In-Depth
The Verdict on Vista Security: A Mixed Bag
Symantec Corp.’s Advanced Threat Research team reports that Windows Vista does deliver tangible security improvements—but Vista is still far from invulnerable.
Microsoft Corp. contends that Windows Vista is its most secure operating system to date. It’s a audacious claim, to be sure, but there just might be something to it, too. According to Symantec Corp.’s Advanced Threat Research (ATR) team, Windows Vista does deliver tangible security improvements—although Vista itself is still far from invulnerable, Symantec researchers stress.
Vista uses a number of technologies to help mitigate several classic attack vectors, such as generic exploits (e.g., by means of stack buffer overflows or structured exception handler overwrites); system integrity or DoS exploits (using privilege elevation, for example); and kernel integrity or DoS exploits (through poorly coded or malicious drivers). In the former category, Symantec researchers cite both developer-controlled and operating-system-wide improvements that, they say, successfully inhibit the exploitation of memory corruption and memory manipulation vulnerabilities.
“The technologies introduced in Windows Vista are very effective at protecting the core Windows operating system as well as Microsoft-compiled applications,” write Symantec ATR researchers in a new whitepaper.
Just how effective? Enough, according to the ATR team, to have effectually slammed the door on Code Red, Code Blue, SQL Slammer, and other infamous worms: “They serve to make the exploitation of traditional vulnerabilities infeasible, including those leveraged by well-known widespread worms observed earlier this decade. As a result, the overall impact of some code-level flaws, even when introduced by a Microsoft software engineer, is greatly diminished.”
In addition, the Symantec team cites a number of developer-controlled Vista niceties, including pointer obfuscation, GS, Safe Structured Exception Handlers (SafeSEH), Address Space Layout Randomization (ASLR), and Terminate on Heap Corruption. To a degree, researchers acknowledge, these enhancements also help protect Windows Vista against attack from without.
At the same time, however, they all have a single Achilles heel. “One barrier to the success of these technologies is the requirement for third-party software vendors to explicitly leverage them. Software engineers must utilize the latest version of Microsoft’s development tools in a specific manner,” the Symantec researchers write. “Only by doing so can they enable the functionality that is designed to inhibit or minimize the impact of the different exploitation techniques.”
In most cases, existing applications must be recompiled to exploit Vista niceties such as User Account Control (UAC) or Mandatory Integrity Control (MIC). In other cases, developers must make actual changes to their source code to take advantage of certain features—such as pointer obfuscation.
A case in point occurred just last month, when security researcher Core Security Technologies claimed that flaws in third-party software could allow attackers to take complete control over compromised Vista systems (see (http://entmag.com/news/article.asp?EditorialsID=8212). Core’s proof-of-concept involved several pre-Vista versions of backup software from Computer Associates International Inc. (CA).
The point, said Russ Cooper, director of publishing with security specialist CyberTrust, is that pre-Vista software can't take advantage of security niceties such as UAC or Vista's Mandatory Integrity Confirmation (MIC) routines. “Vista is built so that services that need to have elevated privileges don't run constantly with those elevated privileges," Cooper noted at the time. "If it was written properly for Vista—as opposed to a [case where a] researcher, for example, upgrades Windows XP to Vista and then says 'Look, the [ARCserve] software still runs!'—it shouldn't pose a significant problem.”
Security Inconsistency
The issue is muddied still further by Vista’s own inconsistency in this regard. In some cases, Symantec researchers note, even core Windows Vista components fail to properly exploit its built-in security enhancements. The reason for this, they say, is that a small percentage of the 32-bit edition of Windows Vista wasn’t compiled using Visual Studio 2005’s GS technology.
“The reason for the exclusion of these applications from the protection afforded by this technology is unclear. It is acknowledged that these components pose a greater risk than those that are protected,” the researchers write. “Consequently, these components of Windows Vista are not protected against the aforementioned class of memory corruption and memory manipulation vulnerabilities. While the exposure to risk resulting from this circumstance is low, it does serve to increase the potential attack surface for Windows Vista. Symantec expects attackers to identify these vulnerable points and investigate their potential.”
Operating-system-wide enhancements—such as SafeSEH, ASLR, and terminate on heap corruption—likewise require support from third-party software developers. Other enhancements, such as the heap manager improvement, are either applied by default to Vista as a whole, or—in the case of DEP (which was first introduced in Windows XP SP 2)—enabled only for core Vista components.
While a technology like ASLR can provide critical protection against some of today’s most common attack vectors, Symantec’s ATR team says its Randomization routine isn’t quite random.
