Security risks cannot be ignored. Three system vulnerabilities cannot be solved so far.

Talking to Danny Allan, Director of Security Research at Watchire, a Web security application company, he concluded that this was the first time in the past few years that people walked out of the main conference venue and shook their heads and said they were helpless, because there are some vulnerabilities, there is still no solution.

The first is the Blue Pill virtual rootkit of Joanna Rutkowska. Blue Pill aroused widespread discussion at last year's hackers' conference, from the very beginning to the present, new research and proven detection methods are ineffective. Matasano's Tom Ptacek and Nate Lawson decided to do a challenging job one morning, trying to prove that nothing is 100% impossible to detect. This job named "don't tell Joanno, the virtual Rootkit is dead ".

However, Rutkowska tested all the Blue Pill detection methods and found that all of them ended in failure. It cannot be said that Rutkowska adds salt to the wound, but after testing the Matasano test solution, it still fails.

In any case, Blue Pill is a form of attack with no feasible defense methods. Fortunately, Blue Pill-based attacks have not yet been discovered, but Windows Vista users are worried, no one wants this status to continue. More and more hackers are discussing Blue Pill. It is only a matter of time to use it as a weapon to attack.

The second solution is the anti-DNS pinning attack, which was invented by David Byrne. Dan Kaminsky, IOActive penetration testing Director, also came to the same conclusion from another perspective that the attack carries forward the DNS rebonding vulnerability. Kaminisky believes that, if you want to bypass the firewall, penetrate the VPN, or remotely obtain any resources, you only need to pop up an infected Web browser through anti-DNS pinning.

DNS and XSTL (Extended table language deformation) Problems (which can execute arbitrary code) share the same point, that is, the attack carrier is "pure ", that is to say, they did not take advantage of any bugs or errors. Their attack ideas are in line with the original design intention.

The last thing that no medicine can save is JavaScript malware. There is no feasible defense method on the client side.

These attack methods are not introduced in depth here. The focus of today is: the only solution to these potential attacks is to develop good software and write good code. For Blue Pill, write the kernel. As a consumer, this is powerless.

For the first time in a few days, hackers are like opening Pandora box. Are we really willing to understand these unsolvable attacks? Yes, we do. If the investigator did not discover these details and did not discuss them so fiercely, the unfriendly person would first discover them. In fact, Blue Pill is a good example. Rutkowska has published details about potential threats, which has aroused heated discussions long before the threat becomes a reality. This foresight can help researchers build defenses before they can cause major problems.