IE 8 Hacks Slowed by Windows Safeguards

Even a fire-proof safe needs additional protective measures, and Internet Explorer 8 on Windows 7 is no different.

Such was the view of Microsoft security maven Paul Cooke, commenting on the recent "Pwn2Own" contest at the CanSecWest security conference, which was held last week in Vancouver. IE 8 got hacked in two minutes during the contest.

A German hacker who goes by the nickname "Nils," along with Peter Vreugdenhil, found ways to disable IE 8's touted DEP (data execution prevention) and ASLR (address space layout randomization) protections, two of the most vaunted anti-exploit features in Windows Vista and Windows 7. Nils was also a big winner at last year's Pwn2Own contest.

Even though two minutes seems like a short time, delaying hacker success is part of the security goal, according to Cooke.

"A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last," Cooke wrote in a blog.

Hackers targeted Microsoft's Internet Explorer 8 on Windows 7 and IE 7 on Vista and XP during the contest. They showcased their intrusion skills and competed to win prizes of up to $10,000.

Cooke noted in the blog that Microsoft's newer operating systems, such as Vista and Windows 7, provide additional "defense in depth" protections over previous OSes. H.D. Moore, Rapid7's chief security officer, largely concurred with that view, but he added a caveat.

"The [recent Pwn2Own contest] made one thing clear: efforts by software vendors to improve the resiliency of their operating systems are paying off, but application-specific vulnerabilities are still a serious threat," Moore said. He added that the defense-in-depth protections of the OSes did slow down the Pwn2Own hacking efforts somewhat.

"The complexity of the Internet Explorer exploit used [by the winners] to bypass both DEP and ASLR should be seen as a positive thing for security," said Moore, who is a security researcher, hacker and founder of the Metasploit Project, which tracks software vulnerabilities. "Just one year ago the same type of vulnerability would have been exploitable by anyone with basic skills and an hour of time to burn."

Security software entrepreneur Phil Lieberman had a simple response to the two-minute knockout of IE 8.

"Cool and bravo," said Lieberman, who is president of Lieberman Software. "Maybe this will wake up Microsoft to stabilize and secure their browser. IE 8 was worse than IE 7 from a compatibility and performance point of view. It looks like IE 9 will use a more secure architecture built on the new Vista and Windows 7 core."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.