Era of zero day attacks dawns

From now on, once an exploit is found you will be attacked straight away

Breaking into your computers, no, your entire IT systems, is big business. Organised crime is busy compromising systems for money — FBI estimates put the amount in the US alone at US$400 billion, a sum larger than the GDP of many countries.

With so much cash feeding cyber crime, the gloves are off. There are no more courtesies like warnings that give vendors and security specialists respite — from now on, once an exploit is found you will be attacked straight away. In American parlance, this is known as a “zero day attack” and you can expect it to become the norm rather than the exception.

The target with a bull’s eye painted on its bum is the market leader, Windows. In just two weeks, we have had the Vector Markup Language (VML) exploit and after that, the SetSlice hole.

In both cases, it’s fair to say that Microsoft was caught napping. VML was a failed attempt by Microsoft to set a standard, yet it decided to keep support for a feature that nobody actually uses in both Internet Explorer and Office. Microsoft has released a patch for the VML exploit, but not before many users’ computers were compromised.

SetSlice chews through a hole in the WebViewFolderIcon ActiveX control by overflowing an integer with a large negative number, and it’s being remotely exploited on a large scale at the moment. It works on Windows 2000, XP and Server 2004 — all Service Pack Levels.

A patch from Microsoft is expected out on October 10, but the SetSlice exploit was made public in July already. Over two months later, and Microsoft still hasn’t plugged a serious, remotely exploitable security hole that can be triggered by simply visiting the wrong website. This begs the question: is Microsoft able to keep up with the malware writers despite its commitment to security?

Signs are that while the Redmondians are now security-motivated, Microsoft is up against an army of of money-motivated criminals who will always be a few steps ahead of them. The forthcoming Vista operating system has a bundle of new security features that are said to harden it against attacks, but the analysts are already finding flaws in them.

For instance, researchers Sysdream in France have found that the address space layout randomisation (ASLR) feature in Vista, used to make it harder for malware writers to work out where data structures are located in RAM, is in fact predictable. Ali Rahbar of Sysdream worked out that Microsoft is only using five of eight possible bits of randomisation, providing a mere and easy to guess 32 possibilities instead of 256.

ASLR forms a cornerstone of Vista’s new security architecture, and it’s already being shown up as flawed. There is no time for Microsoft to sort this out either before manufacturing, because Vista is already testing partners and financial analysts’ patience thanks to excessive release delays.

In light of this, Microsoft’s decision to cordon off parts of Vista’s internals from security companies isn’t a good one. Microsoft’s record in security is flawed almost beyond redemption and there’s no reason to believe that Vista, Longhorn Server and other new products will be any more safe from attacks than past versions.

While Microsoft has a point in that its former partners and now direct competitors Symantec and McAfee both have commercial axes to grind, it would be better off focusing on improving its products, rather than trying to monopolise yet more markets.

Update Microsoft's senior director of security engineering, Matt Thomlinson, contacted Computerworld to point out that Sysdream's research produced incorrect results.

Ali Rahbar of Sysdream writes in a note to his paper:

"After working with Microsoft's security engineers on this topic this note has been added to reflect the changes that have been introduced in Vista's RC1 and the reason why the entropy was so low in my tests.

"Firstly I want to mention that in contrast to the 5472 build, stack randomisation is not activated by default in RC1 and you should link your program with /dynamicbase to activate it.

"Secondly, my analysis was based on the value EBP (Execution Breakpoint) at the creation of the process. On further inspection it turns out there is a second source of entropy. In the first stage of randomisation which is analysed in this article they [Microsoft] only use 32 values for randomisation. This is done to prevent excessive address space fragmentation. After that they [Microsoft] randomise ESP [sic]. This randomisation is processor dependent but on 32 bits processors they [Microsoft] have 9 bits of entropy, which, with the abovementioned f bits, gives us a total of 14 bits of entropy."

The 14 bits of entropy provides, Thomlinson says, 16,384 possibilities, not just 256.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about FBIMcAfee AustraliaMicrosoftSymantec

Show Comments