Home page logo

bugtraq logo Bugtraq mailing list archives

RE: [funsec] Microsoft's Real Test with Vista is Vulnerabilities
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Wed, 28 Jun 2006 06:00:45 -0400

Just to be clear Joanna says
"I would like to make it clear, that the Blue Pill technology does not rely
on any bug of the underlying operating system. I have implemented a working
prototype for Vista x64, but I see no reasons why it should not be possible
to port it to other operating systems, like Linux or BSD which can be run on
x64 platform." 

It seems to abuse AMD's SVM/Pacifica feature.

Larry Seltzer
eWEEK.com Security Center Editor
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of thomas48
Sent: Tuesday, June 27, 2006 11:30 PM
To: Gadi Evron
Cc: funsec () linuxbox org; full-disclosure () lists grok org uk;
bugtraq () securityfocus com
Subject: Re: [funsec] Microsoft's Real Test with Vista is Vulnerabilities


Joanna Rutkowska has already found a way to subvert the Vista kernel and
injecting arbitrary code into it. Guess what? no implementation bug and no
system reboot required. she will be presenting her finding in
SyScan'06 (www.syscan.org)

Gadi Evron wrote:

Vista, the solution to all our problems: Microsoft portrays Vista as 
anything from the end of software vulnerabilities to the end of spyware.

In my opinion, that is irrelevant as both problems are not going to go 
away. They are part of how software systems and the Internet work, and 
that's that. The Bad Guys with their ROI won't give up that easily.
What is going to happen though is that creating and exploiting these 
would become more difficult.

*Vista is not the Holy Grail or some "silver bullet". It is a test for 
Microsoft. It will be a clear indication of how far Microsoft has 
advanced in the realm of developing secure software, if at all*.

How so...?

In the past I posted claims that stated Microsoft has advanced 
considerably in recent years, and today, it has become very difficult 
to find vulnerabilities in Microsoft products. Naturally this doesn't 
apply to Internet Explorer. :)

Their code is very professional and heavily reviewed. Unless you spend 
significant resources and time on the task, you are not likely to find 
even Denial of Service vulnerabilities, not to mention Code Execution 
vulnerabilities in their code.

When you do find one, the vulnerability will most likely be a logical 
flaw. Microsoft has no problem committing incredible resources to code 

However, we need to take into account the Excel case:
Last December Noam wrote of eBay bids on an Excel 0day vulnerability, 
which later on were also announced on the Full-disclosure mailing list.
The issue of bidding for exploits on eBay lead to a heated discussion 
and many blog entries.

In the coming months after that, Microsoft announced in it's monthly 
security patches release (Patch Tuesday a.k.a. Black Tuesday) several 
Excel vulnerabilities.

In this last month, it happened again.

Then the first (but not last!) of the Excel 0days was disclosed. Here 
is what Juha had to say about it.

What does this mean, and how does this work with what every decent 
reverse engineer will tell you: Microsoft's code is very professional.

The answer is divided into two:
1. QA.
2. Untouched code-base.

Microsoft is basically using legacy code that has been reviewed and 
attacked countless times by countless people since Windows NT if not, 
in some cases Windows 3.1 (gdi32.dll anyone?).

Is it any wonder new vulnerabilities are so difficult to come by? 
Everyone in the industry has been trying for, at the very least, over a 
decade. We can't tell if their code is that good due to their ability.

Excel on the other hand is code-base which didn't in the past receive 
that same kind of scrutiny very often. When the kiddie on 
Full-disclosure and eBay issued his challenge, what happened was that 
many people started aiming at Excel.

Much like it often happens with vendor advisories with little to no 
details, new vulnerabilities were found other than the one the kiddie 
(whoever or whatever he really was) supposedly found.

Several patch releases with official bullet-ins, several 0days... fun, 
ain't it? Not related you say? Maybe.

So.. yes. Microsoft's code is very professional, but we can't really 
rank their ability on it due to the immense efforts by everyone outside 
of Microsoft to do their QA for them.

When Vista comes out, regardless of all the cute security features it 
will have. some of which will raise the bar for security researchers, 
*WILL* have vulnerabilities.. and not too long after the release.

The amount of vulnerabilities and their complexity will tell us more of 
Microsoft's real ability with security today, than anything else.

Microsoft can claim Vista is the Holy Grail all they like, and indeed, 
some of these security features are intriguing... in my opinion though, 
the real question is what Vista will show us:
1. It's a new untested code-base out for play.
2. Microsoft supposedly learned a thing or two since Windows 95.

Your guess is as good as mine and the results of this test will be very 

      Gadi Evron.

Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.


Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]