
Is Windows Now Doomed To A New Round Of Attacks?

Submitted by Tharun P Karun on March 5, 2010 – 8:58 am

Windows has enough trouble these days. With the problems in its browser versions, and the general lack of performance of the same, you might think its hands would be full. Oh, and then there’s the protracted war it is fighting with Google, plus the stupid investment in Bing, and the buyout of Yahoo (yes, I know that is not what Ms. Bartz says it is, but let’s face it, when Microsoft gets through with Yahoo, Bartz and company will be standing around like two cents, waiting for change).

Now, according to a story in ComputerWorld, a Google engineer has posted a technique that sidesteps the protection that Data Execution Prevention (DEP) provides, a feature introduced in Windows XP Service Pack 2. DEP keeps injected code sitting in data areas such as the stack and heap from being executed, and Microsoft has relied upon it heavily. Now those “good times” may be over.

The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft’s newer operating systems, researchers said today.

On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker “Skylined” when he posts exploit research, published proof-of-concept code that bypasses DEP, or data execution prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other is ASLR, for address space layout randomization.

DEP prevents malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.

Microsoft introduced DEP in Windows XP Service Pack 2, the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.

“I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms,” said Wever in a post to his personal blog on Monday.

Wever should know about Windows: According to his LinkedIn profile, he worked for Microsoft as a security software engineer from 2006 to 2008.

In 2005, Wever helped popularize “heap spraying,” a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe’s Reader.

“This is pretty significant,” said David Sancho, a senior threat researcher at Trend Micro, when asked to peg the importance of Wever’s demonstration. “This can be used to further enhance exploits, and I expect that we’ll start seeing it being used within exploits fairly soon.”

Will this set a fire under Microsoft? That’s hard to tell, for sometimes Microsoft waits until actual exploits appear rather than being proactive. The one problem we have is a lack of honesty when attacks and bugs appear, because Microsoft has a long history of denying everything until a fix is implemented, and sometimes the problems are never really acknowledged. It’s like Microsoft saying “You know we screwed up, we know that you know, so why admit anything anyway?” Because of this, it has always been hard to tell, without a great deal of searching, how bad any attack or exploit of a mistake has really been.

There have been DEP work-arounds making the rounds, Sancho acknowledged. “But this is generic enough that it will work within any exploit,” he said.

Earlier today, another Trend Micro researcher also predicted that Wever’s disclosure will likely lead to attacks that regularly shove aside DEP’s defenses. “After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique,” said Trend’s Ria Rivera in an entry on the company’s malware blog. “It would thus be not farfetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”

Wever’s new technique requires that ASLR be bypassed as well, but that’s not a solid barrier, said Sancho. Attackers have taken to running their exploit code many times, in many parts of memory, in the hope of one landing in an executable location. “Yes, attacks need to bypass both ASLR and DEP, but [Wever's proof-of-concept] makes it all easier,” Sancho emphasized.

The proof-of-concept that Wever published doesn’t actually do damage, since it is wrapped around an exploit of a bug in Internet Explorer 6 that was patched years ago.

“This exploit targets a bug that was fixed in IE6 in 2005, which explains why it does not affect any recent install,” said Wever in a comment he added to his blog entry. “This release is for academic purpose only, it is not an 0-day that script-kiddies can use to pwn your grandma’s computer.”

From Sancho’s viewpoint, the DEP bypass doesn’t exploit a vulnerability in Microsoft’s code, but rather takes advantage of a design flaw. “Microsoft can fix this, and I have faith they will,” he said.

However, Microsoft declined to say whether it would revamp DEP. Instead, Jerry Bryant, a senior manager with the Microsoft Security Research Center (MSRC), only noted that any bypass technique, including Wever’s, could not compromise a computer on its own, but required an accompanying exploit of an unpatched vulnerability.
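The ComputerWorld explanation of DEP and ASLR above, and Rivera’s mention of return-to-libc, are easier to reason about with the mechanism in front of you. The C program below is an added example for this page: it is not Wever’s proof-of-concept and not Microsoft code, and it is written for Linux rather than Windows, because the no-execute (NX) page protection behind DEP is the same hardware feature on both. It copies a few bytes of machine code that simply return 42 (a stand-in for sprayed shellcode) into a fresh page and shows that calling into it faults while the page is read/write only and succeeds once the page is marked executable. It then shows that a corrupted pointer sitting on a non-executable page, pointing back into code the process already has, goes through untouched: DEP only governs where instructions are fetched from, not what steers the instruction pointer, which is exactly what a return-to-libc chain relies on. All function names, the payload bytes and the return codes are the example’s own; it assumes x86-64 or AArch64 and a POSIX system with mmap/mprotect.

```c
/* Added example (not Wever's PoC, not Microsoft code). Linux/POSIX, x86-64 or
 * AArch64. Shows what DEP (NX) enforces: fetching instructions from a writable
 * page faults; a control transfer into existing code is not DEP's business. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return codes for run_from_data_page(); the example's own convention. */
enum { EXEC_FAULTED = -1, EXEC_MPROTECT_DENIED = -2, EXEC_MMAP_FAILED = -3 };

/* Stand-in for sprayed shellcode: machine code for "return 42". */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char payload[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "this example only carries x86 and AArch64 machine code"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind back into run_from_data_page() */
}

/* Copy the payload into a fresh anonymous page, apply the requested protection
 * and jump to it. With PROT_READ|PROT_WRITE this is the heap-spray situation DEP
 * was built for: the bytes are present, the CPU refuses to fetch them. */
int run_from_data_page(int prot)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return EXEC_MMAP_FAILED;
    memcpy(page, payload, sizeof payload);
    __builtin___clear_cache((char *)page, (char *)page + sizeof payload);
    if (mprotect(page, pagesz, prot) != 0) {     /* e.g. a hardened kernel refusing PROT_EXEC */
        munmap(page, pagesz);
        return EXEC_MPROTECT_DENIED;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);       /* data pointer -> function pointer */
        result = fn();                       /* instruction fetch from the page */
    } else {
        result = EXEC_FAULTED;               /* NX violation arrived as SIGSEGV */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

/* Code already executable in the process image: the kind of target a
 * return-to-libc chain points at. */
int existing_code(int x)
{
    return x * 2;
}

/* The attacker controls only data: a pointer stored on a non-executable page.
 * DEP has no objection because the fetch lands in the text segment; knowing
 * that address is the attacker's remaining problem, which is what ASLR attacks. */
int run_via_existing_code(int arg)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int (**slot)(int) = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (slot == MAP_FAILED)
        return EXEC_MMAP_FAILED;
    *slot = existing_code;        /* the "corrupted" pointer */
    int r = (*slot)(arg);         /* control transfer succeeds */
    munmap(slot, pagesz);
    return r;
}

int main(void)
{
    printf("rw page : %d (expect -1: DEP/NX blocked the fetch)\n",
           run_from_data_page(PROT_READ | PROT_WRITE));
    printf("rx page : %d (expect 42, or -2 if PROT_EXEC was refused)\n",
           run_from_data_page(PROT_READ | PROT_WRITE | PROT_EXEC));
    printf("ret2code: %d (expect 42: DEP does not apply)\n",
           run_via_existing_code(21));
    return 0;
}
```

Build and run with an ordinary compiler invocation (`cc -o dep_demo dep_demo.c && ./dep_demo`, an assumed file name). The first call returns -1 on any machine with NX enabled; the second returns 42, or -2 on kernels that refuse to make a writable mapping executable. The third call always returns 42, and that is the whole story behind Sancho’s remark: once the attacker can steer a pointer into code that is already there, DEP has nothing left to block, and the only remaining obstacle is finding that code’s address under ASLR.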

And so the problem is not an immediate one, which is why Microsoft will not do anything right now, giving the bad guys a chance to do lots of damage. A history of being just good enough and leaving things as they are is what sets Microsoft apart from some other companies, so it will certainly be a race among the bad guys to see who can compromise the Microsoft code first. After a few exploits are shown, Microsoft will do something about this.

Do you ever wonder how many unpatched copies of Internet Exploder 6, not updated in years, are still out there? It’s not a far-fetched idea, as many people were upset when the automatic download of SP2 for Windows XP hosed their computers; they repaired the problem and turned off auto-updates forever.

Each time Microsoft releases something that messes with the normal working of a person’s computer, the chances of updates being dismissed as evil go up. I know many people who, after XP SP3 hosed their machines with a rebooting binge, have turned off updates permanently and swear that all will be fine forever.

Not a good excuse, but one that is used in a wide number of cases.

by the oracle at Lockergnome
