Microsoft defends Windows 7 security after Pwn2Own hacks
Reacts to Pwn2Own hacks that bypassed DEP, ASLR; says the measures are still effective
Computerworld - Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer and Firefox, Microsoft said the measures aren't meant to "prevent every attack forever."
At the same time, it defended the security measures, saying they remain an effective way to hinder exploits.
Pete LePage, a product manager in IE's developer division, stood up for DEP (data execution prevention) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest last Wednesday.
"Defense-in-depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability," LePage said, referring to DEP, ASLR and another feature specific to IE, called Protected Mode.
DEP, which Microsoft introduced in 2004 with Windows XP SP2, is designed to prevent attack code from executing in memory not intended for code execution. ASLR, a feature that debuted with Windows Vista three years ago, randomly shuffles the positions of key memory areas, such as the stack, to make it more difficult for hackers to predict whether their attack code will run. Protected Mode, a sandbox-like technology in which IE runs with restricted rights, is designed to reduce the ability of attack code to "escape" from the browser to write, alter or delete data elsewhere on the PC.
All three antiexploit features are also found in Windows 7, Microsoft's newest operating system.
Peter Vreugdenhil, a freelance vulnerability researcher from the Netherlands, and a German researcher who only goes by his first name of Nils, each bypassed Windows 7's DEP and ASLR when they successfully attacked IE8 and Firefox 3.6, respectively, at the Pwn2Own hacking challenge.
LePage's comments Friday were the first from Microsoft on the DEP and ASLR circumventions since Pwn2Own concluded.
In a post to the Windows Security blog, LePage used the analogy of a fireproof safe, comparing Windows' security to the safe's ability to withstand fire and heat. "Without defense-in-depth techniques, a fireproof safe may only protect its contents for an hour or two," LePage said. "A stronger fireproof safe with several defense-in-depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last."
Microsoft has made the point before that DEP, ASLR and other defensive measures don't guarantee that Windows can withstand attack. Last summer, for example, Robert Hensing, an engineer at the Microsoft Security Response Center, said that "DEP by itself is generally not a robust mitigation."
But in the same post to Microsoft's Security Research & Defense blog, Hensing also said that "DEP and ASLR used together are very difficult to bypass."
Microsoft's LePage said much the same last Friday. "Defense-in-depth features, including DEP and ASLR, continue to be highly effective protection mechanisms," he claimed.
Vreugdenhil, who exploited IE8 on Windows 7, didn't seem to think they were that difficult to overcome. "It took me six or seven days to get everything to work," he said last week in an interview after his Pwn2Own victory. Although he didn't reveal the two exploits he used to bypass DEP and ASLR and then hack Microsoft's browser -- by the rules of the contest, he's not allowed to talk in detail until the flaws are fixed -- Vreugdenhil posted a paper (download PDF) where he explained how he evaded Windows 7's protections.
- Microsoft defends Windows 7 security after Pwn2Own hacks
- Pwn2Own winner tells Apple, Microsoft to find their own bugs
- Hacker busts IE8 on Windows 7 in 2 minutes
- iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own
- iPhone falls in Pwn2Own hacking contest
- Former winners defend titles at Pwn2Own hacking contest
- Hackers at Pwn2Own to compete for $100K in prizes
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts