Microsoft urges Windows, Internet Explorer upgrades

Microsoft security researchers have urged users to upgrade past ageing versions of Windows and Internet Explorer in order to take advantage of better security measures.

In a report released by the software giant last week (pdf), the researchers detailed the differing use and integration of exploit mitigation technologies in newer versions of the company's popular operating system and default Web browser.

They included a mix of technologies including heap metadata protection, Address Space Layout Randomization (ASLR) and Structured Exception Handler Overwrite Protection (SECHOP), which were absent or weakly implemented in older versions of both software packages.

The mixed use of different versions of Windows and Internet Explorer also determined how many of the technologies were implemented and put to best use.

The technologies worked by breaking or destabilising exploits to make attacks impossible or more resource-intensive to conduct.

This, the team said, increased the cost of attacks against a network which helped to lower the risk of data breaches.

“Increasing this cost directly affects an attacker’s incentive to develop an exploit," the researchers said. "For software vendors, the return on investment is also noteworthy because exploit mitigations are relatively cheap to enable and do not require prior knowledge of a particular vulnerability.

"When combined, these factors suggest that exploit mitigations can be powerful and cost-effective methods for software vendors to use to decrease an attacker’s return on investment.”

A matrix detailing which versions of Windows and Internet Explorer provided the most apt security technologies.

The 26-page report covered the benefits of the mitigation technologies, how best to implement them, performance and compatibility considerations and examples of how the techniques have blocked attacks.

But exploit technologies did not absolve software developers from responsibility to design secure software, the authors said.

Under a “call to action”, the Microsoft security team said software vendors, enterprise administrators and users must pitch in to improve software security.

They called on vendors to build software which enabled exploit mitigation technologies by default and verify that it had been properly implemented with Microsoft’s SDL BinScope tool.

They said enterprise IT departments should demand suppliers use exploit mitigation technologies as part of the acceptance criteria when procuring applications, use EMET to enable exploit mitigation technologies for critical applications and use SEHOP system-wide where possible.

Copyright © SC Magazine, Australia