The Windows Vista operating system certainly doesn't lack security. In fact, it has bundles of new security features. When Vista was released, former Microsoft co-president Jim Allchin even told the press that the No. 1 reason for upgrading to Vista is that it's far more secure than previous versions of Windows operating systems.
Dowd and Sotirov demonstrated techniques to bypass the memory protection safeguards in the Vista operating system by exploiting flaws in a browser application. The demo led to some dramatic headlines about how effective Vista's security upgrades really are, particularly because the attacks do not rely on any new or specific vulnerability in either Internet Explorer or Vista, but are instead a way of defeating the security mechanisms put in place to protect the operating system. Let's look at the attack in a little more detail to see if we can answer the second part of the question, namely whether an operating system can ever be completely safe.
In Windows XP SP2, a set of hardware and software technologies called Data Execution Prevention (DEP) was introduced. DEP performs additional checks on memory to help prevent malicious code from running from a non-executable memory region. With DEP enabled, each block of memory in a process must be explicitly marked "executable" before the processor can run any instructions stored in that block. The primary aim of DEP is to prevent easy exploitation of memory-corruption bugs such as buffer overflows. Attackers, however, discovered that DEP could be circumvented by passing control not to their own injected code, but instead to existing code in one of the system DLLs already loaded into the process. In Vista, DEP has been reinforced by the introduction of ASLR, or Address Space Layout Randomization. ASLR loads system files at random addresses in memory, making it harder for malicious code to know where the system functions it wants to reuse are located.
In my mind, the primary issue is that Vista's protections are not always "active." To start, not all applications are DEP-compliant. Internet Explorer 7 and Firefox 2 actually opt out of DEP, while many third-party libraries such as the Flash plug-in opt out of ASLR. Java is another problem altogether, as it marks all of its memory as executable, meaning that a Java applet can place into memory executable code that's immune to DEP protection. Also, a large proportion of the software that we run still doesn't use "safe" programming languages, such as Java and .NET, which prevent buffer overflows.
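Whether a given executable or plug-in DLL has opted in to DEP and ASLR is recorded in its PE header, in the DllCharacteristics field of the optional header (the NX_COMPAT and DYNAMIC_BASE flags set by the linker). The following script is an added example, not code from the original article; it parses that field with only the Python standard library so an administrator can audit the modules on a box. The `build_minimal_pe` helper constructs header-only sample images for demonstration and is not a real file from any vendor.

```python
"""Report DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-in flags from a PE image.

Added example: reads DllCharacteristics from the PE optional header.
Offsets and flag values follow the PE/COFF specification.
"""
import struct
import sys
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is compatible with DEP
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers.
DLLCHARACTERISTICS_OFFSET = 70


def dll_characteristics(data: bytes) -> int:
    """Return the 16-bit DllCharacteristics value of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (chars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return chars


def mitigation_report(data: bytes) -> dict:
    """Summarise which of the two mitigations the image opts in to."""
    chars = dll_characteristics(data)
    return {
        "dep_nx_compat": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_dynamic_base": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_minimal_pe(characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image, enough for the parser above."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96       # optional header with no data directories
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_directory(directory: str) -> list:
    """Scan *.exe and *.dll files under a directory; returns (path, report) pairs."""
    results = []
    for path in sorted(Path(directory).rglob("*")):
        if path.suffix.lower() in (".exe", ".dll") and path.is_file():
            try:
                results.append((str(path), mitigation_report(path.read_bytes())))
            except ValueError as exc:
                results.append((str(path), {"error": str(exc)}))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, report in audit_directory(sys.argv[1]):
            print(name, report)
    else:
        # No directory given: show the constructed samples instead.
        both = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        print("opted in to both:", mitigation_report(build_minimal_pe(both)))
        print("opted out of both:", mitigation_report(build_minimal_pe(0, pe32plus=True)))
```

A module that reports `dep_nx_compat: False` behaves like the browsers described above: when it is the main executable, the process runs with DEP off under the default opt-in policy; a DLL reporting `aslr_dynamic_base: False` is loaded at its preferred base address and gives an attacker a fixed set of code to reuse, which is exactly the gap the Flash plug-in left open. Note that the header flag is only the opt-in; a system-wide "always on" DEP policy enforces DEP regardless of it.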
The conclusion I draw from this is that it is virtually impossible to build a completely safe operating system that accommodates literally hundreds of thousands of different programs, scripts, applets, etc., written by many different vendors whose developers may be good or merely average. Take browser applications, for example. The architecture of browsers means that all code runs in the same process, providing no isolation between different components, so a plug-in that opts out of a mitigation weakens the memory protection of the whole process. An operating system cannot stop such problems -- research points to ways around ASLR and DEP on all OSes -- but it can make it less likely that malicious code executes.
If you have an OS running on a locked-down box, isolated in a secure room with no network connections, and it is running a single application, then most of today's OSes can be considered secure. But most OSes don't operate in that environment. Security protection in Vista perhaps isn't as comprehensive as was first thought, and is unlikely to ever be unbreakable, but the layers of protection used in Vista are still effective at mitigating many attacks and preventing the exploitation of vulnerabilities in server processes.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in February 2009