Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/20/2006
07:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hackers Train Sights on Vista, Forefront

Despite all advance testing, hackers aren't worried Microsoft's new security products will cut into their livelihood

This is the final in a series of articles on Microsoft's security play.

Got a visual of hackers snickering at Microsoft's Windows Vista and security tools and effortlessly hacking away at them from their workstations? Or, maybe of exhausted, caffeine-guzzling hackers pounding their fists in frustration at the newly fortressed Vista that has them locked out?

Either way, you've got the picture all wrong.

White-hat hackers, or researchers, aren't dissing Microsoft's security plans, nor are they particularly worried about it cutting into their livelihood, they said in recent interviews with Dark Reading. Instead, they give Microsoft credit for raising the bar with Vista's built-in security features, and they're mostly ambivalent about Microsoft's new Forefront Client Security antivirus and anti-spyware tool. (See 800-Pound Gorilla Sits on AV, Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)

Vista -- which officially gets launched next week, on November 30 -- is no pushover, with its built-in firewall, user account control, and kernel patch protection, they say. "It's now a lot harder -- you've got to be able to do kernel programming and debugging," says researcher Jon Ellch, a.k.a. johnny cache, who is most famous for his wireless exploits and fingerprinting tool. "This severely ups the ante." (See New Tool Dusts for Fingerprints.)

Forefront, however, will be more of a hurdle for script kiddies and other novice hacker types, Ellch says, not for skilled researchers. "Hackers don't give a damn about antivirus software," Ellch says. "It gets you caught once you're already in. If you haven't been caught by AV before, you didn't have to worry about it. AV protects you from script kiddies" only.

HD Moore, director of security research for BreakingPoint Systems and the creator of the popular Metasploit hacking tool, agrees. "Forefront Client Security does nothing to solve the core problem of vulnerabilities. It just shuts out the third-party anti-spyware/rootkit/malware/antivirus vendors."

But if Forefront is better, cheaper, and easier to get and maintain than existing AV tools, it could keep hackers on their toes, according to Moore. "Then it might raise the bar on pen-tests and drive-by download-type attacks."

Moore says Forefront could be a boon for hackers if, as third-party security vendors fear, they eventually get shut out of the market by Microsoft. He says fewer vendors would simplify the task of finding holes, since there would be fewer tools (including Microsoft's) left standing. "The [fewer] security solutions that are out there, the easier it is for me."

Vista will be a tougher nut to crack, however, hackers say, although most say they haven't wasted their energy hammering on the beta version. "Microsoft has made a lot of good improvements to security with Vista, but it's really too early to tell how things will go," says Marc Maiffret, CTO and chief hacking officer at eEye Digital Security. "We have taken a look at it from a product and overall architecture perspective, but we've not yet started to look for any bugs."

Microsoft put Vista under the hacker microscope during the development process, says Dan Kaminsky, director of penetration testing for IOActive, and one of the researchers who looked for potential hacker holes in Vista during its development. "I spent most of '06 working on Vista and working on problems hackers might be looking for," he says. "There were things we found and things we got closed... Certainly, Vista has closed lot of holes that have been around for a very long time."

Still, Kaminsky says, there will be Vista exploits. "But it will be a harder target, no argument about that."

Microsoft applauded the feedback it has received from researchers on Vista. "Security researcher feedback on Windows Vista has been unprecedented. That said, it’s important to remember that no software is 100 percent secure," says a Microsoft spokesperson. "Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off."

And researchers agree there's no such thing as a bulletproof OS or client machine. "They [Microsoft] can't eliminate vulnerabilities, but they can make it trivial to find old vulnerabilities," says Thomas Ptacek, a researcher with Matasano Security. "Microsoft makes it harder for them [researchers], but that creates a whole new slew of Black Hat talks."

Hackers aren't worried that Vista's security will slow their business. "Every new release brings new challenges and new opportunities for employment," says Mark Loveless, a.k.a. simple nomad, and security architect for Vernier Networks.

"I think if you asked most researchers, they'd say that they want the bar raised," Ptacek says. "Writing an exploit for a well-known vulnerability is a commodity skill. Teenagers can do it. And they charge less than we do."

Meanwhile, the irony of Microsoft elbowing out competitors that have been securing Windows desktop products for years isn't lost on the research community.

"I think the funniest part is how Microsoft gets to play both sides," Moore says. "Take advantage of the poor security record of their products and at the same time shut out all the third-party solutions, all to sell something new."

And hackers respect the constant game of catch-up that Microsoft is forced to play with them.

"It's an arms race and the attackers definitely have the advantage," says Loveless. "Microsoft has the disadvantage because they have to patch every single hole, and hackers only have to open one at a time."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • BreakingPoint Systems
  • Microsoft Corp. (Nasdaq: MSFT)
  • eEye Digital Security
  • IOActive
  • Vernier Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Human Nature vs. AI: A False Dichotomy?
    John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: -when I told you that our cyber-defense was from another age
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-15073
    PUBLISHED: 2019-11-20
    An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
    CVE-2019-15072
    PUBLISHED: 2019-11-20
    The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
    CVE-2019-15071
    PUBLISHED: 2019-11-20
    The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
    CVE-2019-6176
    PUBLISHED: 2019-11-20
    A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
    CVE-2019-6184
    PUBLISHED: 2019-11-20
    A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.