PaulSpoerry.com

You found me… insights on technology, philosophy, Windows, hacking and more.

Unstoppable Vista Hack Created

August 11, 2008

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others. Essentially, they’ve figured out a way to hack Vista using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

They indicate that they have revealed a fatal flaw in Windows Vista, one that potentially blows the OS wide open in a way that cannot be fixed. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.

Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process’s stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd’s and Sotirov’s methods, it would be of no use.

“This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,” Dai Zovi said. “If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they’re safe because they’re .NET objects, you see that Microsoft didn’t think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.”

They go on to imply that the approach can also potentially be applied to other operating systems such as Windows XP and Mac OS X (but not with this specific technique).

Read more at TechTarget or TrustedReviews


Firefox gaining - set for 20% browser share before July?

June 4, 2008

Net Applications published some interesting data about Mozilla’s Firefox in this month’s newsletter. Specifically, they’re projecting that users of the world’s favorite alternative browser will account for 20% of all web traffic sometime in July.

“Net Applications Global Internet Usage Market Share for May 2008 shows Firefox gaining more momentum,” said Vince Vizzaccaro, executive vice president, marketing. “Firefox market share for May was 18.41% up from 17.76% in April. If recent trends continue, Firefox should achieve 20% market share some time in July.”

[Chart: Firefox market share. Source: Net Applications]

It’s all in the timing

However, with Firefox 3 RC 1 already in circulation and the full release expected soon, Mozilla may be able to steal a march and shoot past 20% before the end of June.

Firefox 3 RC 1 has been my browser of choice; I love the thing. Already, prerelease versions of Firefox 3 account for close to 1% of web traffic as measured by Net Applications.

Lastly, SpreadFirefox.com is planning a major marketing push for the release of Firefox 3 with the Download Day 2008 promotion, whereby backers hope to break the single-day record for the number of downloads for a single piece of software.

Whereas Firefox growth to date has been slow and steady, it seems to me that the time may be right for a major surge in adoption.


Opera: Browser market is broken—thanks to Microsoft

February 21, 2008

With recent news about Internet Explorer 8’s imminent beta, Microsoft’s long and checkered history with web standards compliance has been hurled back into the harsh, unflattering spotlight. Even though IE8 will have a new “standards compliant” mode, it won’t be perfect, stirring up a new wave of grumbling about Microsoft’s attitude and position in the browser market.

Opera CTO Håkon Wium Lie has weighed in with a new editorial at The Register about “How to fix Microsoft’s browser issues.” He begins by stating that because of Microsoft’s monopolistic practices, no real browser market exists, and the company doesn’t feel the need to actually listen to its users. “A monopoly doesn’t have to consider its customers’ wants or needs. In a functioning market, vendors must consider such things in order to compete successfully. But the market isn’t functioning,” Lie wrote.

Lie has a number of suggestions for Microsoft that he believes would improve both the IE experience and the overall browser market. For one, he says that IE needs to support Acid2 and Acid3 by default—without requiring users to select standards mode first—and that Microsoft should commit to supporting the underlying specifications of the Acid tests. He also demands a publicly-available set of documentation for exactly which standards IE uses, limitations, bugs, and extensions.

Finally, Lie calls for an end to mode switching in the future and a commitment to interoperability. “If two or more major web browsers, in official shipping versions, add standards-related functionality that’s generally considered useful to the progress of the web, and described in a publicly available specification, Microsoft must add the same functionality,” he said.

