Slashdot Mirror


Defeating XP SP2 Heap Protection

hobo2k writes "XP SP2 included canary values and hardware-implemented execution protection in order to avoid exploitable buffer overruns. Now Positive Technologies has released an article describing one way that protection could be bypassed. To solve the problem, they provide a program which disables the small allocation heap as described here. CNET reports that SP2 has been foiled."

8 of 242 comments

  1. Re:NX bit? by Anonymous Coward · Score: 3, Insightful

    The program disables the small allocation heap (meaning that the 1016 bytes of exploit code would be loaded into some other heap), which leads me to believe that perhaps the NX bit was only set for the small allocation heap pages. This will probably get fixed pretty quickly.

  2. Re:And this by archen · Score: 3, Insightful

    I'm surprised about the reporting that SP2 has been "foiled". SP2 is supposed to be a step to make XP more secure, not invincible. There's a lot more to SP2 than the heap protection.

  3. I wonder.... by futuresheep · Score: 3, Insightful

    I wonder what Nick McGrath's opinion on this is, and who is HE holding accountable?

  4. Re:And this by ScrewMaster · Score: 4, Insightful

    Yeah. A bit sensationalist, I suppose. And SP2 did live up to the ideal of making Windows more secure, but the typical user mentality operates more in the realm of absolutes. "I want perfect security, and SP2 isn't perfect so therefore it's useless." Good security is a process, a continuing evolution, and that's true no matter what OS you use. Would I plug an XP SP2 box right into my cable modem? Not unless I was setting up a honeypot. But it is an improvement.

    --
    The higher the technology, the sharper that two-edged sword.

  5. Re:This is way wrong. by jschottm · Score: 4, Insightful

    This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.

    The CNET article states that they didn't report it to Microsoft until Dec 22, which is close enough to the holidays that a substantial part of many businesses' staff is out until the 1st of Jan.

    Anything that modifies core memory access/rights such as this needs extensive testing. It's most likely an easy fix, but you should be well aware of the outrage that would occur if they released a fix that ended up breaking things. Recall the rushed fix to OpenSSH that was distributed only to be replaced days later with a proper fix, leading to all manner of confusion as to which versions were vulnerable and not?

    Given that this is a relatively minor problem - the attacker would have to have another successful attack vector to be able to use this - I'm glad Microsoft is [theoretically] taking the time to do this right. If you're really that worried about it, you can run the software provided by a mostly unknown Russian company that they freely admit will affect the system negatively. And pray that there are no bugs in their code and that it's not malicious...

  6. Re:i know the drill by eomnimedia · Score: 3, Insightful

  7. Re:Fixed Quickly? by peasleer · Score: 3, Insightful

    Don't make it sound like Linux is problem free either. Just this morning, *11* Linux kernel vulnerabilities were posted to SecurityFocus. Yes, the number of vulnerabilities in Linux has historically been fewer, but no operating system is perfect. Windows does what it does well: providing a stable (yes, XP is stable) operating environment for beginning to advanced users.

    --
    Mythos : Logos :: Slashdot : Intelligence

  8. Re:Fixed Quickly? by TelJanin · Score: 3, Insightful

    And how long will it take to fix the Linux problems, compared to the Windows problem described in the article?

    The Linux way of fixing things:
    1) Discover there is a problem
    2) Send a patch to kernel maintainers
    3) Kernel is patched

    The Windows way of fixing things:
    1) Discover problem
    2) Tell Microsoft
    3) Two months later, when Microsoft has done nothing, tell the world
    4) Possibly get sued by Microsoft (if MS can sue a Russian company)
    5) After several viruses have exploited the vulnerability, Microsoft makes a patch that won't install correctly.