Hacker Cracks Internet Explorer 8 on Windows 7
Despite the security measures included in Windows 7, two security researchers were able to defeat the security provided to users running Internet Explorer 8 on top of Microsoft's latest operating system.
March 25, 2010
The researchers managed to surf their way through Windows 7's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) anti-hacking defenses on a completely up-to-date and fully patched 64-bit version of Windows 7 running IE8.
If you find that news sobering, consider how (relatively) quickly the Dutch hacker, Peter Vreugdenhil, was able to develop a working exploit. From Ryan Naraine at the Threatpost blog:
"I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass," he added.
Vreugdenhil, who won a ,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. "I was specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass," he said.
After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.
"Fuzzing" techniques include using tools that throw random data (essentially junk) at software inputs to see what happens.
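To make that concrete, here is an added example (not code from this article or from Vreugdenhil's research): a minimal random-input fuzzer run against a constructed toy parser with a planted bounds bug. The names `parse_records`, `fuzz` and `triage` are hypothetical; the harness records every crash and groups the log by crash signature, which is the kind of log review the quote above refers to.

```python
import random

def parse_records(data: bytes) -> list:
    """Constructed toy target: a stream of [1-byte length][payload][1-byte checksum].
    Planted bug: the length byte is trusted without checking the remaining input."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1 : i + 1 + n]
        checksum = data[i + 1 + n]  # out-of-bounds index when the record is truncated
        if n and sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")  # clean rejection, not a crash
        out.append(payload)
        i += n + 2
    return out

def fuzz(target, iterations=2000, seed=1234, max_len=16):
    """Throw random byte strings at target; log every unexpected exception."""
    rng = random.Random(seed)  # fixed seed so each finding can be replayed
    log = []
    for case in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))
        try:
            target(data)
        except ValueError:
            continue  # the parser rejected the input as designed
        except Exception as exc:
            tb = exc.__traceback__
            while tb.tb_next:  # walk to the innermost frame, where the fault occurred
                tb = tb.tb_next
            sig = f"{type(exc).__name__}@{tb.tb_frame.f_code.co_name}:{tb.tb_lineno}"
            log.append({"case": case, "input": data, "sig": sig})
    return log

def triage(log):
    """Group crashes by signature, keeping a count and the shortest reproducer."""
    buckets = {}
    for entry in log:
        b = buckets.setdefault(entry["sig"], {"count": 0, "smallest": entry["input"]})
        b["count"] += 1
        if len(entry["input"]) < len(b["smallest"]):
            b["smallest"] = entry["input"]
    return buckets

if __name__ == "__main__":
    for sig, b in triage(fuzz(parse_records)).items():
        print(sig, b["count"], b["smallest"].hex())
```

In native code the same unchecked length would be an out-of-bounds read rather than a Python exception, which is why grouping crashes by signature and keeping the shortest reproducer makes a large fuzzing log reviewable.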
Vreugdenhil published a brief paper [.PDF] explaining how he bypassed both ASLR and DEP.
The demonstration took place at the CanSecWest Vancouver security conference, underway now. It's part of a contest funded by intrusion-prevention provider TippingPoint. More than $100,000 in prizes are earmarked for hackers who can break into leading Internet browsers and mobile platforms for the iPhone, Blackberry, Symbian, and Android.
IE 8 running on Windows 7 wasn't the only browser to fall at the conference so far. The iPhone, Safari, and Mozilla Firefox also fell to exploits designed to take advantage of zero-day vulnerabilities in all of those systems.
For my security and technology observations throughout the day, consider following me on Twitter.