J
Jeff
Oops,
Sorry Edward; mixed up your name
Jeff
Sorry Edward; mixed up your name
Jeff
Edward Ray said:
E
Edward Ray
Jeff said:
When it comes to someone commenting on my education yes I am.
From what I saw at Blackhat, and so far after 24 hours of Vista RC1, I am
not too impressed. From Paul Thurrott's Website:
I have to give Microsoft some credit: Last week, the company invited hackers
at the Black Hat USA 2006 security conference in Las Vegas to hack into
Windows Vista after giving them a tour of the upcoming OS's new security
features. Hackers at the show came away impressed with both Microsoft's
candor and some of the new security features, although many of them added
that the improvements were long overdue.
But the real news from the show is that Vista was actually successfully
hacked the very day that Microsoft made its Black Hat presentation. And that
news has to have Microsoft's customers worried.
Sure, Vista's still in beta, but we're in the release candidate (RC) phase
of development now and that supposedly means that the next potential Vista
milestone is a build of the product that Microsoft considers a candidate for
the final release version. (Reality update:
In a bit of name bending, the Vista RC1, still expected this month, will
have more in common with a beta release than the final shipping
version.)
Here's the thing. Vista is feature complete and has been since early this
year. Microsoft will no doubt change Vista's security features to prevent
the kind of hack that was demonstrated during Black Hat (in which a Polish
security researcher used virtualization technologies to bypass Vista's
security). But this is exactly the kind of reactive security measure that
Microsoft's newly minted and much-ballyhooed security code review was
supposed to prevent. It's not hard to imagine other security flaws being
exposed after Vista is finalized. What happens then? A monthly deluge of
security updates, just like happened with Windows XP.
Joanna Rutkowska, the researcher who demonstrated how to bypass Vista's
security, made an interesting comment that pretty much sums up my
expectations. "The fact that this mechanism was bypassed does not mean that
Vista is completely insecure," she said. "It's just not as secure as
advertised. [But] iIt's very difficult to implement a 100 percent-efficient
kernel protection." In other words, Vista will be more secure than XP, but
will still face security problems. Thus, the status quo is likely to
continue. That's a bad sign.
Rutkowska calls her hack Blue Pill, and it uses AMD's Pacifica
virtualization technologies, plus a bit of user interaction-- bypassing User
Account Protection (UAP) by pressing the Accept button in a dialog box--to
pull off its magic. Some people might argue that such a complex series of
steps speaks well of Vista's security. But in my experience, most of the
best hacks are bootstrapped by user error. Humans are pretty much the
weakest link in the security chain.
It's no wonder, when you think about it, that many of Vista's security
features--such as Microsoft Internet Explorer 7 Protected Mode, UAC, and
Address Space Layer Randomization (ASLR)--are ultimately designed to help
protect us from ourselves.
Security aside, Vista is nowhere near the shape it needs to be in at this
stage in the game. Thus, I'm recommending that Microsoft hold off on
releasing Vista until the product is really ready rather than releasing it
in October to meet an arbitrary release to manufacturing
(RTM) date. Microsoft, you can always grandfather in Software Assurance (SA)
customers who were counting on getting Vista licenses this year. Do the
right thing.
I've also written a tongue-in-cheek overview of my feelings about the
readiness of Vista in an article called Is Windows Vista Ready? You might
find it entertaining.
This article originally appeared in the August 8, 2006 issue of Windows IT
Pro UPDATE.
--Paul Thurrott
August 8, 2006
Hacking Windows Vista Revisited
In my original Hacking Windows Vista commentary (see above), I described
Joanna Rutkowska's efforts to bypass Windows Vista security during the Black
Hat USA 2006 conference, held recently in Las Vegas.
Her hack, called Blue Pill (ostensibly a reference to a scene from "The
Matrix"), used AMD's Pacifica virtualization technologies, plus a heaping
helping of the oldest hack of all time--human error--to work its magic.
Because of these last two points, a number of readers cried foul at my
attempts to label this event a valid Vista hack.
Microsoft, as you might expect, was quick to disagree as well.
In a posting on the Windows Vista Security blog, Austin Wilson, a director
in Microsoft's Windows Client Business Group, described the Blue Pill
demonstration as an example of why there is no "silver bullet" when it comes
to security. "It's very difficult to protect against an attacker that is
sitting at the console of your computer with an administrator command window
open," he wrote. "Both [demos that were shown] started by assuming that the
person trying to execute the code already had administrative privileges on
the computer ... She [demonstrated] a way for someone who has admin level
access to attempt to insert unsigned code into the kernel on the x64
versions of Windows Vista."
Wilson says that Microsoft is investigating whether Rutkowska's hack
requires the company to make any changes to Vista prior to launch.
But Wilson makes a good point: Vista is designed to ensure that users don't
typically have administrator-level access, so this sort of hack won't be
very common.
Fair enough. My point in publicizing the Black Hat episode wasn't so much to
point out that Vista was already successfully hacked, but rather to
emphasize that Vista, like Windows XP before it, will be a primary attack
vector for hackers because of its popularity. The question, of course, is
whether Vista will suffer from the same withering array of electronic
attacks that dogs XP today. The Black Hat episode is simply a warning that
the bad guys will be looking very closely at Vista indeed.
But there is more evidence that Vista won't be impervious to attack.
Last week, Microsoft actually released two critical security updates for
Vista Beta 2 and later. The software maker attempted to paint these releases
in a positive note, with Microsoft's Alex Heaton noting that "Windows Vista
is the first major Microsoft product release that will be serviced with
security updates throughout the beta process ... Of the seven critical
Windows updates released in August, only two (MS06-042 and MS06-051) also
affect Vista Beta 2 or later."
"Only" two? I mean no offense, but was that meant to be funny? If so, then
customers might also find it hilarious that Microsoft doesn't include
information about beta products in formal security bulletins.
Fortunately, you can find out a bit about them in the Microsoft article,
Available updates for Microsoft Windows Vista Beta 2, which highlights all
Vista updates that Microsoft has released since Beta 2.
My point here is simple: Although Vista is a huge step up from XP from a
security standpoint--honestly, an absolutely necessary and commendable
upgrade--it shouldn't be viewed as a panacea of any kind.
If this summer's handful of Vista critical security updates is any
indication, Microsoft's corporate customers will be justified in making a
slow, measured migration to Vista. Service Pack 1 (SP1) anyone?
J
Jeff
Edward,
No arguments about your education;or your opinion; just a comment;
you never really know if you are making more money than someone; unless you
personally know them
Could be Bill gates e-mail alias!! LOL
Jeff
No arguments about your education;or your opinion; just a comment;
you never really know if you are making more money than someone; unless you
personally know them
Could be Bill gates e-mail alias!! LOL
Jeff
Edward Ray said:
E
Edward Ray
Ray was closeJeff said:
C
Chaucer
If you don't like it no one is forcing to use it. Stop trolling.
Edward Ray said:
E
Edward Ray
I waited until RC1 to use it. No one is forcing me except my career andChaucer said:
customers who want an evalution for possible deployment. If I were trolling
I would say use OS X. Which I do for penetration testing.