Security pros completely bypass Vista's now "useless" security

About all those fancy security measures Microsoft put into Windows Vista... well, they're now pretty much useless, according to security experts from IBM and VMware presenting a new attack methodology at this week's Black Hat security conference.

The details of the latest attack are complicated to explain, but they essentially outline ways to use .NET, Java, and Microsoft's ActiveX system to bypass Vista's security via a web browser. Any browser can be used, but Internet Explorer makes the security bypass even easier, letting an attacker insert data into a running machine at any place he chooses. The researchers note that the attack doesn't exploit any new vulnerability in Vista but rather takes advantage of the architecture of the OS and the way Windows tends to trust code fragments. In broad terms, if one component of Windows trusts a piece of code, for example, and passes it on to another component, then that second component will often automatically trust the code too, and so on. Browsers are increasingly being seen as the easiest "way in" for malware.

While this initial round of attacks focuses on Vista, the potential exists for a similar exploits to be fashioned against other operating systems, too, both older versions of Windows and even non-Microsoft OSes.

The full paper outlining the security risk is available here, but as I write this the site is offline due to heavy traffic.

It's important to note that this is a brand new exploit and has not yet been taken advantage of by any real world attack. The best advice until Microsoft responds is to make sure your standard antivirus and antispyware software is up to date and active: Third-party security systems should still be able to detect malicious code through traditional scanning means.

LINK: Windows Vista security 'rendered useless' by researchers