Protecting users is a top priority, says Pete LePage

Mar 29, 2010 13:02 GMT

A game of chess is a simple analogy for software security efforts. Opponents move one at a time and, as a general rule, one of them is at least a step ahead. There’s a continuous, silent race between hackers and software developers, the former seeking to break the protections built into products, the latter aiming to harden their software as much as possible in order to keep that “step ahead” advantage and protect customers. This holds for products such as Windows 7 and Internet Explorer 8, considered at the top of their game in terms of the level of security they deliver, especially after being built with the help of the Security Development Lifecycle.

However, one critical aspect of security, even for Windows 7 and IE8, is that the products feature no impenetrable barriers. Instead, Microsoft has built a complex, multi-tiered architecture of mitigations, designed to make hacks simply not worth the effort. But it is important to note that neither Windows 7 nor IE8 is bulletproof. Microsoft underlined this aspect recently, after IE8 on Windows 7 was hacked during the Pwn2Own contest at CanSecWest 2010.

“Recently, there has been some news from some security researchers about how they've managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). […] Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR continue to be highly effective protection mechanisms,” Pete LePage of the Internet Explorer team revealed. “Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them - they're on by default. That's one of the reasons why we encourage users to make sure they're running the latest and most up-to-date software.”

The fact of the matter is that, given sufficient time and resources, no security measure is impenetrable. This is valid for every security product and is in no way limited to software. With the various protections built into Windows 7 and IE8 by default, Microsoft’s strategy is to make hacks so complex and costly that hackers see no profit that would merit the effort of breaking into a system. Similarly, think of the best protected banks. There’s always a way to break into the most massive vault you can imagine, but the question is, will it be worth it?

“There are a number of other features that aren't as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7. For example, Protected Mode helps ensure exploited code cannot access system or other resources. Address Space Layout Randomization (ASLR) helps prevent attackers from getting memory addresses to use in buffer overflow situations. Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable. These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities,” LePage added.

During the Pwn2Own hacking contest, IE8 and Firefox on Windows 7, as well as Safari on Mac OS X, were hacked within minutes by security researchers. And although the attacks are complex enough that script kiddies won’t be taking advantage of them anytime soon, maybe it is time for Microsoft to consider upping the ante with Internet Explorer 9 and Windows 8.