As we told you last week, Microsoft rolled out two new security programs, Microsoft Active Protections Program and Microsoft Exploitability Index, during the Black Hat USA 2008 Conference. Unfortunately for Microsoft, the same conference saw a presentation by security experts Mark Dowd and Alexander Sotirov that renders these and other protections for Windows Vista, including its much-touted Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP) features, effectively null and void.
How did they do it? The full presentation (available here in PDF format) is quite technical, but here's the short version. according to SC Magazine:
In explaining the problem, the researchers said that most memory protection mechanisms are based on two things: detecting corruption and stopping common exploit patterns, and attempts to reinforce these are integral to Vista. But in many cases, some of the built-in protection mechanisms in Vista are not enabled by default for compatibility reasons.
“At the desktop level, compromises had to be made because of compatibility issues. Exploiters have a lot more control over browsers,” Sotirov said.
And in many cases, third-party applications are not compiled to use the Vista memory protections. For example, Java and Flash are not compiled using the critical protection called ASLR.
What can be done? My take: Microsoft needs to rethink the balance of compatibility versus protection, do a better job of informing users of what's protected and what's not, and get third-party application vendors to take advantage of the protection features in Vista. What about ordinary users like us? Watch out for compromised legitimate websites, and, as always, as our own Will Smith says, think before you click.
What's your take on Vista and other browser security issues? See us after the jump for your chance to sound off.
MAPP provides advance notification to third-party security providers of vulnerabilities that are being addressed by Microsoft security updates, such as the ones rolled out each month on "Patch Tuesday." MAPP is designed to help stop exploits that are launched between the announcement of upcoming patches and the availability of patches. MAPP starts in October, according to eWeek.
Security providers can learn more about MAPP by downloading the fact sheet (MS Word 97-2003 format). For additional insight from a former military and government security specialist who now works for Microsoft, see Steve Adegbite's blog entry about MAPP.
The Microsoft Exploitability Index will provide ratings of how likely each vulnerability is to being successfully exploited. The index will rate each vulnerability at one of three levels:
Consistent exploit code likely
Inconsistent exploit code likely
Functioning exploit code unlikely
Microsoft's fact sheet suggests (MS Word 97-2003 format) that vulnerabilities with the "Consistent" rating should be treated as the most serious threats, followed by the others. To get more insight into the need for this index, see Microsoftie Mike Reavey's blog entry (Reavey is part of the Microsoft Security Response Center). The index will be included with each new security bulletin, also starting in October.
For your chance to sound off about Microsoft's newest security initiatives, see us after the jump.