Vista Will Foil Office File-Format Attacks

Users updating to Windows Vista will be protected from the kind of attacks that plagued Office users this summer, when a slew of unpatched Word, Excel, and PowerPoint bugs were exploited by hackers suspected of operating from China.

Thomas Dullien, chief executive and head of research at the reverse-engineering tool developer Sabre Security, kicked off the discussion in his blog, where he noted that Vista's Address Space Layout Randomization will make file-format attacks moot.

"Client-side bugs in MS Office are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots and will at some point start to smell," said Dullien, who also goes by the nom de plume "Halvar.Flake." ASLR, which has been used in the Unix world for over a decade, stymies some kinds of exploits, notably those that rely on memory manipulation, by arranging key data areas randomly in the available address space. Microsoft's debut of the technique will be in Windows Vista.

"ASLR should be more effective at blocking the kinds of attacks on Office seen this year," agrees Oliver Friedrichs, director of Symantec's security response team. "It will make exploitation of memory management vulnerabilities much more difficult. Even if a developer makes a mistake in coding memory management, it shouldn't manifest itself in an exploit."

Although Office users may be better protected against file-format exploits when running Vista, those who rely on other applications may not, warns Friedrichs. "Third-party software may still be susceptible to these kinds of attacks," he says, since developers have to explicitly compile ASLR capabilities into their products.

Nor will ASLR and other security technologies new to Windows in Vista stop all attacks. In fact, the rise of attacks that don't rely on vulnerabilities but that depend on so-called "social engineering" tactics to trick users into opening malware or visiting malicious Web sites can be directly traced to improvements in Windows XP that are being expanded upon by Vista.

"Vista will not mean the end of malicious code," Friedrichs says. "Stack and heap protection will make an impact, but attackers will learn to work within the confines of Vista. Windows XP already introduced some of these [defensive] technologies, and one can make a correlation between the decrease in the number of widespread worms and [security] improvements in Windows XP SP2." As Vista rolls out new security technologies, cyber criminals will simply continue to shift their points of attack. "Attackers are moving up the application stack because they're being pushed out of the operating system," says Friedrichs. "They're now moving up the application stack and to the Web layer.

"And as for Vista's overall impact, I can't speak to that yet," concludes Friedrichs. "It will be more effective at blocking some kinds of current attacks, but I suspect there will be whole new areas [for attackers] to explore."

Microsoft plans to launch Windows Vista, as well as Office 2007, in the United States at a New York City event Thursday.