March 03, 2010, 3:54 PM — The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft's newer operating systems, researchers said today.
On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker "Skylined" when he posts exploit research, published proof-of-concept code that bypasses DEP, or data execution prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other: ASLR, for address space layout randomization.
DEP prevents malicious code from executing in sections of memory not intended for code execution, and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.
Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.
"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," said Wever in a post to his personal blog on Monday.
Wever should know about Windows: According to his LinkedIn account, he worked for Microsoft as a security software engineer from 2006 to 2008.
In 2005, Wever helped popularize "heap spraying," a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe's Reader.
"This is pretty significant," said David Sancho, a senior threat researcher with Trend Micro, when asked to peg the importance of Wever's demonstration. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."
There have been DEP workarounds making the rounds, Sancho acknowledged. "But this is generic enough that it will work within any exploit," he said.