At the same time, it defended the security measures, saying they remained an effective way to hinder exploits.
[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
Pete LePage, a product manager with IE's developer division, stood up for DEP (data execution) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest last Wednesday.
"Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability ," LePage said, referring to DEP, ASLR and another feature specific to IE, called Protected Mode.
DEP, which Microsoft introduced in 2004 with Windows XP SP2, is designed to prevent attack code from executing in memory not intended for code execution. ASLR, a feature that debuted with Windows Vista three years ago, randomly shuffles the positions of key memory areas, such as the stack, to make it more difficult for hackers to predict whether their attack code will run. Protected Mode, a sandbox-like technology in which IE runs with restricted rights, is designed to reduce the ability of attack code to "escape" from the browser to write, alter or delete data elsewhere on the PC.
All three anti-exploit features are also found in Windows 7, Microsoft's newest operating system.
Peter Vreugdenhil, a freelance vulnerability researcher from the Netherlands, and a German researcher who only goes by his first name of Nils, each bypassed Windows 7's DEP and ASLR when they successfully attacked IE8 and Firefox 3.6 , respectively, at the Pwn2Own hacking challenge.
LePage's comments Friday were the first from Microsoft on the DEP and ASLR circumventions since Pwn2Own concluded.
In a post to the Windows Security blog LePage used the analogy of a fire-proof safe, equating its ability to withstand fire and heat with Windows' security. "Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two," LePage said. "A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last."
Microsoft has made the point before that DEP, ASLR and other defensive measures don't guarantee that Windows can withstand attack. Last summer, for example, Robert Hensing, an engineer in the Microsoft Security Response Center (MSRC), said, "DEP by itself is generally not a robust mitigation."