August 25, 2008, 1:43 PM — A New Zealand security researcher is exploring several scenarios in which Windows Vista could be attacked and warns more protection is needed for users.
Ben Hawkes presented his findings at the Black Hat conference, held in Las Vegas this month, and will also present them at the Kiwicon conference, to be held in Wellington in the end of September.
Hawkes' research has uncovered hacking techniques for attacking the Vista heap, which is a dynamic memory management component, used by every single application, from Microsoft Word to web applications, he says.
There is a type of bug in these applications called the memory corruption bug, he says. Historically, these bugs have been a fairly severe security problem because people could turn them into arbitrary code execution -- allowing attackers to run code, for example a back door or keylogger, says Hawkes.
Microsoft is trying to prevent malicious hackers from targeting memory corruption. When it introduced Windows Vista, it also introduced several security enhancements to the operating system, Hawkes says. But more protection is needed.
Hawkes was in touch with Microsoft two weeks before Black Hat, sending the company a copy of his slides and presentation called "Attacking the Vista heap."
"They were quite interested in my research and passed it around internally to a few select people," he says.
Hawkes got a little bit of feedback from the software giant, generally positive.
"I had a fairly good experience," he says.
He is not sure what Microsoft's next steps will be to deal with this issue.
"They may end up introducing some of the protection mechanisms I have suggested in my research," he says.
Hawkes says the kind of research he is performing does not pose an immediate threat; it does not present a vulnerability, he says. Rather, an attacker could use his research as a tool to leverage a vulnerability. It is more likely that his findings will become an issue six months down the track when researchers, and attackers, may find vulnerabilities where they can use the attack techniques, he says.
"Microsoft has this time to step back, use their threat models and work out the best way to deal with this problem," he says.
In his Black Hat presentation, Hawkes suggested that Microsoft should add technical measures to prevent potential use of the techniques he has demonstrated. This could be, for example, adding guard pages and guarded mappings, he says. These suggestions are fairly simple and cheap to implement, he says.
Hawkes' findings do not change procedures for IT managers and system administrators, he says, as long as they keep patching and mitigating attacks. It is more of interest to the technical crowd, who are creating the attacks and doing the vulnerability research that results in patches, he says.
There are very few people in the world doing cutting edge research in that particular area, he says. Hawkes and another New Zealander, Brett Moore, are among those researchers. Moore has done similar research on Windows Server 2003, Hawkes says.
