Microsoft has come forward to clarify that its defensive measures in the Windows 7 operating system aren't meant to "prevent every attack forever." This came in the wake of various news reports on the Pwn2Own hacking contest that saw various security experts circumvent the security measures in IE8 and the underlying Windows operating system to win the contest prizes. 

Pete LePage, a product manager in IE's developer division spoke in defense of DEP (data execution prevention) and ASLR (address space layout randomization). In a blog post, LePage alluded the various security technologies to the fire-rating on a fire-proof safe, and how DEP and ASLR represents a "defense in depth" strategy; delaying the inevitable rather than stopping it.

LePage wrote, "Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability." However, LePage did spell out his belief that defense in depth features such as DEP and ASLR, "continue to be highly effective protection mechanisms."

What is most interesting is probably a remark by three-time winner at Pwn2Own, Charlie Miller, who admitted to Computerworld that it was getting more difficult to exploit the vulnerabilities. Miller said, "Before, any of the 20 bugs I found would have been fine for winning...this year, it took a better bug, a best-of-breed bug. Now you really need a very special, well-behaved vulnerability [to win]."

It would be easy to allow the entire security debate to degenerate into a "my platform is better" argument, despite the fact that it has proven relatively easy for security experts to find flaws in most operating systems. As I noted in my editorial last Friday titled "Pwn2Own 2010: The Mac isn't more secure" however, users just have to keep ensuring that they continue following best practices when it comes to security.

For more on this story:
- check out the article at Computerworld
- check out the article at CNET News
- check out the article at The Windows Security Blog

Related Articles:
Pwn2Own 2010: The Mac isn't more secure
Firefox, IE8, Safari and iPhone overcome on day one of Pwn2Own
Microsoft offers sneak peek at Internet Explorer 9
Microsoft urges users to upgrade from IE 6