March 04, 2010, 2:02 PM — Honest to God I don't go around trying to pick on Windows for its security problems, but the hackers keep finding new ways to break into it. And, this time, they've found a doozie. Berend-Jan Wever, aka "Skylined," a Google security software engineer has busted DEP (data execution prevention), one of the few significant security improvements Microsoft has made to Windows.
DEP, which was added to Windows back in August 2004 in XP SP2. It addressed the very common hacking technique of buffer overflows. In a buffer overflow attack, a malicious program tries to overwrite the buffer, the amount of memory a program has been allocated for running its code in. By so doing, a buffer overflow overwrites memory that may or may not have been allocated to other programs. In either case, it can then use this overwritten memory for its own purposes. Usually this means running malware or even taking over the computer itself.
While this problem isn't unique to Windows, it can happen to almost any operating system without strict memory management controls, even with DEP, Windows has been prone to such attacks. Now, though, with DEP busted, it's become even easier for a buffer attack to strike home.
DEP works, or I guess I should say 'worked' now, by working with the CPU to mark all memory locations in a process as non-executable unless it explicitly contained executable code. That way, even if there was a buffer overflow, the malicious code couldn't run in whatever memory it happened to find itself.
Unfortunately, Wever, using a variation of a hacking technique he helped perfect called heap-spraying has busted DEP. In heap-spraying, the attack code made an educated guess at where vulnerable memory that could be used to execute unapproved programs could be found. In Wever's latest trick, the attacking code looks for clues on where to find memory that's allowed by DEP to run programs. Once armed with this information, the attack code can then successfully plant itself in the system.
While the attack code isn't ready to go for any script-kiddie, as Wever himself points out, he has given enough information on how to defeat DEP that it's only a matter of time before a competent cracker uses the code to start enabling new attacks.
While Wever doesn't say that this technique can be used to defeat Microsoft's other significant security improvement in recent years, ASLR (address space layout randomization). But, it seems pretty clear to me that this kind of attack could be improved upon and then used to do exactly that. ASLR, which is used in other operating systems such as Linux and has been in Windows since SP2, works by randomizing where program's executable code is ran in memory. This way a hacker can't make an attack by simply assuming that any given program will live in a particular chunk of memory.
Wever wrote, "I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms. 32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location. "
In short, if you're running 32-bit Windows of any sort-XP, Vista, 7, Server 2008-you can look 'forward' to being even more vulnerable to attacks. Have I mentioned lately that I tend to do most of my desktop computing with Linux? Well, I am. This exploit opens up a new and huge hole in Windows' already vulnerable defenses.
