Windows security has always been pockmarked <br><br><div><span class="gmail_quote">On 4/1/07, <b class="gmail_sendername">George Ou</b> <<a href="mailto:george_ou@lanarchitect.net">george_ou@lanarchitect.net</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">"<a href="mailto:ad@heapoverflow.com">ad@heapoverflow.com</a> said:<br><a href="http://www.milw0rm.com/exploits/3634">
http://www.milw0rm.com/exploits/3634</a><br><br>str0ke told me to test this one and no miracle, it works under Vista and the<br>default DEP settings don't catch it."<br><br><br>Default DEP settings in Windows XP or Vista are worthless since it's off for
<br>all applications including IE7. I tested with DEP always-on and it crashed<br>IE7 and the exploit failed.<br><br>Note that when you manually launch an HTML from your hard drive, Protected<br>Mode is turned off because your HDD is considered a trusted source whereas
<br>the public Internet is not. If I had tried to browse a webpage with this<br>exploit, protected mode would have been turned on. I also had to manually<br>bypass the ActiveX warning to get the exploit to run and even then it
<br>crashed with my fully-on DEP settings with hardware-enforcement.<br><br>I don't really feel like turning off my DEP settings on my Vista machine<br>though I have a feeling that UAC would prevent it from rooting my system
<br>though it could probably damage my files if it were coded to do that. But I<br>had to go out of my way to get this exploit to run by manually downloading<br>the zip and manually enabling the ActiveX control just to get it to crash my
<br>browser.<br><br>So I think it's fair to say that hardware-enforced fully-enabled DEP will<br>defeat the ANI exploit (in the current generic state) all by itself.<br>Protected Mode would have also mitigated the ANI exploit to a low-risk state
<br>that is non-persistent as soon as IE is closed.<br><br>So with protected mode turned off, DEP not fully enabled (or missing NX<br>hardware), the ANI exploit would be able to compromise the local user<br>profile and data but it would still need to get around UAC if it wants to
<br>put a backdoor in Vista.<br><br><br><br>George<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br><a href="http://www.goldwatches.com/watches.asp?Brand=39">
http://www.goldwatches.com/watches.asp?Brand=39</a><br><a href="http://www.wazoozle.com">http://www.wazoozle.com</a>
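A defender-side check of the settings George's message leans on, added here as an example and not part of the thread: it reads the system-wide DEP policy and NX availability from WMI (Win32_OperatingSystem) and the Internet-zone Protected Mode flag, and warns when the out-of-the-box OptIn policy is in place, which is the state that leaves IE7 running without DEP. It assumes a Vista-era Windows host with PowerShell; bcdedit, the WMI properties and the zone registry value are standard Windows names, and the warning text is mine.

```powershell
# Added example (not from the original thread): audit the DEP / Protected Mode
# state discussed above on the local machine. Requires PowerShell on Vista or later.

# DataExecutionPrevention_SupportPolicy values as documented for Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn  (default: only Windows system binaries are covered)'
    3 = 'OptOut (all programs except an exception list)'
}

$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"NX/XD hardware available : $($os.DataExecutionPrevention_Available)"
"DEP policy               : $policy ($($policyNames[$policy]))"
"DEP for 32-bit processes : $($os.DataExecutionPrevention_32BitApplications)"

# Under OptIn, IE7 is not on the opt-in list, so an exploit running inside the
# browser gets no DEP protection. AlwaysOn applies to every process and cannot be
# switched off per application, which is the configuration credited above with
# turning the ANI exploit into a plain browser crash.
if ($policy -ne 1) {
    Write-Warning 'DEP policy is not AlwaysOn; browser processes may run without DEP.'
    Write-Warning 'To change it (elevated prompt, reboot required): bcdedit /set nx AlwaysOn'
}
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No NX/XD hardware support: DEP is not hardware-enforced on this machine.'
}

# IE Protected Mode is a per-zone setting. Zone 3 is the Internet zone; registry
# value 2500 is 0 when Protected Mode is on and 3 when it is off. Files opened
# from the local disk fall into a different zone, which is why a downloaded .html
# runs without Protected Mode even when the Internet zone has it enabled.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone    = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
if ($zone -ne $null -and $zone.'2500' -ne $null) {
    $state = if ([int]$zone.'2500' -eq 0) { 'on' } else { 'off' }
    "Protected Mode (Internet zone) : $state"
    if ($state -ne 'on') { Write-Warning 'Protected Mode is disabled for the Internet zone.' }
} else {
    'Protected Mode (Internet zone) : setting not present (pre-Vista IE, or policy-managed)'
}
```

Protected Mode also depends on UAC being enabled, so a host with UAC turned off reports the zone flag but does not get the low-integrity sandbox the message describes.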