About all those fancy security measures Microsoft put into Windows Vista… well, they’re now pretty much useless, according to security experts from IBM and VMware presenting a new attack methodology at this week’s Black Hat security conference.
The details of the latest attack are complicated to explain, but they essentially outline ways to use .NET, Java, and Microsoft’s ActiveX system to bypass Vista’s security via a web browser. Any browser can be used, but Internet Explorer makes the security bypass even easier, letting an attacker insert data into a running machine at any place he chooses. The researchers note that the attack doesn’t exploit any new vulnerability in Vista but rather takes advantage of the architecture of the OS and the way Windows tends to trust code fragments. In broad terms, if one component of Windows trusts a piece of code, for example, and passes it on to another component, then that second component will often automatically trust the code too, and so on. Browsers are increasingly being seen as the easiest “way in” for malware.
