The upcoming Black Hat Las Vegas presentation 'We have you by the Gadgets' had Microsoft issuing a security advisory. Yet that's not the only attack exploiting Windows that you will be hearing about from hackers' conferences in the coming weeks. Here are a few other Black Hat briefings that may prompt some response from Microsoft.

“Why send someone an executable when you can just send them a sidebar gadget?” We have you by the Gadgets, a talk to be presented at Black Hat in Las Vegas on July 26, had Microsoft issuing a security advisory with a hat tip to “Mickey Shkatov and Toby Kohlenberg for working with us on Gadget vulnerabilities.” Microsoft wrote, “An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” How many people do you think will voluntarily use the Fix It solution to disable Gadgets and the Sidebar?

Yet that’s not the only attack exploiting Windows that you will be hearing about in the coming weeks. A few other Black Hat briefings that may prompt some response from Microsoft include:

On July 25, Matt Miller and Ken Johnson will present Exploit Mitigation Improvements in Win 8:

Over the past decade, Microsoft has added security features to the Windows platform that help to mitigate risk by making it difficult and costly for attackers to develop reliable exploits for memory safety vulnerabilities. Some examples of these features include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++’s code generation security (GS) protection for stack-based buffer overruns.
In Windows 8, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited. This presentation will provide a detailed technical walkthrough of the improvements that have been made along with an evaluation of their expected impact. In closing, this presentation will look beyond Windows 8 by providing a glimpse into some of the future directions in exploit mitigation research that are currently being explored by Microsoft.

Windows 8 Heap Internals will be presented by Chris Valasek and Tarjei Mandt on July 25:

Windows 8 developer preview was released in September 2011. While many focused on the Metro UI of the operating system, we decided to investigate the memory manager. Although generic heap exploitation has been dead for quite some time, intricate knowledge of both the application and underlying operating system’s memory manager has continued to prove that reliable heap exploitation is still achievable. This presentation will focus on the transition of heap exploitation mitigations from Windows 7 to Windows 8 (Consumer Preview) from both a user-land and kernel-land perspective. We will be examining the inner workings of the Windows memory manager for allocations, de-allocations and all additional heap-related security features implemented in Windows 8. Also, additional tips and tricks will be covered providing the attendees the proper knowledge to achieve the highest possible levels of heap determinism.

On July 26, Sung-ting Tsai and Ming-chieh Pan will talk about Exploitation of Windows 8 Metro Style Apps:

Windows 8 introduces lots of security improvements, one of the most interesting features is the Metro-style app. It not only provides a fancy user interface, but also a solid application sandbox environment. All Metro-style applications run in AppContainer, and the AppContainer sandbox isolates the execution of each application.
It can make sure that an App does not have access to capabilities that it hasn’t declared and been granted by the user.

Cesar Cerrudo will talk about Easy Local Windows Kernel Exploitation on July 26:

For some common local Kernel vulnerabilities there is no general, multi-version and reliable way to exploit them. There have been interesting techniques published but they are not simple and/or they do not work across different Windows versions most of the time. This presentation will show some easy, reliable and cross platform techniques for exploiting some common local Windows kernel vulnerabilities. These new techniques even allow exploiting vulnerabilities that have been considered difficult or almost impossible to exploit in the past.

Also on July 26, Tsukasa Oi will present Windows Phone 7 Internals and Exploitability:

Windows Phone 7 is a modern mobile operating system developed by Microsoft. This operating system — based on Windows CE 6 — protects the system and the user by modern sandbox and secure application model. These security models are veiled and were difficult to uncover but we succeeded in analyzing and inspecting not well-known Windows Phone 7 security internals by comprehensive reverse engineering. This operating system is properly implemented which makes exploitation and privilege escalation extremely difficult. However, it does not mean exploitation is impossible. Even the sandbox can be breached on some latest Windows Phone 7.5 devices. The first topic is Windows Phone 7 security analysis. In this presentation, I will talk about how we analyzed the system and how Windows Phone 7 looks secure/unsecure along with examples. The second topic is customizations by third-party vendors. Windows Phone 7-based devices by some vendors have special interfaces for system applications.
Some interfaces, however, make subverting the sandbox easier because of various design/implementation issues such as directory traversal and improper privileged op.

That may not be all, but that’s it for now.

Follow me on Twitter @PrivacyFanatic