What to make of the hacker who broke IE8 in two minutes

Will every Microsoft security improvement be matched by hackers?

Some of you might have seen today's story by Gregg Keizer of our sister publication Computerworld headlined "Hacker busts IE8 on Windows 7 in two minutes" and may have asked the same question I asked.

Two minutes?

Dutch hacker Peter Vreugdenhil broke into the current edition of the Web browser by launching a two-pronged attack on the Windows 7 operating system, Keizer reported. Vreugdenhil completed his hack at the Pwn2Own hacking contest held in Vancouver, BC, sponsored by Tipping Point, an intrusion prevention system provider acquired by 3Com in 2005.

Vreugdenhil compromised what Keizer described as "two of Windows 7's most vaunted anti-exploit features," namely DEP (data execution prevention) and ASLR (address space layout randomization).

Here's an excerpt from Keizer's report:

"To outwit ASLR -- which randomly shuffles the positions of key memory areas to make it much more difficult for hackers to predict whether their attack code will actually run -- Vreugdenhil used a heap overflow vulnerability that allowed him to obtain the base address of a .dll module IE8 loads into memory. He then used that to run his DEP-skirting exploit. DEP, which Microsoft introduced in 2004 with Windows XP Service Pack 2, prevents malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, buffer overflow attacks.

"'[The exploit] reuses Microsoft's own code to disable DEP,' said Vreugdenhil. 'You can reuse Microsoft's own code to disable memory protection.'"

It was by deploying the two-pronged attack that he was able to complete the exploit in little more than two minutes, the hacker told Computerworld. Had he used only one approach, he said it could have taken close to an hour.

For his ingenuity, Vreugdenhil won the notebook computer he used to execute the attack and $10,000, or $5,000 for ever minute he spent on the task. Another hacker, who went only by his first name Nils, also broke into Windows 7 using the same two-step approach and from there hacked the Firefox browser. If misery loves company, Microsoft can at least take comfort in the fact that another hacker compromised Apple's OS X operating system and compromised its Safari browser at the same event.

But two minutes?

The Microsoft representative on hand at Pwn2Own must have done a spit take with his coffee when the Dutch hacker broke his company's state-of-the-art OS in just 120 seconds.

According to Keizer's story, "Jerry Bryant, a senior manager with the Microsoft Security Research Center (MSRC) acknowledged the vulnerabilities."

"We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete," Bryant told the reporter in an e-mail.

Of course, this is hacking in a controlled, friendly, White Hat environment. The hackers and Tipping Point don't share details of the exploits with anyone but the companies whose system was hacked.

I've written of late about Microsoft's efforts to improve its security as well as its security reputation. Microsoft's Scott Charney touted the company's TrustWorthy Computing security efforts again at this year's RSA Conference, where a panel of industry analysts also said Microsoft is improving its security. Another analyst told me Microsoft is "out of the doghouse" on security.

But when news like this breaks it just comes across as "same old same old" and invites Microsoft-bashers to pile on.

Microsoft will likely come up with a patch to fix this vulnerability and is no doubt serious about improving its security. But it may not be able to change a fundamental dynamic about the software industry. Because Microsoft is the largest software company and is ubiquitous in computer systems everywhere on the planet, it will continue to be the target of the Black Hat hackers.

We can hope the White Hat hackers like Peter Vreugdenhil can keep ahead of them.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)