Microsoft Defends Win 7 Security After Pwn2Own

Last week we reported that during Pwn2Own, two hackers were able to sidestep Windows 7's data execution prevention (DEP) and address space layout randomization (ASLR), and hack into Internet Explorer 8 and Firefox 3.6. One of the hackers, Peter Vreugdenhil, a freelance vulnerability researcher from the Netherlands, said that he used "fuzzing" to uncover two vulnerabilities in a fully-patched version of 64-bit Windows 7.

"I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP (data execution prevention) bypass,” Vreugdenhil said last week.

Days later, Pete LePage, a product manager in Microsoft's Internet Explorer developer division, came up to bat for IE's Protected mode, DEP and ASLR in a recent blog, saying that defense-in-depth techniques aren't designed to prevent every attack forever. Instead, they're in place to make it that much more difficult to actually find and exploit a vulnerability.

"One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire," LePage wrote. "Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last."

Apparently the "safe" isn't all that thick. Vreugdenhil said last week that the Windows 7 defenses weren't hard to overcome, taking at least six or seven days to "get everything to work." While he didn't specify the exploits he used to bypass DEP and ASLR, Vreugdenhil released a white paper explaining how he sidestepped Windows 7's security. The PDF file can be downloaded here.

Vreugdenhil will disclose the exploits once they have been addressed by Microsoft.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
38 comments
    Your comment
    Top Comments
  • thedipper
    My defense for Microsoft is:

    It's Microsoft. They can have almost any exploitable security hole repaired and the patch rolled out to users all within the same day.
    27
  • flyinfinni
    Interesting. Security really is a continual work in progress as Hackers will continue to find new exploits and they will continually be in the process of being fixed. Nothing is perfect and more and new ways to attack will continue to be developed.
    20
  • doc70
    Wasn't that hard? At least 6-7 days to overcome?
    Doesn't sound too easy to me.
    A little confusing there, Kevin.
    20
  • Other Comments
  • flyinfinni
    Interesting. Security really is a continual work in progress as Hackers will continue to find new exploits and they will continually be in the process of being fixed. Nothing is perfect and more and new ways to attack will continue to be developed.
    20
  • thedipper
    My defense for Microsoft is:

    It's Microsoft. They can have almost any exploitable security hole repaired and the patch rolled out to users all within the same day.
    27
  • doc70
    Wasn't that hard? At least 6-7 days to overcome?
    Doesn't sound too easy to me.
    A little confusing there, Kevin.
    20