Why Didn’t You Exploit IE?

At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari- why not exploit Internet Explorer or Firefox. His answer?

“It’s really simple. Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program.  Firefox on Mac is pretty easy too.  The underlying OS doesn’t have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be.  There’s no randomization. I know when I jump there, the code is there and I can execute it there.  On Windows, the code might show up but I don’t know where it is.  Even if I get to the code, it’s not executable.  Those are two hurdles that Macs don’t have.”

This is a commentary on Windows more than Internet Explorer. As Miller pointed out, “it’s more about the operating system than the program”. This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least privilege access enforced by UAC, with DEP (data execution prevention), ASLR (address space layout randomization), and Protected Mode IE provide additional layers of protection which make it harder to exploit vulnerable software. It was the ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.

Miller even goes on to suggest that Firefox, and particularly Google’s Chrome browser might be even harder than Internet Explorer to exploit, but its primarily due to the hoops an attacker would have to jump through to exploit a vulnerability in Windows. Seems like fairly high praise for Microsoft’s efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.

Follow me on Twitter


Forefront Security for OCS

Forefront Client Security and other Forefront Server Security products, such as Forefront Security for Exchange Server and Forefront Security for Sharepoint, have been around for some time now. Microsoft’s Forefront Security for Office Communications Server seems to have taken a painstakingly long time to get developed, make it through Beta testing, and finally now released to manufacturing (RTM). But, that day has finally arrived.

Check out this post for more details about the new Forefront offering: Forefront Security for OCS Finally Reaches RTM

Follow me on Twitter

IE8 Compatibility

I have been using Internet Explorer 8 (IE8) almost exclusively since the first Beta became available. Now, my primary OS is the Windows 7 Beta, so IE8 is built-in as my default browser. I have run into my share of page compatibility issues. The most notable for me- which has since been addressed by Microsoft, Google, or both- was that Google Maps just flat out did not work in native IE8 or in compatible mode. I guess that should have been a red flag clue that IE8 compatibility mode does not equal IE7. Obviously there are still things that are different between IE7 and IE8 compatibility mode or any site that worked in IE7 would work the same in compatibility mode.

Now that it is in Release Candidate (RC) mode, with an official release rumored to be on the imminent horizon, most of those types of issues have been resolved. However, there are still issues created by changes made by Microsoft in IE8. Web developers who have developed their sites to work in IE7, Firefox, Opera, Safari, or whatever else may very well have to modify the underlying code in order to make it work in IE8- even in compatibility mode.

To Microsoft’s credit, the IE8 team posted a detailed breakdown comparing IE8 compatibility mode to IE7, and comparing IE8 standard mode to IE8 compatibility mode along with code descriptions of the issues and suggestions or recommendations for how to modify code to make it work or workarounds to make sites functional in IE8. Judging from the comments in response to the post, the reaction is quite mixed. Some praised Microsoft for the improvements they have made and for writing this post to help developers embrace the changes, while many attacked Microsoft for not simply playing by the same rules that seem to be working just fine for every other browser, as well as for taking so long to develop and release new versions.

They claim that because Microsoft has a dominant share of the Web Browser market that their lack of coordination with other browsers and lack of cutting edge development hinder the potential of the Web as a whole. I still prefer IE8 to Firefox or Chrome and will continue to use IE8, but some of the points seem to make sense. I am curious to know what other users, and especially what web developers, think of Internet Explorer in general, and IE8 specifically.

Follow me on Twitter

Paving The Way for DirectAccess

Windows 7 has a lot of exciting features both for consumers and enterprises. One of the most promising features for enterprises is DirectAccess. DirectAccess makes VPN connections obsolete and provides seamless connectivity between the internal enterprise network and remote clients roaming wherever they may be. As long as the remote computer has an Internet connection it is able to access network resources as if it was connected directly to the enterprise network. Conversely, the IT admin can manage the remote computers over DirectAccess as long as there is an Internet connection even if the user is not logged in. Unfortunately, Windows 7 is still in Beta so it will be awhile before it will hit the streets in its officially released version.

For enterprises that are looking forward to DirectAccess though, there is no need to sit back and wait. Windows 7 is not the only piece of the puzzle. Implementing DirectAccess also requires Windows Server 2008 and some specific technologies and configuration that enterprises can proactively put in place in anticipation of the release of Windows 7. Check out ‘Paving The Way for DirectAccess’ to see what the DirectAccess requirements are and what you can do now to prepare your network to take advantage of DirectAccess when Windows 7 becomes available.

Follow me on Twitter

SP2 Release Candidate Available for Vista / Windows Server 2008

The next major Service Pack release for Windows Vista and Windows Server 2008 is one step closer to its official release. Service Pack 2 (SP2) has moved from Beta to RC (Release Candidate). You can download the SP2 RC from the Microsoft Springboard site.

