Microsoft: IE's Defense in Depth Not Fool-Proof

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Less than a week after a white hat hacker took mere minutes to take over Internet Explorer 8 running on Windows 7, Microsoft has responded that its "defense in depth" strategy isn't meant to altogether stop such attacks, but rather to delay them.

But a hacker presenting at the CanSecWest conference in Vancouver, wasn't delayed much at all as he quickly defeated Microsoft's defense in depth measures for Windows 7 running IE8. (To be fair, hackers also quickly defeated security in Firefox and Safari.)

One of the two Microsoft "defense in depth" features that the exploit took advantage of is what's called, "Data Execution Prevention" or, "DEP." Its aim is to keep code that has been loaded into non-executable memory locations from being allowed to execute.

The hacker also claimed to use a second security protection feature as part of the successful takeover -- known in the hacker community as Pwn2own. However, due to the rules of the contest, he couldn't reveal the entire exploit.

Friday, in a post to the Windows Security blog, IE team spokesperson Pete LePage, tried to put the events into focus.

"Protecting Windows customers is an absolute priority for the Internet Explorer engineering team," LePage said in his post.

Besides DEP, LePage also cited other defense in depth measures included in Windows 7 and IE8, including Address Space Layout Randomization (ASLR), meant to randomly locate key pieces of code so that an attacker can't easily figure out how and where to attack, particularly with buffer overflow exploits. Another measure he mentioned is Protected Mode, a feature in Windows 7 and Windows Vista that runs IE in a reduced privileges mode.

LePage, however, said that nothing is a panacea and that one of the purposes of defense in depth is to slow the bad guys down, if not stop them dead in their tracks.

"One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire. Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last," LePage's post said.

LePage continued with the fire-proof safe analogy. "Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability."

Perhaps a little ironically, he cited both DEP and ASLR as key components of that strategy, while admitting that both have been used to break into systems running Windows and IE.

Administrator rights enable risk?

Meanwhile, a report compiled by privileged access lifecycle management vendor BeyondTrust and released Monday, found that a majority of Microsoft security vulnerabilities can be mitigated, if not totally blocked, by removing administrators' rights from most users desktops.

All-in-all, however, at least one analyst feels that demonstrations are useful, but don't change the facts on the ground.

"The reality is there is no perfect security...but even if you've got something that will keep them out, a determined individual will still get through," Rob Enderle, principal analyst at the Enderle Group, told InternetNews.com.

"However, if you make something that's really secure [the bad guys] will go elsewhere," Enderle added.

A recent IBM-funded survey by Traverse City, Mich. security researcher, Poneman Institute queried 115 C-level executives in the U.K. Its findings were not heartening for those who might think their systems are secure. All of the respondents said they had experienced attacks on their data in the past year.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.