[alexander]

in a securityfocus article titled "Owning Vista from the Boot" (fund here )

Federico Biancuzzi interviews Nitin and Vipin Kumar. Read it, its very interesting, but basically they have come up with a proof of concept security exploit that can be stored in memory, in the bios or on the hd in the boot loader, and basically is a program that runs before the boot loader, then starte the boot loader, modifies system executables, attatches to their processes and gives an gets user-level access to the machine (and we all know how hard it is to do privilage escalation in windows, besides you can keylog or even blatantly change the ntlm hash to gain admin, and then rule the box. The interesting thing is that this boot kit can be basically made to do anything, including creating a pxe boot server and sending magic packets to the rest of the network to wake up machines to boot them to the boot kit. The way the the current vista one is written it shows up on boot and intentionaly shows up in speciffic places in ram, now if you were to take away those two things, it would be 99.9% stealthy and only a very long detailed scan of used and unused memory could reveal the "virus".

The beauty is that it can run completely in ram and once you shut down the system, the boot kit is no longer physically there, leaving no trace of any kind. This is something too look at and follow in the near future as it may spawn a whole new type of attack tools and viruses that may be lots more dangerous then anyone can currently expect. Also the brothers are not releasing their code, but basically they did describe how they do it, so its only a matter of time before someone else will write similar code, and it may not be a security researcher...

[Pyrotex]

Be afraid.
Be very afraid.
Buy a Mac.

[alexander]

actually i got a better solution (bout twice as cheap as a mac).

go to ZaReason, Inc. and buy a 100% supported linux laptop for under $1500

That is the next laptop I'm getting for sure, and their support is amazing, my friend had a problem with his laptop not playing the dvds, and it turns out that zareason does not set dvd region code because they ship all over the world, so he's on at like 10 at knight, and he emailed the tech support his problem, within 5 minutes he had a reply detailing how to set region codes or make the dvd drive region free. Quick and proffesional, and the hardware is 100% supported. Basically they take an acer laptop, tare it down and rebuild it with linux certified parts, then install ubuntu on it, make sure all the hardware is operating propperly and then you get it

sorry if i made this sound like an ad, i do not work for them and therefore will get no revenue if i was ad spamming or anything. Just thought i would share my hours of research into the best linux laptop i could find for the money, and now i actually have a friend with one of those, they do make good product...

[Pyrotex]

actually, I got an inferior solution.

go to these guys -- select the Microsoft page -- and get the
MS Windows XP Pro Sp2 + MS Office XP 2003 Pro All in 1 CD (Bonus Edition) Bundle.

Now you're set with the latest (and maybe the last) fast and reliable MS operating system and its matching suite of Office applications.

$73. Not bad.

[Tormod]

Pyrotex said:

$73. Not bad.

And oh so legal...

[Pyrotex]

Tormod said:

And oh so legal...

Yeah. I was gonna say that.

Well, it's quasi-legal. Microsoft knows about this site and has declined to even request its demise. So I have been told.

[CraigD]

Please nobody take me for a Microsoft apologist, but the boot time exploit described in the securityfocus article is in a family of pretty OS-independent exploits. As the Kumars note in the article, the only way to protect against such an exploit is to have good physical security – basically, don’t let a box on your network boot from external media - which is easier said than done, given the state of the art in enterprise box case locks – but that’s a subject for another thread. Likewise, PXE exploits should be pretty OS-independent (I’ve personally not seen PXE effectively implemented, but understand that brave & pioneering sorts are doing it somewhere right now).

Coming from a pre-tpc/ip network background (which is another way of saying I’m old, as IT technical sorts go), almost every box I have anything to do with presently seems to me pathetically insecure. I remember being involved in heated debate over the safety of allowing any box with a CPU - In particular, the Motorola 6800-based, apparently google-proof (this bio of Jule Meyn is the only reference to it I could find on the whole www!) Datamedia IS250 terminal - to accept executable code from a host. I was on the (ultimately winning) “it’s too cool, damn the risk” side of the debate.

Security’s a deep issue. I don’t think any modern OS is good at it, (goodness equating mostly to obscurity – that which is unpolular and unknown is little attacked) due not to evil intentions or technical negligence, but because the modern OS/application paradigm is inherently insecure – but again, that’s a subject for another thread.

[Jay-qu]

Sounds like good news for Xp users, since its no longer microsofts flagship OS virus writers focus will shift to attack the new threat of people feeling safe and sercure

[Boerseun]

Had a enormous virus breakout at a client's office the other day. He's got Vista on one machine, and all the other machines in the office runs XP. The XP boxes have all moaned about being bombed by this virus, and the Vista machine idled along without saying a word. Problem is, the XP boxes were being bombed from the Vista machine, and the Vista box didn't even notice it was infected. So, I went on the hunt and cleaned all the XP boxes. Unplugged the Vista machine from the network, and set about cleaning it manually. I could see all the .exe's being created by the virus, and ran plenty virus checks and scans, and still the Vista machine said it was completely virus free. Meantime, the hard-drive was busy writing and duplicating the .exe's the virus was creating like crazy.
So, had to go to the command line to really get stuck in. And I've never even worked on a Vista box before. So, my friend told me the biggest screw-up in Vista (as far as he was concerned) was that there wasn't a run command or a command prompt in Vista. So I created a new shortcut on the desktop and simply called it "cmd". And what happened? The command prompt opened up! And the OS structure is identical to XP.

