Are Windows Vista security features up to par?

Are Windows Vista security features up to par?

A reader recently asked platform security expert Michael Cobb, "Do the methods recently discovered to bypass Windows Vista memory protections reflect a lack of security in Vista, or an inability for any operating system to be completely safe?" Below, Michael Cobb explains what may be another question worth asking:

The Windows Vista operating system certainly doesn't lack security. In fact, it has bundles of new security features. When Vista was released, former Microsoft co-president Jim Allchin even told the press that the No. 1 reason for upgrading to Vista is that it's far more secure than previous versions of Windows operating systems.

With Vista, Microsoft has looked to develop a set of layered mitigations to provide defense-in-depth protection -- making it a more secure operating system than its predecessors. New security features include: User Account Control, BitLocker Drive Encryption, Data Execution Prevention, Network Access Protection and Windows Service Hardening, to name a few. So, again, Vista certainly doesn't lack security. Maybe in light of the recent

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

research presented at the Black Hat USA 2008 security conference by Mark Dowd and Alexander Sotirov, the question should be "Is Vista's security up to par?"

Dowd and Sotirov demonstrated techniques to bypass the memory protection safeguards in the Vista operating system by exploiting flaws in a browser application. The demo led to some dramatic headlines about how effective the Vista security upgrade is, particularly as the attacks are not based on any new or specific vulnerabilities in either Internet Explorer or Vista, but instead are a way of defeating the security mechanisms put in place to protect the operating system. Let's look at the attack in a little more detail to see if we can answer the second part of the question regarding an operating system ever being completely safe.

More on Windows security

Contibutor Davey Winder offers his best tips and tricks for securing Windows in the enterprise.
In Windows XP SP2, a set of hardware and software technologies called Data Execution Protection (DEP) was introduced. DEP performs additional checks on memory to help prevent malicious code from running from a non-executable memory region. With DEP enabled, each block of memory in a process must be explicitly marked "executable" before the processor can run any instructions stored in that block. The primary aim of DEP is to prevent an easy exploitation of memory-corruption attacks, such as buffer overflows. Hackers, however, discovered that by passing control not to their own executable code, but instead to one of the system DLLs loaded into the process, DEP protection could be circumvented. In Vista, DEP has been reinforced by the introduction of ASLR, or Address Space Layout Randomization. ASLR loads system files at random addresses in memory to make it harder for malicious code to know where privileged system functions are located.

What Dowd and Sotirov have shown is different techniques for bypassing DEP and ASLR. One technique is to use a plug-in to fill large amounts of memory with the malicious executable code so the attacker can still be sure that the malicious code is where he or she needs it to be, despite the presence of ASLR. This hole can easily be fixed and is ineffective on a 64-bit system.

In my mind, the primary issue is that Vista's protections are not always "active." To start, not all applications are DEP-compliant. Internet Explorer 7 and Firefox 2 actually opt out of DEP, while many third-party libraries such as the Flash plug-in opt out of ASLR. Java is another problem altogether, as it marks all of its memory as executable, meaning that a Java applet can place into memory executable code that's immune to DEP protection. Also, a large proportion of the software that we run still doesn't use "safe" programming languages, such as Java and .NET, which prevent buffer overflows.

The conclusion I draw from this is that it is virtually impossible to build a completely safe operating system that accommodates literally hundreds of thousands of different programs, scripts, applets, etc., written by many different vendors whose developers may be good or average. Take browser applications, for example. The architecture of browsers means that all code runs in the same process, providing no isolation between different components. This can lead to holes in memory protections and the plug-in architecture. An operating system cannot stop such problems -- research points to ways around ALSR and DEP on all OSes -- but it can make it less likely to execute malicious code.

If you have an OS running on a locked-down box, isolated in a secure room with no network connections, and it is running a single application, then most of today's OSes can be considered secure. But most OSes don't operate in that environment. Security protection in Vista perhaps isn't as comprehensive as was first thought, and is unlikely to ever be unbreakable, but the layers of protection used in Vista are still effective at mitigating many attacks and preventing the exploitation of vulnerabilities in server processes.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

This was first published in February 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top