Next Page >>
Windows Vista SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 SP2 for Itanium-based systems
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 x32
Windows Server 2008 x32 SP2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista SP 1, and Windows Vista SP 2
Windows Vista x64 Edition, Windows Vista x64 Edition SP 1, and Windows
Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
. Internet Explorer 6sp2 on Windows XP sp2
. Internet Explorer 6sp2 on Windows XP sp3
. Internet Explorer 7 on Windows XP sp2
. Internet Explorer 7 on Windows XP sp3
. Internet Explorer 7 on Windows Vista sp1
. Internet Explorer 7 on Windows Vista sp2
. Internet Explorer 7 on Windows Server 2003 sp2 if
Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 i
if Protected Mode is OFF and
not using Enhanced Security Configuration
As somewhat indicated in the paper itself, these types of physical DMA attacks are possible against any PC-based OS, not just Windows. If that's true, why is the paper titled around Windows Vista?
I guess it makes headlines faster. But isn't as important, if not more important, to say all PC-based systems have the same underlying problem? That it's a broader problem needing a broader solution, instead of picking on one OS vendor to get headlines?
[Disclaimer: I'm a full-time Microsoft employee.]
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@abegetchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
-----Original Message-----
From: Abe Getchell [mailto:me@abegetchell.com]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@securityfocus.com
Subject: RE: Windows Vista Power Management & Local Security Policy
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?
--
4.1. *Vulnerable platforms*
. Microsoft Windows 2000 up to and including Service Pack 4
. Microsoft Windows Server 2003 up to and including Service Pack 2
. Microsoft Windows XP up to and including Service Pack 3
. Windows Vista up to and including Service Pack 1 (not exploitable
with IE running with Protected mode on)
. Windows Server 2008
5. *Non-vulnerable packages*
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@abegetchell.com; Jim Harrison; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first
> place rather than worrying about the power switch nonsense? This is
forging a trap frame.
The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().
--------------------
Affected Software
Application: Microsoft Outlook Express
Microsoft Windows Mail
Platforms: Windows 2000
Windows XP
Windows Vista
Windows server 2003
Windows Server 2008 SR2
Exploitation: Remote Exploitable
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************
/usr/lib/vmware/settings
(Note that "settings" is the file name, not another directory name.)
On Windows (except Windows Vista), the default pathname for this file is:
C:\Documents and Settings\All Users\Application
Data\VMware\VMware Workstation\settings.ini
/usr/lib/vmware/settings
(Note that "settings" is the file name, not another directory name.)
On Windows (except Windows Vista), the default pathname for this file is:
C:\Documents and Settings\All Users\Application
Data\VMware\VMware Workstation\settings.ini
Microsoft VISTA TCP/IP stack buffer overflow
Summary
-----------------------------
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
Affected Systems
-----------------------------
Using the sample program it was possible to verify this issue on following operating systems and configurations:
> -----Original Message-----
> From: Abe Getchell [mailto:me@abegetchell.com]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> As stated in my original e-mail to the list, I definitely don't think
> that
> this is a security vulnerability in a traditional sense. I completely
> agree
3. *Vulnerability Description*
Windows Movie Maker is a video creating/editing software, which is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.
A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.
While this scenario is usually blocked on default VMware Tools'
installations on Windows XP, Windows Vista and Windows 7 due to the
default file system ACLs, a non-administrative local attacker can launch
the attack against virtual machines where VMware Tools were installed on
non-default locations, e.g., on a non-system drive. Additionally, the
attack is always possible on pre- Windows XP systems such as Windows 2000.
* Windows XP (x86) SP3, IE 7
* Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
* Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
* Windows Vista (x86) SP2, IE 7
* Windows Vista (x86) SP2, IE 8
So far, I haven't been able to bypass the mitigation. I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
While 'abo2' is generally considered not exploitable on Windows
operating systems the 'vp_abo2_launcher'[6] proof-of-concept tool shown
below demonstrates that it is indeed exploitable when running in Windows
XP Mode on Windows 7 or an Windows XP SP3 or Windows Vista guest OS in
Virtual PC.
