Are Windows Vista security features up to par?


Michael Cobb, Contributor
02.05.2009


Security UK Tips and Expert Advice


A reader recently asked platform security expert Michael Cobb, "Do the methods recently discovered to bypass Windows Vista memory protections reflect a lack of security in Vista, or an inability for any operating system to be completely safe?" Below, Michael Cobb explains what may be another question worth asking:

The Windows Vista operating system certainly doesn't lack security. In fact, it has bundles of new security features. When Vista was released, former Microsoft co-president Jim Allchin even told the press that the No. 1 reason for upgrading to Vista is that it's far more secure than previous versions of Windows operating systems.

With Vista, Microsoft has looked to develop a set of layered mitigations to provide defense-in-depth protection -- making it a more secure operating system than its predecessors. New security features include: User Account Control, BitLocker Drive Encryption, Data Execution Prevention, Network Access Protection and Windows Service Hardening, to name a few. So, again, Vista certainly doesn't lack security. Maybe in light of the recent research presented at the Black Hat USA 2008 security conference by Mark Dowd and Alexander Sotirov, the question should be "Is Vista's security up to par?"

Dowd and Sotirov demonstrated techniques to bypass the memory protection safeguards in the Vista operating system by exploiting flaws in a browser application. The demo led to some dramatic headlines questioning how effective Vista's security upgrades really are, particularly as the attacks do not rely on any new or specific vulnerabilities in either Internet Explorer or Vista, but are instead a way of defeating the security mechanisms put in place to protect the operating system. Let's look at the attack in a little more detail to see if we can answer the second part of the question regarding whether an operating system can ever be completely safe.

In Windows XP SP2, a set of hardware and software technologies called Data Execution Prevention (DEP) was introduced. DEP performs additional checks on memory to help prevent malicious code from running from a non-executable memory region. With DEP enabled, each block of memory in a process must be explicitly marked "executable" before the processor can run any instructions stored in that block. The primary aim of DEP is to prevent easy exploitation of memory-corruption bugs, such as buffer overflows. Attackers, however, discovered that by passing control not to their own injected code but instead to code in one of the system DLLs already loaded into the process, DEP could be circumvented. In Vista, DEP has been reinforced by the introduction of ASLR, or Address Space Layout Randomization. ASLR loads system files at random addresses in memory to make it harder for malicious code to know where privileged system functions are located.

What Dowd and Sotirov showed are several different techniques for bypassing DEP and ASLR. One technique is to use a plug-in to fill large amounts of memory with the malicious executable code, so that the attacker can still be sure the malicious code is where he or she needs it to be, despite the presence of ASLR. This hole can easily be fixed and is ineffective on a 64-bit system.

To my mind, the primary issue is that Vista's protections are not always "active." To start with, not all applications are DEP-compliant. Internet Explorer 7 and Firefox 2 actually opt out of DEP, while many third-party libraries, such as the Flash plug-in, opt out of ASLR. Java is another problem altogether, as it marks all of its memory as executable, meaning that a Java applet can place executable code into memory that is immune to DEP protection. Also, a large proportion of the software we run still isn't written in "safe" programming languages, such as Java and .NET, which prevent buffer overflows.
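Whether DEP and ASLR are "active" for a given image, as the two paragraphs above discuss, is decided per executable and per DLL by two bits in the PE optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR). The following script is an added example, not code from the article or from Microsoft: it parses those flags from a PE header so an administrator can audit which installed programs and plug-ins have opted out. The `build_header` helper constructs a minimal, non-loadable header purely so the parser can be exercised offline; the function names are assumptions of this example.

```python
"""Audit a Windows PE image for DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-in.

Added example: reads the DllCharacteristics field of the PE optional header,
which is where an executable or DLL declares whether it is compatible with
DEP and whether it may be relocated (and therefore randomised) by ASLR.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100      # image declares itself compatible with DEP/NX

PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header


def pe_mitigations(data: bytes) -> dict:
    """Return which of DEP and ASLR the image opts into, read from its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20                                     # optional header follows COFF
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, optional + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
    }


def build_header(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header for testing (constructed sample, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       size_of_optional, 0x0002)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def audit(paths):
    """Map each path to its mitigation flags; images that opt out are the ones to follow up."""
    findings = {}
    for path in paths:
        with open(path, "rb") as f:
            findings[path] = pe_mitigations(f.read())
    return findings


if __name__ == "__main__":
    # Usage: python pe_mitigations.py C:\path\to\app.exe C:\path\to\plugin.dll
    for path, m in audit(sys.argv[1:]).items():
        arch = "PE32+" if m["pe32plus"] else "PE32"
        print(f"{path}: {arch} DEP={'yes' if m['dep'] else 'NO'} "
              f"ASLR={'yes' if m['aslr'] else 'NO'}")
```

An image reporting `DEP=NO` is exactly the case the article describes: on Vista with the default "OptIn" DEP policy, such a process runs without NX protection, and any DLL reporting `ASLR=NO` is loaded at its preferred base address and so becomes a fixed, predictable target inside an otherwise randomised process. A system-wide "AlwaysOn" DEP policy overrides the NX_COMPAT bit, but nothing overrides a missing DYNAMIC_BASE at the image level, so the ASLR column is the one worth chasing with vendors.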

The conclusion I draw from this is that it is virtually impossible to build a completely safe operating system that accommodates literally hundreds of thousands of different programs, scripts, applets, etc., written by many different vendors whose developers may be good or merely average. Take browser applications, for example. The architecture of browsers means that all code runs in the same process, providing no isolation between different components. This, combined with the plug-in architecture, can lead to holes in memory protections. An operating system cannot stop such problems -- research points to ways around ASLR and DEP on all OSes -- but it can make it less likely that malicious code will execute.

If you have an OS running on a locked-down box, isolated in a secure room with no network connections, and it is running a single application, then most of today's OSes can be considered secure. But most OSes don't operate in that environment. Security protection in Vista perhaps isn't as comprehensive as was first thought, and is unlikely to ever be unbreakable, but the layers of protection used in Vista are still effective at mitigating many attacks and preventing the exploitation of vulnerabilities in server processes.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
