Security pros completely bypass Vista's now "useless" security
Sat Aug 9, 2008 7:53PM EDT
See Comments (8)
About all those fancy security measures Microsoft put into Windows Vista... well, they're now pretty much useless, according to security experts from IBM and VMware presenting a new attack methodology at this week's Black Hat security conference.
The details of the latest attack are complicated to explain, but they essentially outline ways to use .NET, Java, and Microsoft's ActiveX system to bypass Vista's security via a web browser. Any browser can be used, but Internet Explorer makes the security bypass even easier, letting an attacker insert data into a running machine at any place he chooses. The researchers note that the attack doesn't exploit any new vulnerability in Vista but rather takes advantage of the architecture of the OS and the way Windows tends to trust code fragments. In broad terms, if one component of Windows trusts a piece of code, for example, and passes it on to another component, then that second component will often automatically trust the code too, and so on. Browsers are increasingly being seen as the easiest "way in" for malware.
While this initial round of attacks focuses on Vista, the potential exists for a similar exploits to be fashioned against other operating systems, too, both older versions of Windows and even non-Microsoft OSes.
The full paper outlining the security risk is available here, but as I write this the site is offline due to heavy traffic.
It's important to note that this is a brand new exploit and has not yet been taken advantage of by any real world attack. The best advice until Microsoft responds is to make sure your standard antivirus and antispyware software is up to date and active: Third-party security systems should still be able to detect malicious code through traditional scanning means.
LINK: Windows Vista security 'rendered useless' by researchers
Top 5 Posts
More About Windows Vista
Comments on Security pros completely bypass Vista's now "useless" security
Post a Comment
Join in the discussion. Here you'll see the comments in the order they were posted.
-
2 Posted by rogueist on Thu Sep 3, 2009 8:49PM EDT Report Abuse
LOL, doing this isnt even new. This has been do-able every since Windows 95 and using ActiveX with IE. It's only become EASIER to do with the total integration that Microsoft likes to do between the OS and it's own programs - so it is no wonder that you can do it with .NET and Java and ActiveX. When a "program" is actually an extension of the base OS itself, there is no way it can be secure.
-
3 Posted by cnull on Thu Sep 3, 2009 3:27PM EDT Report Abuse
@alexgannis - Yes, Windows Vista can use Java. But the exploit isn't limited to Java, it's just one way in.
-
4 Posted by vanmo92 on Thu Sep 3, 2009 10:31PM EDT Report Abuse
Get a Mac, then you RARELY (if ever) need to worry about this crap.
-
5 Posted by alan_r_cam on Thu Sep 3, 2009 2:49PM EDT Report Abuse
If the Mac runs Java, then it should be susceptible...
Sponsored Links
My Tech
Please enable your browser's cookies to activate the My Tech column.
Also on Yahoo! Tech
| Computers | Home Office | Wi-Fi & Networking | Phones & PDAs | Cameras & Camcorders | TV & Home Theater | Portable Audio |
|---|---|---|---|---|---|---|
1 Posted by alexgannis on Thu Sep 3, 2009 2:50PM EDT Report Abuse
Window Vista was never intented to take over security software, It just another flaw report just to make window vista look bad and oh by the way window vista doesn't use java since microsoft stop supporting it. Everone knows you need security software no matter what OS is on your machine and even security software aren't 100% so stop the window vista bashing it getting old.