Wednesday, March 31, 2010

IE 8 Hacks Slowed by Windows Safeguards

Even a fire-proof safe needs additional protective measures, and Internet Explorer 8 on Windows 7 is no different.

Such was the view of Microsoft security maven Paul Cooke, commenting on the recent "Pwn2Own" contest at the CanSecWest security conference, which was held last week in Vancouver. IE 8 got hacked in two minutes during the contest.

A hacking mainstay from Germany who goes by the nickname "Nils," along with Peter Vreugdenhil, found ways to disable IE 8's touted DEP (data execution prevention) and ASLR (address space layout randomization) protections, which are two of the most vaunted anti-exploit features in Windows Vista and Windows 7. Nils also was a big winner at last year's Pwn2Own contest.

Even though two minutes seems like a short time, delaying hacker success is part of the security goal, according to Cooke.

"A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last," Cooke wrote in a blog.

Hackers targeted Microsoft's Internet Explorer 8 on Windows 7 and IE 7 on Vista and XP during the contest. They showcased their intrusion skills and competed to win prizes of up to $10,000.

Cooke noted in the blog that Microsoft's newer operating systems, such as Vista and Windows 7, provide additional "defense in depth" protections over previous OSes. H.D. Moore, Rapid7's chief security officer, largely concurred with that view, but he added a caveat.

"The [recent Pwn2Own contest] made one thing clear: efforts by software vendors to improve the resiliency of their operating systems are paying off, but application-specific vulnerabilities are still a serious threat," Moore said. He added that the defense-in-depth protections of the OSes did slow down the Pwn2Own hacking efforts somewhat.

"The complexity of the Internet Explorer exploit used [by the winners] to bypass both DEP and ASLR should be seen as a positive thing for security," said Moore, who is a security researcher, hacker and founder of the Metasploit Project, which tracks software vulnerabilities. "Just one year ago the same type of vulnerability would have exploitable by anyone with basic skills and an hour of time to burn."

Security software entrepreneur Phil Lieberman had a simple response to the two-minute knockout of IE 8.

"Cool and bravo," said Lieberman, who is president of Lieberman Software. "Maybe this will wake up Microsoft to stabilize and secure their browser. IE 8 was worse than IE 7 from a compatibility and performance point of view. It looks like IE 9 will use a more secure architecture built on the new Vista and Windows 7 core."

Microsoft Disputes ‘Vulnerability’ in Virtual PC‘The Last Airbender’ Stars Promise Fans Will Be ‘Blown Away’