News

IE 8 Hacks Slowed by Windows Safeguards

Even a fire-proof safe needs additional protective measures, and Internet Explorer 8 on Windows 7 is no different.

Such was the view of Microsoft security maven Paul Cooke, commenting on the recent "Pwn2Own" contest at the CanSecWest security conference, which was held last week in Vancouver. IE 8 got hacked in two minutes during the contest.

A hacking mainstay from Germany who goes by the nickname "Nils," along with Peter Vreugdenhil, found ways to disable IE 8's touted DEP (data execution prevention) and ASLR (address space layout randomization) protections, which are two of the most vaunted anti-exploit features in Windows Vista and Windows 7. Nils also was a big winner at last year's Pwn2Own contest.

Even though two minutes seems like a short time, delaying hacker success is part of the security goal, according to Cooke.

"A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last," Cooke wrote in a blog.

Hackers targeted Microsoft's Internet Explorer 8 on Windows 7 and IE 7 on Vista and XP during the contest. They showcased their intrusion skills and competed to win prizes of up to $10,000.

Cooke noted in the blog that Microsoft's newer operating systems, such as Vista and Windows 7, provide additional "defense in depth" protections over previous OSes. H.D. Moore, Rapid7's chief security officer, largely concurred with that view, but he added a caveat.

"The [recent Pwn2Own contest] made one thing clear: efforts by software vendors to improve the resiliency of their operating systems are paying off, but application-specific vulnerabilities are still a serious threat," Moore said. He added that the defense-in-depth protections of the OSes did slow down the Pwn2Own hacking efforts somewhat.

"The complexity of the Internet Explorer exploit used [by the winners] to bypass both DEP and ASLR should be seen as a positive thing for security," said Moore, who is a security researcher, hacker and founder of the Metasploit Project, which tracks software vulnerabilities. "Just one year ago the same type of vulnerability would have exploitable by anyone with basic skills and an hour of time to burn."

Security software entrepreneur Phil Lieberman had a simple response to the two-minute knockout of IE 8.

"Cool and bravo," said Lieberman, who is president of Lieberman Software. "Maybe this will wake up Microsoft to stabilize and secure their browser. IE 8 was worse than IE 7 from a compatibility and performance point of view. It looks like IE 9 will use a more secure architecture built on the new Vista and Windows 7 core."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

  • Datacenters in Space: OrbitsEdge Partners with HPE

    A Florida-based startup is partnering with Hewlett Packard Enterprise in a deal that gives new meaning to the "edge" in edge computing.

  • Windows 10 Hyper-V vs. Windows Server Hyper-V: Which Platform for Which Workloads?

    The differences between these two Hyper-V versions are pretty significant, depending on what you plan to use them for. Here's a quick rundown of each platform, from their features to licensing quirks to intended use cases.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.