Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Users of superseded Windows and Internet Explorer versions are hacker food, according to Microsoft's security team.
In a detailed report (pdf), security researchers explored how exploit mitigation technologies like heap metadata protection, Address Space Layout Randomization (ASLR) and Structured Exception Handler Overwrite Protection (SECHOP) were absent or weakly implemented in older versions of Windows and Internet Explorer.
The mixed use of different versions of Windows and Internet Explorer also determined how many of the technologies were implemented and put to best use.
The technologies work by breaking or destabilising exploits to make attacks impossible or more resource-intensive to conduct.
This, the team said, increased the cost of attacks against a network which helped to lower the risk of data breaches.
“Put simply, the cost of developing a weaponised exploit for a vulnerability must not exceed an attacker’s expected return on investment. Therefore, increasing this cost directly affects an attacker’s incentive to develop an exploit. Since exploit mitigations remove generic tools from an attacker’s toolbox—an attacker who attempts to exploit a vulnerability must invest significantly more time and resources to develop new exploitation techniques, which may or may not be applicable to other vulnerabilities. For software vendors, the return on investment is also noteworthy because exploit mitigations are relatively cheap to enable and do not require prior knowledge of a particular vulnerability. When combined, these factors suggest that exploit mitigations can be powerful and cost-effective methods for software vendors to use to decrease an attacker’s return on investment.”
The 26-page report covered the benefits of the mitigation technologies, how best to implement them, performance and compatibility considerations and examples of how the techniques have blocked attacks.
But exploit technologies do not absolve software developers from responsibility to design secure software, the authors said.
Under a “call to action”, the Microsoft security team said software vendors, enterprise administrators and users must pitch in to improve software security.
They called on vendors to “build software using exploit mitigation technologies such as DEP, ASLR, SEHOP, and /GS enabled by default and verify that it has been properly implemented with Microsoft’s SDL BinScope tool.
Enterprise IT departments must demand suppliers use exploit mitigations as part of the acceptance criteria when procuring applications, use EMET to enable exploit mitigation technologies for critical applications, and use SEHOP system-wide where possible.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.