“The purpose of this technology is to randomly locate programs in memory and, by doing so, enhance security,” the Symantec team writes. The reasoning behind ASLR is that if an attacker doesn’t know precisely what to target (and the location of that target) during the exploitation of a vulnerable program, he’ll be less likely to successfully trigger memory corruption or memory manipulation vulnerabilities.
That’s the reasoning, anyway. In practice, Symantec found, ASLR doesn’t quite live up to the hype: “[O]ne of the randomized components was not randomized consistently, resulting in a reduced degree of randomness in the layout of an application’s memory. While ASLR continues to be effective, this reduction does increase the likelihood that an attacker can guess the correct address to target.”
For the record, Symantec reports, Microsoft has confirmed its findings and plans to ship a fix for this issue with Windows Vista SP1.
A Mixed Bag at the Kernel Level
Microsoft’s kernel integrity technologies—namely, driver signing, Code Integrity, and PatchGuard—are also something of a mixed bag.
For one thing, Symantec researchers note, only the 64-bit version of Vista can actually benefit from these technologies. Secondly, PatchGuard, which is designed to protect key operating system structures, will almost certainly be circumvented at some point by enterprising hackers. Symantec researchers claim the same can be said about all three new kernel improvements.
“[H]ackers can and will subvert PatchGuard. The kernel integrity protection mechanisms that are present on 64-bit Windows Vista can only be described as a bump in the road,” they write. In other words, such technologies may initially stymie an intruder, but they won’t thwart a determined attacker. “Symantec researchers … [found] that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort. A potential victim need make only one mistake to become infected by a threat that does the same.”
Symantec researchers also tested Vista’s system integrity and user-mode defenses. The latter category includes both UAC and MIC, two highly touted Vista security enhancements. To a real degree, the ATR team concludes, Vista’s user-mode niceties really do deliver the goods.
“The implementation of these protections achieves many of the security goals that Microsoft had envisioned. Despite this increased protection, however, several risks continue to exist,” they write. At least one of these risks should seem awfully familiar—at least to Internet Explorer users: “[T]he lack of information provided by the many dialog boxes and prompts that appear during normal operating system use … [could] lead to indifference on the part of the user when presented with these prompts.”
More to the point, Symantec researchers write, not even Microsoft believes UAC constitute an effective “security boundary.” “[Microsoft] acknowledge[s] that there are methods to bypass these protections and do not consider these to be security issues. Microsoft actually states that this is the case in their consumer best practice guidance,” the team writes. “It’s very important to remember that UAC prompts are not a security boundary—they don’t offer direct protection. They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back.”
Elsewhere, Symantec finds that some Vista-native executables undermine UAC’s support for digital signatures. For example, researchers were able to execute an unsigned arbitrary library—even though they were presented with a dialog box which implied they were launching Microsoft-authored code.
Old Boss, Meet New Boss
In the final analysis, Symantec researchers say, Windows Vista is an evolutionary, not a revolutionary, release.
For one thing, they stress, many of its most exemplary security niceties aren’t even Vista-native enhancements: driver signing, SafeSEH, DEP, pointer obfuscation, PatchGuard, UAC, code signing, Windows Defender, and Windows Update all shipped with Windows XP, Windows XP SP2, or Windows XP 64-bit edition. Furthermore, support for Socket ACLs was introduced on Windows Server 2003 SP1.
“The inclusion of these technologies in … Windows XP and Windows Server 2003 … has already resulted in a decline in the number of attacks that focused on core operating system components,” the ATR team cautions. “As a result, Symantec has seen an increase in the number of attacks that focus on the applications that run on top of the operating system, such as office productivity suites and Web browsers. While Microsoft has invested heavily in protecting the core operating system, attackers have already moved on.”
Nor is Vista itself invulnerable to the vast profusion of existing hacks. Symantec researchers tested Vista against legacy malicious code and found that three percent of backdoor; four percent of keylogger and mass mailer; and two percent of Trojan, spyware, and adware applications were able to successfully execute and survive a Vista restart. That doesn’t bode well for Vista’s long-term impregnability, they caution.
“Symantec believes that these percentages would increase dramatically with only minor code changes to make these threats Windows Vista-aware, in turn allowing them to run successfully within the new Windows Vista security model,” the research team indicated.
Vista was much more resistant to malware on the kernel level: no existing kernel-based rootkits managed to successfully install themselves, for one thing. “This can be attributed to the fact that a reduced set of privileges are used to run user applications by default. On 32-bit Windows Vista, a threat can penetrate the Windows Vista kernel unimpeded … if it is able to elevate its privilege level to that of full administrator,” researchers conclude. To do so, however, an attacker must first circumvent Vista’s UAC watchdog—although techniques do exist to do just that, the Symantec ATR team acknowledges.