Windows Vista Network Attack Surface Analysis: An Update
Greetings. For the last four months we have been busy taking a look at the release (RTM) version of Windows Vista in an effort to update our Windows Vista Network Attack Surface Analysis report from last July, which covered beta builds of Vista. To broaden and deepen our research, we have retested the results in the first report and expanded our investigation of certain topics.
As of today, the new report is available to you. The paper is 118 pages long, but don't worry, you don't have to read it all! You can skip to the parts you are most interested in, or take a look at the 13 pages that summarize the results in the paper. In addition, the appendices provide details of our methodology and results. We hope you find this report useful as a Windows Vista network reference, and we hope you find value in both the detailed security analysis and in the broad overview.
As you may know, the network stack in Vista was completely rewritten and many new protocols are introduced (not the least of which is IPv6). That means that Vista is quite different from a network perspective, and is something interesting to study.
The paper Windows Vista Network Attack Surface Analysis includes an analysis of the Teredo implementation on Vista. You may have seen our platform-independent assessment of the security implications of Teredo back in November. If not, please see the blog entry that introduced it. In any case, we recently made some improvements to the paper, and have made the new version available today.
While the main security concerns with Teredo (network security control bypass and unexpected global accessibility) are platform independent, we wanted to analyze the Vista implementation. Teredo is enabled by default on Vista and it may not be uncommon to find it in use. We were disappointed that Vista's ping test nonce strength was lower than what the (Microsoft-sponsored) Teredo RFC recommends. On the other hand, Microsoft has implemented some measures that should make Vista Teredo addresses 4096 times harder to guess than they otherwise would be, and Vista requires that a firewall be on before Teredo can be used.
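Because Teredo tunnels IPv6 through UDP and can slip past network security controls, a defender's first question is usually whether Teredo addresses are showing up in their logs at all. The following is an added example (not code from the report or from Microsoft) that decodes the RFC 4380 address layout, with the embedded NAT port and IPv4 address XOR-obfuscated, and scans constructed firewall log lines that use documentation address ranges.

```python
import ipaddress
import re

# RFC 4380 Teredo prefix; every Teredo client address falls inside it
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")

def parse_teredo(addr_str):
    """Decode a Teredo IPv6 address (RFC 4380 layout) into its embedded fields.
    Returns None for addresses outside the Teredo prefix."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed
    server_v4 = ipaddress.IPv4Address(raw[4:8])   # Teredo server IPv4
    flags = int.from_bytes(raw[8:10], "big")      # cone bit plus remaining flag bits
    # The mapped NAT port and IPv4 address are stored XORed with all-ones bits
    mapped_port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    mapped_v4 = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return {
        "server": str(server_v4),
        "cone": bool(flags & 0x8000),
        "flags": flags,
        "nat_port": mapped_port,
        "nat_ip": str(mapped_v4),
    }

def find_teredo_in_log(lines):
    """Return (address, decoded fields) for every Teredo address in the log lines."""
    hits = []
    for line in lines:
        for token in re.findall(r"[0-9A-Fa-f:]+", line):
            if ":" not in token:
                continue
            try:
                info = parse_teredo(token)
            except ValueError:  # not a valid IPv6 literal at all (e.g. a timestamp)
                continue
            if info is not None:
                hits.append((token, info))
    return hits

# Constructed firewall log lines (documentation address ranges, not real traffic)
SAMPLE_LOG = [
    "2007-02-15 10:21:03 fw ALLOW src=2001:0:c000:22d:8000:63bf:39cc:9bf8 dst=2001:db8::10 proto=tcp dport=445",
    "2007-02-15 10:21:09 fw ALLOW src=2001:db8::42 dst=2001:db8::10 proto=tcp dport=80",
]

if __name__ == "__main__":
    for address, info in find_teredo_in_log(SAMPLE_LOG):
        print(f"{address}: server={info['server']} cone={info['cone']} "
              f"behind NAT {info['nat_ip']}:{info['nat_port']}")
```

The decoded server address and NAT mapping are what let you correlate a Teredo source with the internal host that is tunnelling, which is the data a firewall that only inspects the outer UDP flow never shows you.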
We also dove deeply into Microsoft's new protocol to discover the topology of a small network, LLTD. We found this protocol well documented and not subject to many common classes of attack. However, it is possible to spoof information to have it appear in the resulting network map and even to trick a user into visiting an Internet Web page impersonating a local device. In our investigation, we found signs of Microsoft following their Secure Development Life-cycle—from design to implementation.
Additional deeper investigations include Windows Firewall, MS-RPC, and IPv4/IPv6 fragmentation reassembly behavior. We also studied ARP, NDP, IGMP, MLD, ICMPv6, TCP, UDP, and various aspects of IPv4 and IPv6. You can read about these topics and more in the Windows Vista Network Attack Surface Analysis paper.
Further reading:
More research papers about Windows Vista security can be found at:
http://www.symantec.com/enterprise/theme.jsp?themeid=vista_research