Microsoft Stands Behind Security Of Windows 7

Last week at the CanSecWest security conference in Vancouver, Dutch researcher Peter Vreugdenhil won $10,000 in the annual Pwn2Own hacking contest after bypassing Windows 7's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features to attack IE 8.

DEP wards off attacks by preventing code from running in memory that is marked non-executable, while ASLR randomizes the locations of key memory regions so that attackers cannot reliably predict the addresses they need to turn a buffer overflow into working code execution. User Account Control (UAC), Kernel Patch Protection, and Windows Service Hardening are other examples of defense-in-depth security technologies in Windows 7.

In a Friday blog post, Pete LePage, product manager of the Internet Explorer Developer Division, defended ASLR and DEP as key parts of Microsoft's defense-in-depth approach to security in Windows 7.

LePage likened defense-in-depth security to a fireproof safe that's able to protect its contents for hours longer than an ordinary safe by virtue of the extra layers of physical protection it contains.


"Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR, continue to be highly effective protection mechanisms," LePage wrote in the blog post.

Microsoft has been criticized for its stance toward Windows security for years, but David Sockol, president and CEO of Emagined Security, San Carlos, Calif., says its response in this case shows how it's communicating more actively in these situations. The reality in the security industry has always been that no technology offers absolute protection from threats, he said.

"Security technology only is effective until the hacking community catches up," Sockol said.

Any vendor that tries to create the impression of being invincible is putting a bull's-eye on the forehead of its product, notes Darrel Bowman, CEO of Tacoma, Wash.-based security solution provider

"Securing any software or operating system is an ongoing practice which needs to be practiced constantly. There is no magic bullet to ensure totally safe computing," he said.