In what seems to be a sensational / tabloid article inspirationally named Vista's Security Rendered Completely Useless by New Exploit, Neowin reports that "this week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System."
Whether you should you start worrying about your Vista system remains to be seen, but as presented the techniques "are being seen as an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks".
Update - As Ars Technica mentions in a very interesting article The sky isn't falling: a look at a new Vista security bypass, "Sensationalism sells, and there's no news like bad news, but sometimes—particularly when covering security issues—it would be nice to see accuracy and level-headedness instead. Alarmism helps no one". They add that "Even with the attacks described in the paper, Vista has many worthwhile security improvements compared to XP. Internet Explorer on Vista runs in a highly restricted environment, so that even when it is running malicious code it cannot harm the system. Stories suggesting that Vista's security is now irredeemably broken are far off the mark; the truth is merely that some of its automatic security protection is less effective than it was before".
Recent comments
14 years 14 weeks ago
14 years 14 weeks ago
14 years 14 weeks ago
14 years 14 weeks ago
14 years 15 weeks ago
14 years 32 weeks ago
16 years 4 weeks ago
16 years 5 weeks ago
16 years 21 weeks ago
16 years 21 weeks ago