Microsoft defends Windows 7 security after Pwn2Own hacks

Reacts to Pwn2Own hacks that bypassed DEP, ASLR; says the measures are still effective

1 2 Page 2
Page 2 of 2

Charlie Miller, another Pwn2Own winner who bypassed DEP and ASLR defenses in Apple's Snow Leopard operating system to hack Safari last week, sided with Microsoft on the measures' antiexploit skills. "It's more difficult [to exploit vulnerabilities] than it was before," Miller said. "Before, any of the 20 bugs I found would have been fine for winning," he continued, referring to his recent discovery of 20 vulnerabilities in Mac OS X, Safari, Microsoft Office and Adobe Reader. "But this year, it took a better bug, a best-of-breed bug. Now you really need a very special, well-behaved vulnerability [to win]."

Miller is the only researcher to "three-peat" at Pwn2Own, having won prizes in 2008, 2009 and again this year.

One reason why it's more difficult now, Miller said, is because of DEP and ASLR, both of which Mac OS X also uses, though the latter is only partially implemented by Apple's operating system. But he also argued that their presence is a double-edged sword, and a dull one at that.

"With ASLR, exploiting was supposed to be harder, but I still win [at Pwn2Own]," Miller said. "Then they added DEP, and I still win. People don't think we need to find bugs, now that there's mitigation. But that's not the case. [DEP and ASLR] are just one piece to security, and they don't work as well as people think they will."

In fact, earlier this month, a Google engineer and a former Microsoft security engineer posted proof-of-concept code for bypassing DEP. At the time, a Microsoft spokesman declined to commit to a revamping of the security feature, instead asserting that any skirting of DEP could not compromise a computer by itself.

Other researchers were confident that the code's publication meant that DEP circumvention would increase. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon," said David Sancho, a senior threat researcher at Trend Micro, in an interview four weeks ago.

"Even as security improves, researchers end up winning," Miller said. "We're obviously in better shape [in terms of security], but it's still true that you can't feel totally confident in a full-patched computer."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon