Researcher releases attack code for just-patched Windows bug

Microsoft fixed flaw nine months after it was revealed at last year's Pwn2Own hacking contest


"There was some confusion about how Peter's exploit worked," Portnoy said. "They thought that it was non-exploitable, and we had to clarify." Only after Vreugdenhil received clearance to move to the U.S. to take the TippingPoint job did he and Portnoy connect with Microsoft to spell out the vulnerability and the working of the complex exploit.

While Microsoft has repeatedly defended ASLR's and DEP's effectiveness -- it applauded the technologies just days after Vreugdenhil and another researcher evaded both at Pwn2Own -- the company's security engineers have also acknowledged that hackers are finding ways to bypass both by exploiting weaknesses in ASLR.

"They're just hurdles," said Portnoy. "They don't make it impossible [to run attack code], but they do make it harder."

Last month, Microsoft reaffirmed its confidence in ASLR and DEP when Matt Miller of the Microsoft Security Engineering Center (MSEC) said that they "are strong countermeasures for the types of attacks that we see in the wild today despite weaknesses in their current implementations."

Portnoy begged to differ.

"Just because they've seen none in the wild doesn't mean that they haven't been used," Portnoy said. "It just means that Microsoft hasn't seen them."

TippingPoint will again sponsor the Pwn2Own contest at the CanSecWest security conference, which is slated to run March 9-11. Portnoy said TippingPoint would release more information about this year's Pwn2Own early next month, but confirmed that it would highlight browser and mobile exploits.

One change this year is that Pwn2Own will offer cash prizes to researchers who successfully hack into a mobile phone's broadband processor, opening the door for exploits of bugs in the firmware of the chips that process a phone's radio signals.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