/-----
#include <windows.h>
a cascade of exceptions that culminates in a triple fault (reboot).
Fortunately, the critical window is small, and the exploit can take
steps to reduce these risks, and even relatively reckless exploitation
has proven to be reliable.
Windows Vista x64
As mentioned above, incrementing arbitrary kernel memory is not
possible on Windows Vista x64, because the "INC" instruction of
interest modifies a GS-relative DWORD directly (and therefore can only
increment a DWORD in user GS), rather than dereferencing a pointer
________________________________________________________________________
Vendor: Microsoft Corporation
Product: Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1/ Windows XP SP3
Severity: Moderate
CVE: CVE-2009-1926
________________________________________________________________________
Vendor communication:
a cascade of exceptions that culminates in a triple fault (reboot).
Fortunately, the critical window is small, and the exploit can take
steps to reduce these risks, and even relatively reckless exploitation
has proven to be reliable.
Windows Vista x64
As mentioned above, incrementing arbitrary kernel memory is not
possible on Windows Vista x64, because the "INC" instruction of
interest modifies a GS-relative DWORD directly (and therefore can only
increment a DWORD in user GS), rather than dereferencing a pointer
2. Overwriting arbitrary kernel addresses.
:: Files affected
RTKVHDA.sys < 6.0.1.5605 (32-bit) Windows Vista
RTKVHDA64.sys (signed) < 6.0.1.5605 (64-bit) Windows Vista
:: Credits
Vulnerability discovered and researched by Ruben Santamarta.
1. General Information
Face Recognition feature is provided by Asus, Lenovo and Toshiba as
specialized software that is issued together with their laptops. This
feature is embedded into all laptop families having webcams and supporting
Windows Vista, XP operating system. Owners of laptops benefiting from this
technology do not have to type in their passwords or use their fingerprint
but to sit in front of their laptops to login.
Face-recognition is introduced by these vendors as a remarkable feature
which helps prevent unauthorized people breaking into laptops and ensure
Salut, Roger,
On Wed, 5 Mar 2008 16:30:35 -0500, Roger A. Grimes wrote:
> As somewhat indicated in the paper itself, these types of physical
> DMA attacks are possible against any PC-based OS, not just Windows.
> If that's true, why is the paper titled around Windows Vista?
That's very easy: because the specific attack was against Windows
Vista's activation mechanism.
The deficiencies of Firewire with regard to direct memory access have
Some days ago i have discovered a DoS in Windows Vista. Here is the advisory with a detailed description about the vulnerability that will help to Microsoft (they have been already notified about the bug) to correct it as soon as possible, and it will help you if you need to add any rule for your firewall.
Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions, in Vista the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
Correct. Power management in Windows Vista is apparently given a pass to
bypass local security policy, which is a bad thing, and sets a bad
precedence. I will leave it to others to exploit this security issue, given
that I know little about the programmatic aspect of power management in
Windows. There are people out there much more capable than me who, if they
feel it warranted, can research the issue further. I don't consider it, as
Jim Harrison would say, "wasting your time chasing things that 'might lead
to cats & dogs living together in sin'", but rather "security research" and
"sharing information". I don't consider Jim's reaction surprising at all,
though, as he works for Microsoft.
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Saturday, July 19, 2008 1:36 AM
> To: 'me@abegetchell.com'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> Abe,
>
> Other than a denial-of-service from the console (is the power switch
> now a security vuln, too?), what can you do with this bug? It's
heap. But, what is that pointer? Why does it increment everytime I press
the button? Let's see the technical analysis:
Inside CWindow's constructor (mshtml's standard) a variable "IDEvent",
is initialized to 1
Module: mshtml.dll Vista SP2
.text:7403EC0A mov dword ptr [ecx+30h], 1 ;
TimerID_Counter = 1
Next Page>>
|
