Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:00 AM
Connect Directly

Hackers Train Sights on Vista, Forefront

Despite all advance testing, hackers aren't worried Microsoft's new security products will cut into their livelihood

This is the final in a series of articles on Microsoft's security play.

Got a visual of hackers snickering at Microsoft's Windows Vista and security tools and effortlessly hacking away at them from their workstations? Or, maybe of exhausted, caffeine-guzzling hackers pounding their fists in frustration at the newly fortressed Vista that has them locked out?

Either way, you've got the picture all wrong.

White-hat hackers, or researchers, aren't dissing Microsoft's security plans, nor are they particularly worried about it cutting into their livelihood, they said in recent interviews with Dark Reading. Instead, they give Microsoft credit for raising the bar with Vista's built-in security features, and they're mostly ambivalent about Microsoft's new Forefront Client Security antivirus and anti-spyware tool. (See 800-Pound Gorilla Sits on AV, Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)

Vista -- which officially gets launched next week, on November 30 -- is no pushover, with its built-in firewall, user account control, and kernel patch protection, they say. "It's now a lot harder -- you've got to be able to do kernel programming and debugging," says researcher Jon Ellch, a.k.a. johnny cache, who is most famous for his wireless exploits and fingerprinting tool. "This severely ups the ante." (See New Tool Dusts for Fingerprints.)

Forefront, however, will be more of a hurdle for script kiddies and other novice hacker types, Ellch says, not for skilled researchers. "Hackers don't give a damn about antivirus software," Ellch says. "It gets you caught once you're already in. If you haven't been caught by AV before, you didn't have to worry about it. AV protects you from script kiddies" only.

HD Moore, director of security research for BreakingPoint Systems and the creator of the popular Metasploit hacking tool, agrees. "Forefront Client Security does nothing to solve the core problem of vulnerabilities. It just shuts out the third-party anti-spyware/rootkit/malware/antivirus vendors."

But if Forefront is better, cheaper, and easier to get and maintain than existing AV tools, it could keep hackers on their toes, according to Moore. "Then it might raise the bar on pen-tests and drive-by download-type attacks."

Moore says Forefront could be a boon for hackers if, as third-party security vendors fear, they eventually get shut out of the market by Microsoft. He says fewer vendors would simplify the task of finding holes, since there would be fewer tools (including Microsoft's) left standing. "The [fewer] security solutions that are out there, the easier it is for me."

Vista will be a tougher nut to crack, however, hackers say, although most say they haven't wasted their energy hammering on the beta version. "Microsoft has made a lot of good improvements to security with Vista, but it's really too early to tell how things will go," says Marc Maiffret, CTO and chief hacking officer at eEye Digital Security. "We have taken a look at it from a product and overall architecture perspective, but we've not yet started to look for any bugs."

Microsoft put Vista under the hacker microscope during the development process, says Dan Kaminsky, director of penetration testing for IOActive, and one of the researchers who looked for potential hacker holes in Vista during its development. "I spent most of '06 working on Vista and working on problems hackers might be looking for," he says. "There were things we found and things we got closed... Certainly, Vista has closed lot of holes that have been around for a very long time."

Still, Kaminsky says, there will be Vista exploits. "But it will be a harder target, no argument about that."

Microsoft applauded the feedback it has received from researchers on Vista. "Security researcher feedback on Windows Vista has been unprecedented. That said, it’s important to remember that no software is 100 percent secure," says a Microsoft spokesperson. "Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off."

And researchers agree there's no such thing as a bulletproof OS or client machine. "They [Microsoft] can't eliminate vulnerabilities, but they can make it trivial to find old vulnerabilities," says Thomas Ptacek, a researcher with Matasano Security. "Microsoft makes it harder for them [researchers], but that creates a whole new slew of Black Hat talks."

Hackers aren't worried that Vista's security will slow their business. "Every new release brings new challenges and new opportunities for employment," says Mark Loveless, a.k.a. simple nomad, and security architect for Vernier Networks.

"I think if you asked most researchers, they'd say that they want the bar raised," Ptacek says. "Writing an exploit for a well-known vulnerability is a commodity skill. Teenagers can do it. And they charge less than we do."

Meanwhile, the irony of Microsoft elbowing out competitors that have been securing Windows desktop products for years isn't lost on the research community.

"I think the funniest part is how Microsoft gets to play both sides," Moore says. "Take advantage of the poor security record of their products and at the same time shut out all the third-party solutions, all to sell something new."

And hackers respect the constant game of catch-up that Microsoft is forced to play with them.

"It's an arms race and the attackers definitely have the advantage," says Loveless. "Microsoft has the disadvantage because they have to patch every single hole, and hackers only have to open one at a time."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • BreakingPoint Systems
  • Microsoft Corp. (Nasdaq: MSFT)
  • eEye Digital Security
  • IOActive
  • Vernier Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/9/2020
    Omdia Research Launches Page on Dark Reading
    Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
    4 Security Tips as the July 15 Tax-Day Extension Draws Near
    Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-10
    Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
    PUBLISHED: 2020-07-10
    In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
    PUBLISHED: 2020-07-10
    Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
    PUBLISHED: 2020-07-10
    osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
    PUBLISHED: 2020-07-10
    An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...