Microsoft’s browsers have been popular targets for hackers for years, and the company has responded by doing its best to preserve, harden and protect them. But hackers, both good and bad, keep penetrating the browser’s defenses. Now Microsoft is admitting that its browser defense system is only good for slowing down hackers, not stopping them completely. eSecurity Planet takes a look.
Less than a week after a white hat hacker took mere minutes to take over Internet Explorer 8 running on Windows 7, Microsoft has responded that its “defense in depth” strategy isn’t meant to altogether stop such attacks, but rather to delay them.
But a hacker presenting at the CanSecWest conference in Vancouver wasn’t delayed much at all as he quickly defeated Microsoft’s defense in depth measures for Windows 7 running IE8. (To be fair, hackers also quickly defeated security in Firefox and Safari.)
One of the two Microsoft “defense in depth” features that the exploit took advantage of is called “Data Execution Prevention,” or “DEP.” Its aim is to prevent code that has been loaded into non-executable memory locations from executing.
The hacker also claimed to use a second security protection feature as part of the successful takeover, which came during the contest known in the hacker community as Pwn2Own. However, due to the rules of the contest, he couldn’t reveal the entire exploit.