Vista is simply XP with extra, unnecessary bells and whistles. It's a cynical attempt to suck money from a largely naive client base by draping a six-year old operating system in a new cloak and creating a media frenzy about it being a totally new OS.

I buy and install an OS to create a platform for my applications to run on. I don't buy an OS to be anything more than a facilitator between software and hardware. I hope to all the gods (both current and those of antiquity) that f**king idiots like Microshaft can understand and comprehend this. Stop worrying about eye candy and start worrying about why your OS continually crashes perfectly good hardware for no good reason, continiously, world-wide, daily, hourly, every minute. Did my dad die because the ventilator he was connected to blue-screened? If your software isn't up to snuff, don't pretend that you can compete seriously on any level other than Solitaire and maybe typing stuff that won't destroy the world if the machine dies mid-sentence. Come on. Vista is about as clever as a toaster strapped to a wheelbarrow. So now you can make toast while pushing the wheelbarrow. But that is not what a wheelbarrow is for, you see. And all these unnecessary fancy bells and whistles than have been the hallmark of Microsoft's OS's ever since the last edition of DOS (their last and final good product) achieves exactly the same as said toaster on said wheelbarrow. If you bought a wheelbarrow because you like toast, well then, Vista should be right up your alley.

But I buy wheelbarrows because I have to push stuff somewhere.

[alexander]

Jay said:

Sounds like good news for Xp users

Lol i do admire your optimism, but not to rain on your parade or anything, the boot kit for XP is actually out to public already...

craig said:

pretty OS-independent exploits

yep, but its up to grub/lilo developers to check what's running in mem before they load the boot loader, willing to bet that ms is not gonna act on it till first viruses are devastating the world.

Actually not a problem with only 3 major companies: apple (no what you would call bios or real boot loader, its all EFI), sun (spark architecture and boot process = very very weird) and SGI (MIPS is also very weird with boot process)

Quote

(I’ve personally not seen PXE effectively implemented, but understand that brave & pioneering sorts are doing it somewhere right now)

I have Actually the college i go to has a successful implementation of PXE big time, every time you reboot they have a PXE service that checks the HD's MD5 and reimages the machine if there is any change. We have successfuly implemented PXE with a hacked gentoo live cd to set up installation over a group of PCs via porter (project my friend was and still is working on, its actually really cool, automated, admin defined and fully configurable gentoo installer over a large amount of hardware profiles)

Quote

which is another way of saying I’m old

How did you guys get to the internet before they invented electricity?
(joking ofcourse)

Quote

I don’t think any modern OS is good at it

No, there are some that are better then others though... But current exploit trend is to not look at OS security, but rather at other attack vectors, this is how you got to wifi fuzzing and firmware exploits, boot kits and others, and its not OS dependent, but as a result you get owned.


This thread is turning sort of in Windows vs Linux debate and on that topic i have found a well-written article detailing a view on software that most people just dont think about, read it here:
Windows Is Free (A TLUG Article)

[alexander]

Pyro said:

actually, I got an inferior solution.

Whats inferior about windows again?

[Pyrotex]

alexander said:

Whats inferior about windows again?

What???
You missed The Tonight Show special last week???
You didn't see

"The Top Ten Reasons Why Windows is Inferior"???

Hint: number 7 was, "The Blue Screen of Death".

[alexander]

no i did not actually, would have been interesting though, i can see already

[Boerseun]

Read on a random page on the net in the last couple'o days that the Vista code was shown to be 6,000 per cent bigger than needed!

This points to one thing only: Sloppy programming.

Problem with all of Microsoft's products is that it's driven by salespeople committing themselves to delivery dates. The programmers then come from behind saying things like "Hey, dude - the schedule is simply too tight; we'll never be able to do this!" And the salespeople, of course, says "Never fear, dear friends! We'll deliver crappy software and then eventually drop a Service Pack to cover our sloppy tracks!"

The result, of course, is that code gets duplicated, ending up in things like Vista being overinflated to the point of ridiculousness.

Did you know, for instance, that Windows98 was simply a fix for Windows95?

- But, of course, Microshaft had you pay for it. Same with Vista. Vista is simply an incredibly sloppy fix for XP, with more bells and whistles that can break, where MS expects you to pay for software which simply fixes and patches the crap you paid for a few years ago, in any case.

[C1ay]

CoumputerWorld UK said:

The majority of IT professionals worry that migrating to Windows Vista will make their networks less stable and more complex, according to a new survey.

Ninety percent of 961 IT professionals surveyed said they have concerns about migrating to Vista and more than half said they have no plans to deploy Vista.

"The concerns about Vista specified by participants were overwhelmingly related to stability. Stability in general was frequently cited, as well as compatibility with the business software that would need to run on Vista," said Diane Hagglund of King Research, which conducted the survey for systems management vendor Kace. "Cost was also cited as a concern by some respondents."

The survey, echoing one from Forrester last week, shows most IT professionals are worried about Vista and that 44% have considered non-Windows operating systems, such as Linux and Macintosh, to avoid the Microsoft migration.

More here...

Vista reminds me of the problem that Ford had with the tires on its Explorer series....