Despite the security measures included in Windows 7, two security researchers were able to defeat the security provided to users running Internet Explorer 8 on top of Microsoft's latest operating system.The researchers managed to surf their way through Windows 7's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) anti-hacking defenses on a completely up-to-date and fully patched 64-bit version of Windows 7 running IE8.
If you find that news sobering, consider how (relatively) quickly the Dutch hacker, Peter Vreugdenhil, was able to develop a working exploit. From Ryan Naraine at the Threatpost blog:
"I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass," he added.
Vreugdenhil, who won a $10,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. "I specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass, he said.
After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.
"Fuzzing" techniques include using tools that throw random data (essentially junk) at software inputs to see what happens.
Vreugdenhil published a brief paper [.PDF] explaining how he bypassed both ASLR and DEP.
The demonstration took place at the CanSecWest Vancouver security conference, underway now. It's part of a contest funded by intrusion-prevention provider Tipping Point. More than $100,000 in prizes are earmarked for hackers who can break into leading Internet browsers and mobile platforms for the iPhone, Blackberry, Symbian, and Andriod.
IE 8 running on Windows 7 wasn't the only browser to fall at the conference so far. The iPhone, Safari, and Mozilla Firefox also fell to exploits designed to take advantage of zero-day vulnerabilities in all of those systems.
For my security and technology observations throughout the day, consider following me on Twitter.