    Symantec: Out of the Box, Vista Prone to Legacy Threats

    By Lisa Vaas - February 28, 2007

      Symantec Security Response has spent months throwing every hack but the kitchen sink at Microsoft's Vista operating system, and on Feb. 28 it released a series of papers that showed just how bloodied or victorious Vista remained.

      The result: “There are existing codes that can survive Vista without being modified— [certain] keyloggers, worms, Trojans, and spyware are able to survive,” said Symantec Research Scientist Ollie Whitehouse in an interview with eWEEK.

      The current threat level of the Vista-resistant malware is "relatively low," Whitehouse said, but he said that out of the box, Vista already faces several legacy threats. "It won't take much for [those] to evolve," he said.

      This is in spite of Microsoft's years of work and investment in new security technologies, which Symantec researchers predicted will result in "fewer instances of widespread worms that target core Windows operating system vulnerabilities," as they wrote in one of the reports, "Microsoft Windows Vista and Security."

      The papers form one of the latest swipes at Vista security taken by security vendors including Symantec, who suddenly found Microsoft to be a large and fearsome competitor when the software giant leapt into the security software game.

      The papers explore new security features in Vista, including UAC (User Account Control), as well as Microsoft's overhauls of older technologies, including the stack itself. The research also focused on whether Vista can withstand being assaulted by today's breed of malware threats, as well as what it would take for malware authors to evolve their techniques to be Vista-compatible.

      Symantec has also been picking apart Vista's GS compiler, which aims to catch software developer flaws that spawn buffer overflows, as well as Vista's new defense against memory manipulation, called ASLR (Address Space Layout Randomization). These last two Vista security components, GS and ASLR, are the subject of a presentation Whitehouse will be delivering Feb. 28 at Black Hat Federal in Arlington, Va.

      The synopsis of Whitehouse's Black Hat presentation promises some "surprising results" when it comes to ASLR.

      ASLR's job is to "shuffle" the address space deck, randomly locating programs in memory and making it tougher for attackers to pinpoint a target during an exploit of a vulnerable application. Symantec found that although ASLR, when implemented correctly, is "extremely effective" at mitigating memory corruption attacks, ASLR's randomization in Vista was "not as random as expected."

      "One of the randomized components was not randomized consistently, resulting in a reduced degree of randomness in the layout of an application's memory," the paper reports. "This reduction does increase the likelihood that an attacker can guess the correct address to target."
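      The paper's point is that a component which is randomized only some of the time delivers less entropy than its varying address bits suggest. As an added example (not from Symantec's paper or this article), the following Python assesses that from base addresses recorded across repeated launches of a program; the address samples and the 8-bit randomization budget are constructed for illustration.

```python
"""Estimate how much randomness an ASLR implementation actually delivers
from load addresses observed across many launches of the same program."""
from collections import Counter
from math import log2

# Constructed samples. On a real system each entry would be the base address
# of one module, recorded once per process launch.
BASE = 0x7FF00000000
# A component randomized consistently across 16 distinct 64 KiB slots.
GOOD = [BASE + k * 0x10000 for k in range(16)]
# A component randomized only half the time: 8 launches land on the
# un-randomized default, the other 8 on distinct random slots.
INCONSISTENT = [BASE] * 8 + [BASE + k * 0x10000 for k in range(1, 9)]


def effective_entropy_bits(addresses):
    """Shannon entropy, in bits, of the observed address distribution."""
    n = len(addresses)
    return -sum(c / n * log2(c / n) for c in Counter(addresses).values())


def varying_bits(addresses):
    """Bit positions that differ between at least two observations."""
    ored, anded = 0, ~0
    for addr in addresses:
        ored |= addr
        anded &= addr
    diff = ored & ~anded  # set in some samples but not all
    return [i for i in range(64) if diff >> i & 1]


def assess(addresses, expected_bits):
    """Compare delivered randomness against the budget the design claims.

    expected_bits is an assumed budget, not a figure from the article.
    repeat_rate is the share of launches at the single most common address,
    i.e. an attacker's success chance if they simply guess that address.
    """
    entropy = round(effective_entropy_bits(addresses), 2)
    _, hits = Counter(addresses).most_common(1)[0]
    return {
        "varying_bits": len(varying_bits(addresses)),
        "entropy_bits": entropy,
        "repeat_rate": hits / len(addresses),
        "shortfall_bits": round(expected_bits - entropy, 2),
    }


if __name__ == "__main__":
    for name, sample in (("consistent", GOOD), ("inconsistent", INCONSISTENT)):
        print(name, assess(sample, expected_bits=8))
```

      Both samples touch the same four address bits, so counting varying bits alone would miss the weakness; the entropy and repeat-rate figures expose it.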

      Microsoft has acknowledged Symantec's findings and said it will address the issue in Windows Vista SP1.


      Symantec also looked at one of Vista's most controversial kernel protection technologies, PatchGuard. PatchGuard, as its name implies, protects the kernel from being patched or extended in kernel memory, tampering that can give malicious code a way to load into the heart of the operating system. However, the paper points out, rootkit writers use the same techniques as PatchGuard to ensure their actions aren't detected.

      Only the 64-bit version of Vista is equipped with this technology; the 32-bit version, likely to be the standard deployment for some years to come, is not.


      Symantec confirmed in the paper what was demonstrated during Vista's development: that hackers "can and will subvert PatchGuard." "The kernel integrity protection mechanisms that are present on 64-bit Windows Vista can only be described as a bump in the road," it said. "While these technologies may slow down an attacker, they do not provide a meaningful defense against a determined attacker."

      Symantec researchers in fact managed to disable all three of Vista's primary kernel protections: driver signing, code integrity and PatchGuard. "Results have shown that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort," the paper said. "A potential victim need make only one mistake to become infected by such a threat. The result: All new security technologies are stripped from their Windows Vista installation in their entirety."

      As for Microsoft's UAC (User Account Control), a prompt that requires user approval when an application attempts to escalate privileges, Whitehouse had earlier this month posted a way to trick Vista into letting a malicious prompt pass as legitimate by posing as a Windows system component. Microsoft isn't recognizing this as a vulnerability, given that UAC isn't considered a hard security boundary in the way a firewall is, for example. Rather, Microsoft says, UAC is a chance to verify an attack before it happens.


      All told, about 2,000 malicious code samples, extracted from Symantec's virus library, were thrown at Vista in Symantec's testing. The anti-virus vendor found that 3 percent of backdoors could execute and survive a system restart without any code change. Four percent of keyloggers successfully survived a system restart, as did 4 percent of mass mailers, 2 percent of Trojans, 2 percent of spyware and 2 percent of adware. No kernel-based rootkits were able to install themselves, however, thanks to Vista's default limiting of application privilege. These code samples will evolve to accommodate Vista's security technologies, Symantec maintained, allowing malware's success rate to grow over time.

      In hindsight, it would seem that many of Vista's weaknesses should have been obvious to address during the operating system's years of development. However, Whitehouse pointed out, constructing an operating system does in fact take years, and Microsoft's Vista team of course had to rely on the state of security knowledge and malware evolution as it stood at the time.

      "I'd bet [Microsoft's malware code samples] were probably 4 or 5 years old" when Vista development was ongoing, Whitehouse said. In response to Symantec's findings, Microsoft provided this statement:

      "We remain confident that Windows Vista is the most secure version of Windows to date and are encouraged by similar feedback we've received from Symantec and others in the industry. It is important to note that none of the security features in Windows Vista, either individually or collectively, are intended as a Silver Bullet solution to the problem of computer security. Instead, our defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, thus making it more secure.

      "Security is about making choices. Make it too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and increase the chance that a system can be attacked. We believe Microsoft has developed the right balance and made the right decisions when evaluating the tradeoffs between usability and security. This report does not properly address the fact that many of the Windows Vista security technologies have numerous options that allow for a user to make their own judgments as to their need for security balanced against usability.

      “That said, we are evaluating the information provided by Symantec in these reports that details methods an attacker could potentially use to circumvent security features in Windows Vista, specifically about the GS Flag and Address Space Layout Randomization, and will take any action, if needed, to help make these features stronger or more resilient.”

      Editor's Note: This story was updated to include Microsoft's response.


      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
