Spudz777 wrote:
Buffer overflow vulnerabilities are prevalent in Windows releases.
They are not common. They do happen, but they are not common, especially with today's technology. Especially in the core operating system -- in fact, I have never heard of a single case of a buffer overflow in the core operating system of Windows XP. There was a case of a buffer overflow in the "Plug n Play" service, which would allow administrator-level access to the entire system, but that service is not the core operating system, and would certainly not give you access to the index of system files, if they are stored in RAM as I am assuming.
Spudz777 wrote:
Unless you'd like to say that Microsoft programmers don't make big mistakes? Granted, taking advantage of such a vulnerability is more difficult when that area in RAM is looked after directly by the OS, but it's far from uncommon.
If the vulnerability existed, it would have to be in the portion of the operating system responsible for the index maintenance and querying, and if that vulnerability existed, it would matter little where in RAM the list is.
Spudz777 wrote:
If it's only "shuffling" the system files, then it wouldn't be as bad a performance hit once the index is created, only a couple extra RAM reads whenever a system file is needed, so I can see how that would work.
In order to execute a successful buffer overflow attack, all a program needs is knowledge of where in RAM it is running, where in RAM its target is, and (possibly, depending on what it's trying to accomplish) the ability to masquerade as a system process.
That is not how a buffer overflow works at all. A buffer overflow happens when you are asked for input by a routine, and provide too much or incorrect input that causes an internal array to go out of bounds.
Spudz777 wrote:
Most OSes don't mind if a program tries to read outside its own memory space, so in this case, it would only need to read the index file, pick out the files it wants to delete, modify, copy, etc., then use system calls (as an already running system service) to do whatever to the files directly. This may be easier said than done, depending on how Vista sets up security, but the idea is quite simple, and very successful.
DOS didn't care. Every operating system since will throw an exception at you, terminate your program, and ask if you would like to send a report to Microsoft. Oh, and that is if you somehow get out of the virtual memory mode all programs run in (they get their own address space, completely independent of all other running programs).
Well, maybe you're right -- maybe they abandoned the whole "virtual protected memory" scheme and based Vista on some very early version of DOS.