Well if you run IE7 on XP2 as an Administrator (as most people do), then you have no ability to prevent an attack that takes advantage of a buffer overflow vulnerability. Basically, if you run ANY program on XP2 as an Administrator that access the Internet, same problem. (I plead ignorance with regards to Vista.)

If the buffer overflow vulnerability exists (not so rare) AND you run as administrator (very common) AND the attacker takes advantage of it, then they can execute arbitrary code on your computer...whether it's to install a virus, a trojan, keystroke logger, et. al.

The only protection from this attack vector is an active AV program that detects the installation of said virus, trojan, keystroke logger, et. al. onto your file system. And even this is not 100% effective as the malware that is installed may be a 0 day exploit that is undetectable by the AV software. So, yes, common sense is the best defense...just don't browse to sites that you don't fully trust.

And, no, I don't have to ask Tim, i used to work with him.

I shouldn't have refed to it as a JPG Flaw. I am refering to the WMF Expliot. Here is some info.

http://en.wikipedia.org/wiki/Windows..._vulnerability

Here is an emulation of the infection.

http://www.youtube.com/watch?v=WTBcDJ9kJH4

We ran the same emulation and went to one of the same sites and it happens just that fast. Microsft fixed the flaw pretty quick but there was still a 1 week window where there was no 100% fix for the problem.

Matt

Well, I learned a bit. I misinterpreted the IE7 sandbox as an actual virtual machine that was completely detached from the OS. It might as well be though, since IE7 cannot access anything but its own temp folder without explicit permission given.

What I meant with the SP2 comment was running things from IE6/7 requires user permission.

I did not know that 32-bit Vista also limits kernel access. I thought that was one of the bonuses to running 64-bit.

A virus that just screws up a local user is kind of a silly virus, and an annoyance at best, since to get rid of it you could just log on as a different user and delete the infected user. Hence I think UAC does a great job.


It's been a while since I've done programming that can result in a buffer overflow (I'm coding in VB6/.NET now, and Java before that...haven't done C/C++ since 1999) but doesn't an error message show and the program crash when a buffer overflow occurs? If some trojan is already on your machine to take advantage of that, then you already downloaded something you shouldn't have. Someone correct me if I'm wrong here.

I forgot to check this thread over the weekend, so if you all really want me to, I'll go and run an Avast scan tonight.

At the end of the day, common sense rules the day and protects you against all but the most clever of viruses. If the unlikely day comes when I've been infected beyond repair from a virus, then I'll simply reload the machine and restore my files from the latest backup I've made.

C/C++ does not perform any sort of bounds checking on memory access. Therefore if your process owns the memory you can scribble on it all you want. This is true on all platforms. The only way your program will crash at the moment of a buffer overflow is if you access memory that is not mapped into your process address space.

There are two basic types of buffer overruns - stack based and heap based.

A stack buffer overrun is the simpler overrun to exploit. The reason is because you are scribbling on the return address in the call stack and in most cases you know your actual memory location and/or the neighboring data. IOW, you get to redirect the code to whereever you want. Having said that, this is still not actually *that* easy to pull off. Most of the so-called script kiddies are a joke and couldn't exploit one of these flaws to save their life - much less uncover one. This stuff is not simple at all - most folks can't do much more than make a program crash (trust me, that's not impressive), actually compromising user data is something very few developers are clever enough to pull off.

A heap buffer overrun is much more difficult to exploit. It requires you to devise an exploit than can be invoked from an unpredictable location in memory with no guarantees of the neighboring data in memory.

Ah yes, I was thinking of page faults. I used to get those all of the time when I was starting out with arrays in C++.

That brings up something else, is it possible to redirect a program to a section of memory that it doesn't own with a stack overflow exploit?

Not really. As soon as you attempt to jump to that location you will get an access violation. The only way to make that happen would be if you had a cooperating kernel component that was handling access violations and doing something special. And if you already have buggy and/or nefarious code running in the kernel you are so screwed.

If you are running as administrator, IE7 can do anything on your computer.

not really sure what you mean here. IE6/IE7 can do anything that the logged in user can do (which is everything if you're logged in as the administrator as most people are)

you have things backwards here. a buffer overflow attack is how an attacker will install a trojan (or other malware) onto your system. it's an attack vector for your computer to get owned.

with all due respect, if you don't have AV software, you would have no idea that you've been infected with the more serious type of malware, as they're designed to not call attention to themselves (e.g., keystroke logger). The only way you would have an inkling that you were hacked into is to discover that your bank account is drained.

Read my previous posts. I'm referring to IE7 in Protected Mode, which has fewer privileges than even a standard user.
SP2 added in the Allow/Deny choice when installing and running embedded controls on a website.
As Tim described, you have to be really in trouble for an overflow attack to work, since a page fault/access violation would normally occur.
If someone really wants to go to the trouble of getting me to install something that contains a key logger and I don't notice it running (I frequently check the list of running processes...not sure if you can hide something from that list), and it somehow gets through all of the security features in Vista/IE7, then they deserve what they can get. I imagine most criminals tend to rely on phishing sites to get access to bank accounts. Any anyway, my bank's website is read-only, so all they could do would be check my balances and transaction history.

I'll stick with what I've done for the past 16 years and not put resource-hogging realtime virus scanners on my machine.

You are assuming IE7 runs without buffer overflow vulnerabilities. If there is a buffer overflow vulnerability AND you are running as administrator, it is immaterial what features IE7 was coded with. A buffer overflow attack allows ARBITRARY code to run as administrator. This includes wiping your C:\ drive or installing any piece of software that the attacker wishes. I'm not sure how much more clearly i can explain that.

Wrong. You only have to be running a program that someone hasn't completely tested 100% for buffer overflow vulnerabilities...which includes IE6/IE7 and most probably every single application your computer. A buffer overflow will NOT trigger a page fault/access violation. The o/s has NO IDEA whether it is returning to code written by the application developer or code written by the attacker since the return address has essentially been hijacked.

fine. that is your choice, but you really shouldn't be spreading incorrect information around in defense of your personal choices.

Please read up on Protected Mode and UAC. It doesn't matter if the code isn't part of IE7. If the process it's running under doesn't have even standard user permissions, it can't access unauthorized locations, period.
The application is allocated a certain amount of memory. If a location outside of that area is accessed, the OS says "hold on a minute, you can't do that." and shows an error. The OS would have to be modified to allow this access.
I'm just trying to explain why I feel safe not running antivirus software.

You are both right. If IE7 is actually running with an administrator process token then you are vulnerable (what George says). However, when IE7 runs in protected mode it is run with a highly restricted token that basically only has the privileges to write to the internet file cache and is therefore not capable of wreaking havoc on the system (what Spivonous says).


A buffer overrun CAN absolutely trigger a page fault - this is extremely common for larger blocks of memory that end up being page allocs rather than sub-page heap based allocs.

Yep.

If your system is compromised you have no way of knowing if that list is accurate.

Tim, do you run an antivirus program at home? Why/why not?

i'm not talking about heap allocations/heap overrun attacks.

maybe i'm missing something, but there is nothing sacred about the stack. if the attacker successfully overwrites the stack with his own arbitrary code and sets the return address correctly, the attacker has basically succeeded in getting the user (typically administrator) to run his arbitrary code.

perhaps ie7 protected mode mitigates against arbitrary code running as a privileged user, but certainly not all your applications that get input or process files from the internet do (iTunes, Windows Media, Outlook, Outlook Express, RealPlayer, Adobe Flash, Adobe Acrobat Reader, MP3 players, etc...).

http://www.jcfonline.com/forums/show...00#post1111567