will evolve to accommodate Vistas security technologies, Symantec maintained, allowing malwares success to grow over time.
In hindsight, it would seem like many of Vistas vulnerabilities would have been obvious to address in the operating systems years of development. However, Whitehouse pointed out, constructing an operating system does in fact take years, and Microsofts Vista team of course had to rely on the state of security knowledge and malware evolution as it stood historically.
“Id bet [Microsofts malware code samples] were probably 4 or 5 years old” when Vista development was ongoing, Whitehouse said. As a response to Symantecs findings, Microsoft provided this statement:
“We remain confident that Windows Vista is the most secure version of Windows to date and are encouraged by similar feedback weve received from Symantec and others in the industry. It is important to note that none of the security features in Windows Vista, either individually or collectively, are intended as a Silver Bullet solution to the problem of computer security. Instead, our defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, thus making it more secure.
“Security is about making choices. Make it too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and increase the chance that a system can be attacked. We believe Microsoft has developed the right balance and made the right decisions when evaluating the tradeoffs between usability and security. This report does not properly address the fact that many of the Window Vista security technologies have numerous options that allow for a user to make their own judgments as to their need for security balanced against usability.
“That said, we are evaluating the information provided by Symantec in these reports that details methods an attacker could potentially use to circumvent security features in Windows Vista, specifically about the GS Flag and Address Space Layout Randomization, and will take any action, if needed, to help make these features stronger or more resilient.”
Editors Note: This story was updated to include Microsofts response.