SP2 will only work with Windows Vista SP1 or Windows Server 2008 SP1, so if you have either of these operating systems and have not yet installed SP1, you should download and install that first. If you’re curious what changes you can expect with SP2, you can read Notable Changes in Windows Server 2008 SP2 RC and Windows Vista SP2 RC. Here are some highlights of the changes in SP2:

  • integrates the Windows Vista Feature Pack for Wireless, which contains support for Bluetooth v2.1 and Windows Connect Now (WCN) Wi-Fi Configuration. Bluetooth v2.1 is the most recent specification for Bluetooth wireless technology.
  • improves performance for Wi-Fi connections after resuming from sleep mode.
  • includes updates to the RSS feeds sidebar for improved performance and responsiveness.
  • includes ability to record data to Blu-Ray Disc media.
  • SP2 provides an improved power management (both on the server and the desktop), which includes the ability to manage these settings via Group Policy.
  • Provides better error handling and descriptive error messages where possible
  •  If you have the prior version of Service Pack 2 installed (Beta build 16497) you will need to un-install it before installing the newer RC build (16670) from the links on the Microsoft Springboard site.

    Follow me on Twitter

    Windows 7: Overview of DirectAccess

    For businesses with remote users that rely on VPN connections to securely access data and resources on the corporate network, DirectAccess offers a very compelling business case for Windows 7. VPN connections can be complex and cumbersome for users. Conversely, the organization can not effectively manage or maintain remote computers. DirectAccess provides a seamless connection between the internal network and the remote computer no matter where it may be as long as there is an Internet connection.

    Check out the Windows 7 and Windows Server 2008 R2 DirectAccess Executive Overview for a brief, high-level look at the benefits that DirectAccess provides.

    Follow me on Twitter

    Windows 7 Manageability Overview

    Combined with Windows Server 2008, Windows 7 will provide enterprises with unprecedented manageability and whole new methods for networking and administering clients. Microsoft has put together a white paper providing a detailed look at the new management features with Windows 7. Here is an excerpt from the white paper providing an overview of the information you can find in the white paper:

    Windows 7 introduces a number of manageability improvements that can reduce total cost of ownership by helping to increase automation, improve user productivity, and provide flexible administrative control to meet compliance requirements. This paper provides an overview of each of these improvements.

    IT professionals are often responsible for repetitive and time-consuming tasks. Windows 7’s comprehensive scripting abilities enhance the productivity of IT professionals by automating those tasks, which reduces errors while improving administrative efficiency:

    • Microsoft Windows PowerShell 2.0 enables IT professionals to easily create and run scripts on a local PC or on remote PCs across the network. Complex tasks or repetitive management and troubleshooting tasks are automated.
    • Group Policy scripting enables IT professionals to manage Group Policy Objects (GPOs) an registry-based settings in an automated manner, thus improving the efficiency and accuracy of GPO management.

    In addition to its powerful scripting capabilities, Windows 7 includes several features that improve user productivity and reduce costs:

    • Built-in Windows Troubleshooting Packs enable end-users to solve many common problems on their own, and IT professionals can create custom Troubleshooting Packs, thus extending this capability to internal applications.
    • Improvements to the System Restore tool inform users of applications that might be affecte when returning Windows to an earlier state.
    • The new Problem Steps Recorder enables users to record screenshots, click-by-click, that reproduce a problem so IT can troubleshoot solutions.
    • Improvements to the Resource Monitor and Reliability Monitor enable IT professionals to more quickly diagnose performance, compatibility, and resource limitation problems.

    For IT departments to address their ever-increasing security needs and meet compliance requirements, Windows 7 also supports the following features:

    • AppLocker enables IT professionals to more flexibly set policy on which applications and scripts users can run or install, providing a more secure and manageable desktop.
    • Auditing improvements enable I professionals to use Group Policy to configure more comprehensive auditing of files and registry access.
    • Administrators can require users to encrypt removable storage devices with BitLocker To Go via Group Policy.
    • Group Policy Preferences define the default configuration, which users can change, and provide centralized management of mapped network drives, scheduled tasks, and other Windows components that are not Group Policy-aware.
    • DirectAccess seamlessly connects mobile computers to the internal network, allowing IT professionals to manage them if the user has an Internet connection.

    Altogether, the improvements introduced by Windows 7 can reduce the time IT professionals spend maintaining and troubleshooting, improve user productivity, and enable IT departments to better meet compliance requirements.

    Download the white paper to learn about all of these features in more detail. Feel free to comment here if you have thoughts or questions about the Windows 7 manageability features.

    Follow me on Twitter