Part 1 - Local Network

Jul 29, 2006 15:57 GMT  ·  By

Nine billion dollars reportedly went into Vista's development, and that money has pushed a large amount of new technology into the core of the operating system. A recently published report signed by Symantec questions the security of this new code, with emphasis on network-related protection. Symantec identified and analyzed the changes to Vista's network services and networking stack, along with changes to core application protocols, and drew conclusions about how exposed the operating system is to attack from the network.

With Vista, the Redmond company had the chance to address security at an early stage of development, and Microsoft has stressed on numerous occasions that security measures sit at the heart of Vista. Even so, Symantec set out to diagnose the new platform, offering insight into Vista's defenses while focusing on design flaws introduced by the sheer volume of new code in the operating system.

The TCP/IP stack was rewritten from scratch as a dual stack supporting both IPv4 and IPv6. Vista also adds new protocols: one for discovering the topology of the local network (the pattern of interconnection between nodes), one for server-less peer name resolution (PNRP), and an IETF-standard mechanism for Network Address Translation traversal (Teredo). Microsoft also redesigned the Server Message Block file sharing protocol, producing the revamped SMB2.

Symantec tested how Neighbor Discovery (ND) and the Address Resolution Protocol (ARP), the protocols that map IP addresses to the physical (link-layer) addresses of nodes, behave when confronted with redirection attacks. Ethernet, PPP and PPPoE were left aside, but the Link Layer Topology Discovery protocol was tested precisely because it is still undocumented. ARP resolves IPv4 addresses at the link layer and is vulnerable to a redirection attack: a forged ARP packet announcing an address change causes the target host to send its subsequent packets not to their intended destination but to a node the attacker controls. This works because Vista lets an unsolicited ARP packet overwrite an existing ARP table entry or create an entirely new one. Confronted with an address conflict, that is, an ARP packet announcing an IP address identical to the host's own, Vista crashes the networking stack interface, according to the report.

Neighbor Discovery, the IPv6 counterpart of ARP, is susceptible to the same kind of redirection via spoofed ND replies sent while the host is legitimately soliciting a neighbor's address. The attack exploits the timeout of ND table entries and the way the ND module handles addresses in the Probe phase. Both ARP and ND operate only on the local link, so they cannot be exploited remotely; the attacker must already be on the local network.
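The ARP behaviour described above, as an added example that is not part of the Symantec report or of Vista's code: a small model of a host's ARP cache fed with raw Ethernet/ARP frames. It flags the three conditions the paragraph describes (an unsolicited reply creating a new entry, a reply overwriting an existing binding, and a packet claiming the host's own IP) and contrasts the permissive cache with a hardened one that only learns from replies answering its own requests. All addresses, MACs and frames are constructed for the example; the same solicited-only policy applies to an IPv6 neighbor cache fed by Neighbor Advertisements, which this example does not parse.

```python
"""arpwatch-style monitor over raw Ethernet/ARP frames (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet/ARP frame; used here only to construct sample traffic."""
    src = bytes.fromhex(sender_mac.replace(":", ""))
    tgt = bytes.fromhex(target_mac.replace(":", ""))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tgt
    eth = dst + src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += src + bytes(map(int, sender_ip.split(".")))
    arp += tgt + bytes(map(int, target_ip.split(".")))
    return eth + arp


class ArpMonitor:
    """Model of a host's ARP cache. strict=True only learns from replies to its own requests."""

    def __init__(self, my_ip: str, my_mac: str, strict: bool = False) -> None:
        self.my_ip, self.my_mac, self.strict = my_ip, my_mac, strict
        self.cache: Dict[str, str] = {}
        self.pending: Set[str] = set()  # IPs we have sent a request for and not yet resolved
        self.alerts: List[str] = []

    def request(self, ip: str) -> bytes:
        """Record an outgoing request so a later reply can be matched to it."""
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, "00:00:00:00:00:00", ip)

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        # Any packet (request or reply) claiming our IP with another MAC is an address conflict.
        if pkt.sender_ip == self.my_ip and pkt.sender_mac != self.my_mac:
            self.alerts.append(f"conflict: {pkt.sender_mac} claims our IP {pkt.sender_ip}")
            return
        if pkt.op != ARP_REPLY:
            return
        old = self.cache.get(pkt.sender_ip)
        solicited = pkt.sender_ip in self.pending
        if old is None and not solicited:
            self.alerts.append(f"unsolicited: new entry {pkt.sender_ip} -> {pkt.sender_mac}")
        elif old is not None and old != pkt.sender_mac:
            self.alerts.append(f"changed: {pkt.sender_ip} {old} -> {pkt.sender_mac}")
        if self.strict and not solicited:
            return  # hardened policy: never let an unsolicited reply create or overwrite an entry
        self.cache[pkt.sender_ip] = pkt.sender_mac
        self.pending.discard(pkt.sender_ip)


def demo(strict: bool) -> Tuple[Dict[str, str], List[str]]:
    """Replay constructed traffic: a real gateway reply, a spoofed one, a stray reply, a conflict."""
    host = ArpMonitor("192.168.1.10", "aa:aa:aa:aa:aa:aa", strict=strict)
    host.request("192.168.1.1")
    host.observe(build_arp(ARP_REPLY, "11:11:11:11:11:11", "192.168.1.1", host.my_mac, host.my_ip))
    host.observe(build_arp(ARP_REPLY, "66:66:66:66:66:66", "192.168.1.1", host.my_mac, host.my_ip))
    host.observe(build_arp(ARP_REPLY, "66:66:66:66:66:66", "192.168.1.50", host.my_mac, host.my_ip))
    host.observe(build_arp(ARP_REQUEST, "66:66:66:66:66:66", host.my_ip, "00:00:00:00:00:00", host.my_ip))
    return host.cache, host.alerts


if __name__ == "__main__":
    for mode in (False, True):
        cache, alerts = demo(strict=mode)
        print("strict" if mode else "permissive", cache, alerts, sep="\n  ")
```

In permissive mode the spoofed reply silently replaces the gateway's MAC and the stray reply plants a new entry, which is exactly the redirection the paragraph describes; in strict mode both are logged but neither reaches the cache. The conflict check fires on requests as well as replies because a gratuitous ARP claiming the host's own address is usually sent as a request.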

The Link Layer Topology Discovery (LLTD) protocol is a component designed to provide topology information about hosts on the local network. Symantec found that LLTD's link-saturation (bandwidth probing) function can be exploited to make a host generate packets with attacker-chosen source addresses, so the host produces traffic on the attacker's behalf, a pattern typical of denial-of-service attacks. LLTD is an undocumented protocol introduced by Microsoft with Vista and consists of a client program and a kernel-mode responder driver. The responder is configured during installation and runs by default, while the client (the mapper) generates a network map only at the user's explicit request. Because no public documentation of LLTD exists, Symantec could identify only part of the protocol's fields and was therefore unable to look for further vulnerabilities.

To be continued?