Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Windows
Showing posts in English
Ollie Whitehouse | 12 Mar 2007 07:00:00 GMT | 0 comments

Code Signing and UAC in Windows Vista havea relationship that should not be underestimated. Code Signing allowsUAC to provide a user with the details of an application's publisherand, thus, permits the user to ensure it is trusted before allowing itto elevate to full administrative privileges. Therefore, my recentobservation has left me dumbfounded.

The observation was this: if a signed binary is modified on diskand, thus, the code signing signature invalidated, you don’t get a bigklaxon going off with the computer screaming, “Danger Will Robinson!Danger!” Instead, the binary is simply treated as if it isn’t signed.Why is this an issue? The simple reason is that if, for example, youhave a world of poor file permissions (looking squarely at third-partysoftware here) and the user running as a restricted administrator canmodify a binary that is allowed to elevate, you could end up in asticky situation. That is, if a user is familiar with the fact that anapplication needs...

Jim Hoagland | 07 Mar 2007 08:00:00 GMT | 0 comments

Greetings. For the last four months we have been busy taking a lookat the release (RTM) version of Windows Vista in an effort to updateour Windows Vista Network Attack Surface Analysis report fromlast July, which covered beta builds of Vista. To broaden and deepenour research, we have retested the results in the first report andexpanded our investigation of certain topics.

As of today, the new reportis available to you. The paper is 118 pages long, but don't worry, youdon't have to read it all! You can skip to the parts you are mostinterested in, or take a look at the 13 pages that summarize theresults in the paper. In addition, the appendices provide details ofour methodology and results. We hope you find this report useful as aWindows Vista network reference, and we hope you find value in both thedetailed security analysis and in the broad overview.

Orlando Padilla | 02 Mar 2007 08:00:00 GMT | 0 comments

The media surrounding the effectiveness of Windows Vista's newsecurity features has (in my opinion) just begun. Microsoft's reach iswell beyond that of any other software vendor in the world, and withthis achievement comes fame, power, and a corporate life under amicroscope. To honor this tradition, I previously posted an entryabout the effects of malicious code executed under a default Vistaenvironment; if you haven't read it, you are certainly encouraged to.This research has now been completed and this new entry should serve asa compliment to my previous post. A paper detailing the full researchhas been made available here.

The outcome of the research:

In my previous blog, I mentioned that about seventy...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understandwhich binaries in Windows Vista were not /GS compiled. While this mayseem rather simple on the surface, as I started to dig, it became alittle more complex. That said, my goal was achievable and today I’mhappy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista"was to show which binaries under a default installation of WindowsVista 32bit RTM were not protected by the Visual Studio 2005 /GScompiler flag. This, in turn, was designed to help Symantec and ourclients understand any exposure, either direct or indirect, which mayresult from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check(GS) option to protect stack variables from overflows that resulted inarbitrary code...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR workson the basis that it will move an application and its associated memoryaround, either each time it’s executed or when the host is rebooted,depending on the element concerned. The purpose of this is to hinder aclass of vulnerabilities commonly referred to as memory manipulation vulnerabilitiesby making it difficult for an attacker to know where an application isin memory. This would impede successful exploitation, which relies onfixed memory addresses.

Back in December, I decided to take a brief look at theimplementation of ASLR on Vista. I had seen some findings emerge duringits development, but these really didn’t show if the implementation wasgood, bad, or indifferent. Since my work load was winding down, as Ihad December off, and a tool I had written indicated there might besome problems, I decided to look at this in more detail. My...

Oliver Friedrichs | 28 Feb 2007 08:00:00 GMT | 0 comments

Last July, I discussed how Windows Vista™ was one of the mostimportant technologies that we would see in 2007. Last year, SymantecAdvanced Threat Research released four research papers on the then betaversion of Windows Vista. These papers provided a security analysis ofthe new Windows Vista network stack, user-mode security defenses,kernel-mode security technologies, and the Teredo protocol—a key IPv6over IPv4 transition technology in Vista. Being one of the firstthird-party assessments on the progression of Windows Vista security,these papers were extremely well received in the technology industry.

Fast forward to today, and Windows Vista has now been released tobusinesses and consumers alike. Throughout its release, Symantec hastracked the evolution of Vista very closely and continued to assess itspotential in defeating today’s attackers. We’ve documented our findingsin a series of six research papers that are being released in thecourse of the next week. The goal of this...

Ollie Whitehouse | 20 Feb 2007 08:00:00 GMT | 0 comments

People who have been following the notunexpected initial wave of security research with regards to WindowsVista will have seen a few informative blog posts recently. First, in ablog titled "Running Vista Every Day!"Joanna Rustkowska pointed out some issues with UAC, one of them being asimple implementation bug in UIPI. This, I believe in part, resulted inMark Russinovich writing his blog entry "PsExec, User Account Control and Security Boundaries." Joanna posted another blog, "Vista Security Model ? A Big Joke?" in response to Mark's blog post. And then followed it with "...

James O'Connor | 16 Feb 2007 08:00:00 GMT | 0 comments

There has been much talk recently about thelaunch of Windows Vista, and one feature in particular: SpeechRecognition. Speech Recognition allows the user to dictate arbitrarytext to the computer (a letter for example) using speech instead of thekeyboard. It also allows the user to carry out normal computing tasksvia a choice of pre-defined commands. There are commands such as"delete that," "press escape key," and "what can I say?" This last oneshows the user what kinds of command they can use in the currentsituation. If Speech Recognition is running, but sleeping, the usersays "start listening" to activate it.

It has been suggested that Speech Recognition could be subverted fornefarious purposes using malicious audio clips. The scenario would beas follows:

• The user is browsing the Web, with Speech Recognition enabled.
• They visit a Web site, with a background audio clip that plays as soon as the site is opened.
• The audio clip contains commands that...