Microsoft Responds to 2 Minute IE8 Hack



unleashed
03-31-2010, 10:51 AM
At the annual Pwn2Own contest, IE8 was hacked in less than two minutes on a fully-patched 64-bit Windows 7 installation by Peter Vreugdenhil, who bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). This allowed him to run any process on a computer that visited a website which launched his malicious code, as he had complete access to an interactive shell.

Now Microsoft has responded to the incident, saying that IE8 has “some of the best safety and privacy features available today:”

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team. That’s why we work hard to make sure our browser has some of the best safety and privacy features available today. We’ve spent a lot of time talking about some of the more visible safety and privacy features like our SmartScreen Filter, which protects users from socially engineered malware and phishing attacks; or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren’t as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7. For example, Protected Mode helps ensure exploited code cannot access system or other resources. Address Space Layout Randomization (ASLR) helps prevent attackers from getting memory addresses to use in buffer overflow situations. Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable. These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities.

One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire. Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several defense in depth features still won’t guarantee the valuables forever, but adds significant time and protection to how long the contents will last.

Recently, there has been some news from some security researchers about how they’ve managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). But like the fire-proof safe example above, defense in depth techniques aren’t designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR, continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them – they’re on by default. That’s one of the reasons why we encourage users to make sure they’re running the latest and most up-to-date software.

Microsoft describes DEP and ASLR as tools meant to delay, not prevent, attacks on the browser, comparing the browser to a fire-proof safe. But when it comes down to it, two minutes is not a very significant delay whatsoever. All users are recommended to upgrade to a newer, better browser (such as Chrome; remember that Firefox was also hacked through the same methods). A better analogy would be something like this: IE8 is a castle with several widely known secret tunnels leading behind the walls, cracks in the structure, a dry moat, and a drawbridge that stays down. However, Microsoft attempts to protect this castle by spilling oil everywhere so that invaders slip and fall and take a few more minutes than they normally would to capture the castle. Wonderful.

In fact, Omoronovo, one of our readers, does a great job of explaining a couple of key problems with IE8 in a recent comment: “Internet Explorer relies on its sandbox so that it can “ignore” more complicated security practices that are designed to be used in conjunction… Internet Explorer uses Software DEP (which is easily circumventable), it uses botched ASLR (only randomizing its address to a 30-bit address space even on the 64-bit version of the browser, rendering it susceptible to heap spray attacks), and its SafeSEH support is non-existent – if the browser crashes, it relies on the sandbox to make sure nothing can be exploited through it.”

If you have to use IE, please update your browser to the latest. However, it would be much more beneficial to completely abandon the browser, as new vulnerabilities are constantly found in the browser and it always loses in security contests. A popular response to this is that IE is very widely spread, and that it’s a much larger target; and as such, hackers target the browser much more often than its competitors. My reply to that is this: Microsoft has an outstanding userbase. Instead of creating excuses, Microsoft needs to use its widespread availability and deep pockets (much deeper and widespread than its competitors) to create a browser that can withstand its attacks. If it’s going to claim that IE is the most popular browser, its security should match that claim or Microsoft should back off the market.

Source (http://windows7news.com/2010/03/29/microsoft-responds-to-2-minute-ie8-hack/)
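
The statement above describes DEP as refusing to run code from memory marked non-executable and ASLR as denying an attacker stable addresses. The following is an added example (not part of the original post, the linked article, or any Microsoft code) showing what a defender can check for from the outside: an auditor for the Linux /proc/<pid>/maps layout that flags regions which are both writable and executable (the W^X violation DEP/NX is supposed to rule out), an executable stack, and an executable image loaded at the fixed non-PIE base, which gets no ASLR for its code. The sample map text is constructed, not captured from a real process; the 0x400000 base is the conventional x86_64 Linux non-PIE load address and is used only as a heuristic. Windows exposes the same information through different APIs, which this example does not cover.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of Linux /proc/<pid>/maps. It was not captured
# from any real process; paths, inodes and addresses are made up for illustration.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 123456   /usr/bin/demo
00401000-00402000 r-xp 00001000 08:01 123456   /usr/bin/demo
00402000-00403000 rw-p 00002000 08:01 123456   /usr/bin/demo
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3c5000 r-xp 00000000 08:01 654321   /usr/lib/libc.so.6
7ffd5e4a0000-7ffd5e4c1000 rwxp 00000000 00:00 0        [stack]
"""

# One maps line: start-end perms offset dev inode [path]
_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+(?P<perms>[rwxsp-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

# Conventional load address of a non-PIE x86_64 Linux executable (heuristic only).
NON_PIE_BASE_X86_64 = 0x400000


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


@dataclass
class Finding:
    mapping: Mapping
    reason: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records; lines that do not match are skipped."""
    out: List[Mapping] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def audit_maps(text: str) -> List[Finding]:
    """Return the mappings that undercut DEP/NX or ASLR for this process."""
    findings: List[Finding] = []
    for mp in parse_maps(text):
        writable = "w" in mp.perms
        executable = "x" in mp.perms
        if writable and executable:
            # DEP/NX enforcement means no page should be writable and executable at once.
            what = "stack" if mp.path == "[stack]" else "region"
            findings.append(Finding(
                mp, f"{what} is both writable and executable (W^X violated; DEP/NX would forbid this)"))
        if mp.start == NON_PIE_BASE_X86_64 and mp.path and not mp.path.startswith("["):
            # A fixed image base means the binary's own code is not randomized by ASLR.
            findings.append(Finding(
                mp, "image loaded at the fixed non-PIE base; its code gets no ASLR"))
    return findings


def audit_self() -> Optional[List[Finding]]:
    """Audit the running interpreter; returns None on systems without /proc/self/maps."""
    try:
        with open("/proc/self/maps", encoding="utf-8") as f:
            return audit_maps(f.read())
    except OSError:
        return None


def format_finding(f: Finding) -> str:
    return f"{f.mapping.start:#x}-{f.mapping.end:#x} {f.mapping.perms} {f.mapping.path or '<anon>'}: {f.reason}"


if __name__ == "__main__":
    print("Constructed sample:")
    for finding in audit_maps(SAMPLE_MAPS):
        print("  " + format_finding(finding))
    live = audit_self()
    if live is not None:
        print(f"Live process: {len(live)} finding(s)")
        for finding in live:
            print("  " + format_finding(finding))
```

Run on the constructed sample, the auditor reports the anonymous RWX region, the executable stack, and the non-PIE image base; on a hardened, PIE-built process with NX enforced it should report nothing for the live case. The same checks apply to any mapping source, so a snapshot saved from another process can be fed to audit_maps directly.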

cybermax
04-01-2010, 12:57 AM
Wow, I'm glad I don't use IE anymore, rofl. Nice job, man.

unleashed
04-01-2010, 12:01 PM
Yeah, even I am with Google Chrome these days :)!