“A new generic method for exploiting a common problem in software code that was previously thought to be prohibitively difficult to attack is generating a wave of concern and surprise in the security community.”
This is really just another buffer overflow attack. If he is taking advantage of bugs in the VM then it’s just an old fashioned exploit.
Because the ‘code’ you execute in a Virtual Machine or interpreter does not directly access the low-level runtime libraries, we assume that the programs we develop cannot cause a buffer exploit. If there is an exploit, it lies in the VM itself. It’s very easy in a low-level language like C or C++ to allow a buffer exploit simply because of the semantics of some of the calls; you have to actively check for these issues and have some knowledge of how they arise. When developing code that is executed via a VM, the onus for checking for and blocking this class of exploit shifts to the application, which in this case is the VM itself.
We trust that a VM is checked and tested thoroughly and is free of this kind of bug, so that as developers we need not worry (so much) that our code has some kind of exploit.
If anything, this paper simply reminds us that these VMs are just another application, and if they have holes, those can be exploited.
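To make the point about the shifted onus concrete, here is an added illustration (my own toy code, not from the article, the Matasano analysis or the X-Force paper): a minimal stack-based bytecode interpreter in C. The opcodes, limits and error codes are invented for this example. Every place where untrusted bytecode supplies an index or an operand is validated before it touches a native array, because inside a VM that validation is the only thing standing between a malformed program and an out-of-bounds access in the host process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical instruction set for the example (not any real VM). */
enum { OP_PUSH = 1, OP_LOAD = 2, OP_STORE = 3, OP_ADD = 4, OP_HALT = 5 };

/* Result codes: anything negative means the program was rejected
 * before the unsafe access could happen. */
enum {
    VM_OK            =  0,
    VM_ERR_TRUNCATED = -1,  /* opcode needs an operand byte that is missing */
    VM_ERR_STACK     = -2,  /* operand stack would overflow or underflow */
    VM_ERR_LOCAL     = -3,  /* local-variable index outside the frame */
    VM_ERR_OPCODE    = -4,  /* unknown opcode */
    VM_ERR_NO_HALT   = -5   /* ran off the end of the code without HALT */
};

#define STACK_MAX  8
#define LOCALS_MAX 4

typedef struct {
    int32_t stack[STACK_MAX];
    size_t  sp;                 /* number of live stack slots */
    int32_t locals[LOCALS_MAX];
    int32_t result;             /* value on top of the stack at HALT */
} vm_t;

static int push(vm_t *vm, int32_t v) {
    if (vm->sp >= STACK_MAX) return VM_ERR_STACK;   /* would write past stack[] */
    vm->stack[vm->sp++] = v;
    return VM_OK;
}

static int pop(vm_t *vm, int32_t *out) {
    if (vm->sp == 0) return VM_ERR_STACK;           /* would read before stack[] */
    *out = vm->stack[--vm->sp];
    return VM_OK;
}

/* Executes len bytes of bytecode. Every index taken from the bytecode is
 * bounds-checked here; plain C array indexing would perform none of these
 * checks, so a VM that skips them hands the native memory bug back to
 * whoever controls the bytecode. */
int vm_run(const uint8_t *code, size_t len, vm_t *vm) {
    size_t pc = 0;
    int rc;
    vm->sp = 0;
    for (size_t i = 0; i < LOCALS_MAX; i++) vm->locals[i] = 0;

    while (pc < len) {
        uint8_t op = code[pc++];
        int32_t a, b;
        switch (op) {
        case OP_PUSH:                          /* PUSH <signed byte> */
            if (pc >= len) return VM_ERR_TRUNCATED;
            if ((rc = push(vm, (int8_t)code[pc++])) != VM_OK) return rc;
            break;
        case OP_LOAD:                          /* LOAD <local index> */
            if (pc >= len) return VM_ERR_TRUNCATED;
            if (code[pc] >= LOCALS_MAX) return VM_ERR_LOCAL;
            if ((rc = push(vm, vm->locals[code[pc++]])) != VM_OK) return rc;
            break;
        case OP_STORE:                         /* STORE <local index> */
            if (pc >= len) return VM_ERR_TRUNCATED;
            if (code[pc] >= LOCALS_MAX) return VM_ERR_LOCAL;
            if ((rc = pop(vm, &a)) != VM_OK) return rc;
            vm->locals[code[pc++]] = a;
            break;
        case OP_ADD:                           /* pop two, push sum */
            if ((rc = pop(vm, &b)) != VM_OK) return rc;
            if ((rc = pop(vm, &a)) != VM_OK) return rc;
            /* unsigned arithmetic avoids signed-overflow UB in the host */
            if ((rc = push(vm, (int32_t)((uint32_t)a + (uint32_t)b))) != VM_OK) return rc;
            break;
        case OP_HALT:                          /* pop the result and stop */
            if ((rc = pop(vm, &vm->result)) != VM_OK) return rc;
            return VM_OK;
        default:
            return VM_ERR_OPCODE;
        }
    }
    return VM_ERR_NO_HALT;
}

/* Constructed sample programs: one well-formed, the rest malformed in the
 * ways a VM must catch (bad local index, missing operand, stack underflow). */
static const uint8_t PROG_GOOD[]      = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_STORE, 0,
                                          OP_LOAD, 0, OP_LOAD, 0, OP_ADD, OP_HALT };
static const uint8_t PROG_BAD_LOCAL[] = { OP_PUSH, 1, OP_STORE, 7, OP_HALT };
static const uint8_t PROG_TRUNCATED[] = { OP_PUSH };
static const uint8_t PROG_UNDERFLOW[] = { OP_ADD, OP_HALT };
static vm_t g_vm;

int main(void) {
    printf("good:       rc=%d result=%d\n", vm_run(PROG_GOOD, sizeof PROG_GOOD, &g_vm), g_vm.result);
    printf("bad local:  rc=%d\n", vm_run(PROG_BAD_LOCAL, sizeof PROG_BAD_LOCAL, &g_vm));
    printf("truncated:  rc=%d\n", vm_run(PROG_TRUNCATED, sizeof PROG_TRUNCATED, &g_vm));
    printf("underflow:  rc=%d\n", vm_run(PROG_UNDERFLOW, sizeof PROG_UNDERFLOW, &g_vm));
    return 0;
}
```

The well-formed program computes (2 + 3) * 2 via a local and halts with 10; each malformed program is refused with a distinct error instead of reading or writing outside `stack[]` or `locals[]`. The high-level program author never sees these checks, which is exactly why a VM that drops one of them becomes the buffer-overflow target the post is describing.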
There’s some pretty interesting info from Matasano Chargen analysing this exploit.
The Whitepaper on the actual exploit is pretty heavy reading: http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
The scary thing about this is the wide range of target platforms: one of the comments from Mark Dowd on the Matasano Chargen blog was that he saw no reason why it should not be possible to exploit Flash 8 as well as Flash 9, and on every platform in existence.