Researchers attending RSA Conference 2007 yesterday announced a new vulnerability — with a working exploit — that they said demonstrates Microsoft's Windows Vista's weakest link: its third-party software.
Engineers from Core Security Technologies told SCMagazine.com Tuesday that a previously disclosed flaw in CA’s BrightStor ARCserve Backup could act as an attack vector that would enable remote compromise of Vista systems.
As developers of Core Impact, a penetration testing product, these researchers believe they have an inside look into the threat landscape. They said that this particular vulnerability will be the first of many third-party vulnerabilities that will affect Vista users.
"Our continuing work demonstrates that the new operating system (OS) is only as secure as the third-party applications that run on it. As they say, a chain always breaks at the weakest link, and unfortunately a new OS is no exception to this rule," said Iván Arce, CTO at Core Security. "To enable customers to take full advantage of Vista’s new security mechanisms, independent software vendors must be diligent in updating their products.
According to Max Caceres, director of product management for Core Security, Microsoft has made great strides in improving its security features and hardening the Windows OS. He said that the problem is that many third-party software developers have not caught on fast enough to take advantage of the platform’s new functionalities. In the case of CA’s BrightStor vulnerability, Caceres said that because the software doesn’t take advantage of address space layout ran (ASLR). Designed to move function-entry points around in memory so they are in unpredictable locations, ASLR is one of the added features in Vista designed to thwart buffer overflow attacks by making it difficult to guess .dll or .exe file addresses in an automated attack.
"These features are not supposed to prevent buffer overflows, they just make it really hard for the attackers to execute them," Caceres said. "But third-party applications aren’t using them yet."
Microsoft executives told SCMagazine.com today that it wasn’t surprised that Core Security’s engineers were able to exploit this vulnerability, as this is an older version of BrightStor that CA itself no longer recommends to customers.
"This is a case where it is much ado about nothing," said Stephen Toulouse, senior product manager with the Microsoft Security Technology Unit. "We’re kind of confused about the motivation of making an announcement about an older, unpatched version that the vendor itself doesn’t recommend. There are probably more vulnerabilities beyond this CA case if you are going to look at unpatched third-party software. Vista was never designed to automatically fix third-party software."
Toulouse specifically addressed the issue of ASLR in the case of CA’s BrightStor.
"They are saying that this is a circumvention of ASLR, but ASLR was designed to prevent buffer overflow attacks against the operating system itself," he said.
He also said that he took exception to what he perceived as claims from Core Security that it would be difficult to build ASLR capabilities into third-party applications. He says that it is simply a matter of adding a simple command and recompiling the code.
"If any of our developers find it difficult to do that, we encourage them to contact us for help," he said.
But Caceres said that he believes it will take some time for independent software vendors to catch on to all of the security capabilities of Vista — including ASLR — with newer, more secure versions of their applications. He explained that the motivation behind yesterday’s announcement was to inform users that their existing applications will still be a risk no matter how secure the Vista operating system may be.
"It is dangerous if people believe they are protected," he said. "Users need to be aware of the risks, because at the end of the day, how they get into the system doesn’t really matter."