Microsoft defends Pwn2Own hacks that bypassed "DEP, ASLR" security features found in Windows 7

Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer and Firefox, Microsoft said the measures aren't meant to "prevent every attack forever." Pete LePage of IE's developer division, stood up for DEP (data execution prevention) and ASLR (address space layout randomization), security features that two hackers sidestepped to […]

Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer and Firefox, Microsoft said the measures aren't meant to "prevent every attack forever." Pete LePage of IE's developer division, stood up for DEP (data execution prevention) and ASLR (address space layout randomization), security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest. "Defense-in-depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability," LePage said, referring to DEP, ASLR and another feature specific to IE, called Protected Mode. All three antiexploit features are also found in Windows 7 operating system. Peter Vreugdenhil, a freelance vulnerability researcher from Netherlands, and a German researcher who only goes by his first name of Nils, each bypassed Windows 7's DEP and ASLR when they successfully attacked IE8 and Firefox 3.6, respectively, at Pwn2Own hacking challenge. LePage's comments Friday were the first from Microsoft on the DEP and ASLR circumventions since Pwn2Own concluded.

More info: Microsoft defends Windows 7 security after Pwn2Own hacks