Though Internet Explorer 8 was only one of several products hacked in a recent contest, Microsoft is standing up for its browser.
Microsoft's official Windows Security blog on Friday discussed the specific features that were hacked to win the contest, explaining that IE's security techniques aren't designed to thwart every attack forever, but more to slow down the bad buys and make it harder for them to exploit vulnerabilities.
Last Wednesday's annual Pwn2Own hacking contest at the CanSecWest security show in Vancouver, B.C., pitted security experts and researchers against each other to see who was the top hacker. The contestants managed to hack not just IE8 on Windows 7 but also a non-jailbroken iPhone, Safari running on Snow Leopard, and Firefox on Windows 7.
Peter Vreugdenhil, an independent security researcher who won $10,000 for bypassing the security in IE8, said he exploited IE8 by sneaking past two of its key defenses--ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
The Microsoft blog posted for Pete LePage, a product manager from the Internet Explorer team, mentioned the security researchers and addressed ASLR and DEP. ASLR is designed to stop hackers from getting memory addresses they can use to compromise code. DEP tries to prevent malicious code from running in memory where executable files are not supposed to run.
In describing the way these security defenses work, the blog compared a computer to a fire-proof safe. Without these defenses in place, "a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several 'defense in depth' features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last." The blog said that both ASLR and DEP continued to be "highly effective protection mechanisms."
In hacking IE8, Vreugdenhil explained that the computer running the browser was compromised by visiting a Web site that launched the malicious code. He was then able to steal user rights on the PC, giving him the capability to run applications, such as the Windows calculator. The security researcher who hacked into Firefox said he also bypassed ASLR and DEP to gain control of the computer.