Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:00 AM
Connect Directly

Hackers Train Sights on Vista, Forefront

Despite all advance testing, hackers aren't worried Microsoft's new security products will cut into their livelihood

This is the final in a series of articles on Microsoft's security play.

Got a visual of hackers snickering at Microsoft's Windows Vista and security tools and effortlessly hacking away at them from their workstations? Or, maybe of exhausted, caffeine-guzzling hackers pounding their fists in frustration at the newly fortressed Vista that has them locked out?

Either way, you've got the picture all wrong.

White-hat hackers, or researchers, aren't dissing Microsoft's security plans, nor are they particularly worried about it cutting into their livelihood, they said in recent interviews with Dark Reading. Instead, they give Microsoft credit for raising the bar with Vista's built-in security features, and they're mostly ambivalent about Microsoft's new Forefront Client Security antivirus and anti-spyware tool. (See 800-Pound Gorilla Sits on AV, Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)

Vista -- which officially gets launched next week, on November 30 -- is no pushover, with its built-in firewall, user account control, and kernel patch protection, they say. "It's now a lot harder -- you've got to be able to do kernel programming and debugging," says researcher Jon Ellch, a.k.a. johnny cache, who is most famous for his wireless exploits and fingerprinting tool. "This severely ups the ante." (See New Tool Dusts for Fingerprints.)

Forefront, however, will be more of a hurdle for script kiddies and other novice hacker types, Ellch says, not for skilled researchers. "Hackers don't give a damn about antivirus software," Ellch says. "It gets you caught once you're already in. If you haven't been caught by AV before, you didn't have to worry about it. AV protects you from script kiddies" only.

HD Moore, director of security research for BreakingPoint Systems and the creator of the popular Metasploit hacking tool, agrees. "Forefront Client Security does nothing to solve the core problem of vulnerabilities. It just shuts out the third-party anti-spyware/rootkit/malware/antivirus vendors."

But if Forefront is better, cheaper, and easier to get and maintain than existing AV tools, it could keep hackers on their toes, according to Moore. "Then it might raise the bar on pen-tests and drive-by download-type attacks."

Moore says Forefront could be a boon for hackers if, as third-party security vendors fear, they eventually get shut out of the market by Microsoft. He says fewer vendors would simplify the task of finding holes, since there would be fewer tools (including Microsoft's) left standing. "The [fewer] security solutions that are out there, the easier it is for me."

Vista will be a tougher nut to crack, however, hackers say, although most say they haven't wasted their energy hammering on the beta version. "Microsoft has made a lot of good improvements to security with Vista, but it's really too early to tell how things will go," says Marc Maiffret, CTO and chief hacking officer at eEye Digital Security. "We have taken a look at it from a product and overall architecture perspective, but we've not yet started to look for any bugs."

Microsoft put Vista under the hacker microscope during the development process, says Dan Kaminsky, director of penetration testing for IOActive, and one of the researchers who looked for potential hacker holes in Vista during its development. "I spent most of '06 working on Vista and working on problems hackers might be looking for," he says. "There were things we found and things we got closed... Certainly, Vista has closed lot of holes that have been around for a very long time."

Still, Kaminsky says, there will be Vista exploits. "But it will be a harder target, no argument about that."

Microsoft applauded the feedback it has received from researchers on Vista. "Security researcher feedback on Windows Vista has been unprecedented. That said, it’s important to remember that no software is 100 percent secure," says a Microsoft spokesperson. "Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off."

And researchers agree there's no such thing as a bulletproof OS or client machine. "They [Microsoft] can't eliminate vulnerabilities, but they can make it trivial to find old vulnerabilities," says Thomas Ptacek, a researcher with Matasano Security. "Microsoft makes it harder for them [researchers], but that creates a whole new slew of Black Hat talks."

Hackers aren't worried that Vista's security will slow their business. "Every new release brings new challenges and new opportunities for employment," says Mark Loveless, a.k.a. simple nomad, and security architect for Vernier Networks.

"I think if you asked most researchers, they'd say that they want the bar raised," Ptacek says. "Writing an exploit for a well-known vulnerability is a commodity skill. Teenagers can do it. And they charge less than we do."

Meanwhile, the irony of Microsoft elbowing out competitors that have been securing Windows desktop products for years isn't lost on the research community.

"I think the funniest part is how Microsoft gets to play both sides," Moore says. "Take advantage of the poor security record of their products and at the same time shut out all the third-party solutions, all to sell something new."

And hackers respect the constant game of catch-up that Microsoft is forced to play with them.

"It's an arms race and the attackers definitely have the advantage," says Loveless. "Microsoft has the disadvantage because they have to patch every single hole, and hackers only have to open one at a time."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • BreakingPoint Systems
  • Microsoft Corp. (Nasdaq: MSFT)
  • eEye Digital Security
  • IOActive
  • Vernier Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    For Cybersecurity to Be Proactive, Terrains Must Be Mapped
    Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
    A Realistic Threat Model for the Masses
    Lysa Myers, Security Researcher, ESET,  10/9/2019
    USB Drive Security Still Lags
    Dark Reading Staff 10/9/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-13
    Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
    PUBLISHED: 2019-10-13
    Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
    PUBLISHED: 2019-10-13
    Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
    PUBLISHED: 2019-10-13
    Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
    PUBLISHED: 2019-10-13
    Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.