Microsoft says that "Vista is the safest version of Windows yet." What do hackers say? In short, they think it is an improvement, but in the end it is like every other product they have analysed: it can still be broken.
Only USD 500 to get certified
"Vista cannot catch everything," said the well-known hacker H.D. Moore. "Look at how a hacker gets in: I just got Metasploit through Microsoft's automated certification process, and it cost a total of $500." Moore, founder of the Metasploit Project and core developer of the Metasploit Framework (a leading open-source exploit development platform), is also director of security research at BreakingPoint Systems. In his words, Vista blindly trusts every Microsoft-certified program, even if that program is an exploit framework; anything can walk in through the front door as long as someone pays $500 to get it approved.
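Moore's point is that a valid signature only proves someone paid to sign the code, not that the code deserves to load. The following is an added example, not code from the article or from any of the people quoted in it: it walks the kernel drivers registered on a Windows machine, verifies each file's Authenticode signature, and reports the signer, so that "signed" and "signed by whom" can be told apart. It assumes Windows PowerShell 3.0 or later (not PowerShell 7, which lacks `Get-WmiObject`) and an administrative session; the two function names are ours.

```powershell
# Added example, not from the article. Audit kernel drivers by signature status
# and signer. Assumes Windows PowerShell 3.0+ run as an administrator.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes ("\??\C:\...",
    # "\SystemRoot\system32\...", "system32\drivers\..."); normalise to a full path.
    param([string]$RawPath)
    $p = $RawPath -replace '^\\\?\?\\', ''            # strip the "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') {                  # relative to the Windows directory
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    # One record per registered driver: name, running state, path, signature status, signer.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries with no file on disk
            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Drivers whose signature does not validate, or that validate but were not signed by
# Microsoft, are the ones worth a second look. "Valid" only means the certificate chain
# verifies; it says nothing about whether that signer should be running in the kernel.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer -AutoSize
```

Two caveats when reading the output. Many Microsoft inbox drivers are signed through a catalog (.cat) file rather than an embedded signature, and older PowerShell versions do not consult catalogs, so a `NotSigned` result for a file under `System32\drivers` means "check the catalog", not "unsigned". Conversely, a third-party driver that shows `Valid` is exactly the case the article describes: the operating system accepted it because the chain verifies, and deciding whether the signer is trustworthy is still up to you.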
The Security Summit held in New York on March 14, 2007 drew a large number of white-hat hackers, and the conference was essentially one long seminar on Vista security; Moore was one of the participants. The session, "Vista: How secure are we?", was presented by David Tan, co-founder and chief technology officer of CHIPS Computer Consulting. Moore attended alongside COSEINC security researcher Joanna Rutkowska and Jon "Johnny Cache" Ellch, co-author of Hacking Exposed Wireless.
Rutkowska said she personally agreed with Moore's view: getting a rootkit signed is indeed one way to take over a Vista system, but if all you want is a system with a hidden weakness, you do not even need to spend the time or money on certification. "Take a video card driver with a stupid bug," she said. "You have no recourse. You cannot blame the video card vendor for the bug, and you cannot even prove it was intentional."
Rutkowska added that Vista will remain a viable target until Microsoft and the security vendors put together a blacklist of buggy drivers. Some people assume that such bugs can always be spotted in memory. Do not count on it: Rutkowska's Black Hat presentation a few weeks earlier showed that exploit code can use memory-patching techniques to hide its tracks.
David Tan has pointed out Vista security vulnerabilities before, but even in front of a room full of hackers he said the new operating system has genuinely improved its security features. He praised Microsoft's Trustworthy Computing initiative and its reworked development lifecycle, and judged many of the products that came out of that lifecycle to be "effective": SQL Server 2005, for instance, has had no major security vulnerability or defect found so far. "Microsoft undoubtedly deserves credit," he said.
UAC is annoying
Tan also said that, with security concerns growing, Microsoft has added to Vista a set of security features for system protection and data protection that any client operating system must address. Among them is UAC (User Account Control), which pushes users to work from accounts with limited permissions instead of the usual Windows accounts with full administrator rights. On Vista, UAC is enabled by default for all users, and even the Administrator account runs with only standard (medium-level) privileges until it elevates. It can still be turned off.
Some people, however, find the UAC warning box annoying: first, UAC uses jarring colours (orange for an alert, blue for safe); second, whenever the user wants to proceed with an action that has been flagged, it asks for confirmation every time. Rutkowska does not agree with this criticism at all. As she wrote in her blog: "Although UAC is the most important security mechanism introduced in Vista, you can still bypass it in many ways." Her view was soon echoed by Symantec research scientist Ollie Whitehouse. In a post published on February 20 titled "Why can't I always trust Vista's UAC prompt?", he wrote that UAC is easy to bypass because social engineering alone can trick users into approving a privilege escalation for unauthorised code.
Tan raised a related concern in his presentation: frequent UAC dialogs will train users into a "click here to get on with your work" reflex. "Will the constant UAC prompts push users to turn the feature off?" he asked. "If it gets in the way of users' daily work, they may well do so."
Rutkowska, on the other hand, said she was puzzled by the endless debate over the UAC dialog. "I have been using Vista for two months now," she said. "Apart from the first few days of installation, I hardly ever noticed the UAC dialog. In my opinion UAC is a good technology, and a good security mechanism for ordinary users."
What Rutkowska is unhappy with is Microsoft's attitude. Faced with a wave of UAC criticism, Microsoft began to stress that UAC is not a hard security boundary like a firewall; it is more of a guidance tool. Unfortunately, Rutkowska pointed out, that stance means Microsoft does not treat a potential way around UAC as a bug. "Escalation from a low level to a high level [of user permissions] is not considered a security bug," she said. "But in fact, that kind of privilege escalation is a good indicator that the machine is already at risk."
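The debate above turns on three things an administrator can actually measure: whether UAC is on at all (the state Tan worried users would drift into), whether administrators are prompted or elevated silently, and whether the prompt is drawn on the secure desktop, which is what makes it hard for another program to spoof or overlay it (Whitehouse's social-engineering point). The following is an added example, not code from the article: it reads the UAC policy values under the `Policies\System` registry key and flags settings that weaken the mechanism. The registry path and value names are the real Windows ones; the function name and the wording of the findings are ours. It assumes Windows PowerShell on Vista or later.

```powershell
# Added example, not from the article. Report the UAC policy values and flag
# configurations that weaken UAC. Reading HKLM policy values needs no elevation.

function Get-UacPolicyReport {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Meaning of ConsentPromptBehaviorAdmin values. Vista shipped with 2.
    $adminBehaviour = @{
        0 = 'elevate silently, no prompt'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries only'
    }
    $adminValue = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { -1 }
    $adminText  = if ($adminBehaviour.ContainsKey($adminValue)) { $adminBehaviour[$adminValue] } else { 'value not set, OS default applies' }

    # An absent value is treated as "not enabled", which is the conservative reading for an audit.
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'UAC is disabled (EnableLUA=0): every administrator logon runs fully elevated'
    }
    if ($adminValue -eq 0) {
        $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0): UAC never asks'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts appear on the normal desktop (PromptOnSecureDesktop=0): other programs can draw over or spoof them'
    }
    if ($p.EnableInstallerDetection -ne 1) {
        $findings += 'Installer detection is off (EnableInstallerDetection=0): setup programs are not forced through an elevation prompt'
    }

    [PSCustomObject]@{
        UacEnabled        = ($p.EnableLUA -eq 1)
        AdminPrompt       = $adminText
        SecureDesktop     = ($p.PromptOnSecureDesktop -eq 1)
        InstallerDetect   = ($p.EnableInstallerDetection -eq 1)
        Findings          = $findings
    }
}

Get-UacPolicyReport | Format-List
```

On a default Vista installation the report shows UAC enabled, administrators prompted for consent on the secure desktop, and an empty `Findings` list. Each finding corresponds to one of the positions argued in the article: `UacEnabled False` is the outcome Tan predicted, and `SecureDesktop False` is the configuration in which the spoofed-prompt attacks Whitehouse described become easiest.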
Vista's security technologies are still incomplete
Another of Vista's protection features is Windows Defender, previously available only as a separate download. Defender detects and removes software that should not be there and actively monitors protected areas of the system. It can also be managed through Group Policy and integrated with Active Directory (AD).
Another system protection feature in Vista is the new Windows Firewall, which builds on the Windows XP SP2 firewall and improves on it by filtering in both directions. Earlier versions did not monitor outbound traffic at all; they simply ignored the fact that an infected machine keeps spreading malware out onto the network.
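Whether the firewall really protects "in both directions" depends on the per-profile default actions: Vista's firewall is on by default and blocks unsolicited inbound traffic, but its outbound default is allow unless policy changes it. The following is an added example, not code from the article: it reads the three firewall profiles Vista introduced (domain, standard/private, public) from the `FirewallPolicy` registry key and reports whether outbound filtering is actually in force. The key path and value names are the ones Windows uses for these policy settings; the function name is ours, and where a value is absent the code fills in the Vista default and says so in the comments.

```powershell
# Added example, not from the article. Report the effective inbound/outbound default
# action for each Windows Firewall profile. Assumes Windows PowerShell on Vista or later.

function Get-FirewallProfileReport {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path $base $profile
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

        # Vista defaults when a value is not set: firewall on, inbound blocked, outbound allowed.
        # DefaultInboundAction / DefaultOutboundAction: 1 = block, 0 = allow.
        $enabled  = if ($null -ne $p.EnableFirewall)        { $p.EnableFirewall -eq 1 }        else { $true }
        $inBlock  = if ($null -ne $p.DefaultInboundAction)  { $p.DefaultInboundAction -eq 1 }  else { $true }
        $outBlock = if ($null -ne $p.DefaultOutboundAction) { $p.DefaultOutboundAction -eq 1 } else { $false }

        [PSCustomObject]@{
            Profile         = $profile
            Enabled         = $enabled
            InboundDefault  = if ($inBlock)  { 'Block' } else { 'Allow' }
            OutboundDefault = if ($outBlock) { 'Block' } else { 'Allow' }
            # "Two-way" in the article's sense only holds when both defaults are Block.
            TwoWay          = ($enabled -and $inBlock -and $outBlock)
        }
    }
}

Get-FirewallProfileReport | Format-Table -AutoSize
```

On an unmodified Vista machine every profile reports `OutboundDefault Allow` and `TwoWay False`: the capability the article describes exists, but it only blocks what an administrator has written outbound rules for. Setting the outbound default to block is a policy decision with real application-compatibility cost, which is why the check reports the state rather than changing it.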
The last system protection feature added in Vista is the Windows Security Center, which checks and displays the status of the firewall, automatic updates, malware protection (such as Windows Defender), and other security settings, including third-party security software (such as anti-virus programs).
Tan was critical, however, of Vista's installer detection, which relies on a compatibility database, heuristics, and a built-in list to tell the operating system what is being run. He said Vista's handling of installers carries real risk: every installer runs as administrator, with full access to the file system and the registry, and with the ability to load kernel drivers. "The moment you click OK, that application has full administrator rights, including the right to download and install rootkits," he said.
Tan also criticised the version of Internet Explorer 7 that runs on Vista over Protected Mode. Only in Protected Mode does the browser run inside a controlled sandbox, with limited access to system components, so that Trojans or spyware cannot be dropped onto the machine from a malicious site.
Those are Vista's new system protection features; next comes data protection. The new operating system includes BitLocker Drive Encryption, which encrypts the entire Windows volume and protects data if a laptop is stolen or lost. Tan's only complaint about this feature is that it ships only in the Enterprise and Ultimate editions of Vista, not in the Business edition.
Vista's other data protection features include EFS (Encrypting File System), which encrypts files and folders; Rights Management Services (RMS), which can permanently encrypt files so that, without a licence from a dedicated server, they cannot be emailed out of the enterprise; and Device Control, which gives better control over plug-and-play devices (such as USB devices).
Tan also mentioned PatchGuard, which locks down the kernel completely and in doing so locks out some third-party software, anti-virus products included. PatchGuard not only upset the security vendors; it was also bypassed shortly after Vista launched.
Tan said there are other unfinished security solutions in Vista that Microsoft absolutely needs to strengthen. Windows Defender, for example, performs poorly: in anti-virus testing its quick-scan mode caught only 47% of spyware, while the OneCare security scanner performed disappointingly in Virus Bulletin's VB100% test and failed the AV-Comparatives test.
On top of all this, a high-severity remote code execution bug in Vista's Vector Markup Language (VML) handling was disclosed on January 9; when Vista's strengthened defences were tested against old vulnerabilities, it was found to be vulnerable in every category except rootkits; and the main security enhancements in Vista are available only on 64-bit platforms, so fully benefiting from Vista requires new hardware.
Despite these shortcomings, Tan and many of the hackers present agreed at the end of the conference that Vista's security protection represents real progress. "This is an improvement in security, not a revolution," Tan said. "Vista is not a security solution. At most it is a safer version of Windows."