Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

“These exploitation techniques are a hot commodity right now,” says Portnoy. “If you have a way to bypass the (operating system’s) security, then you are a step above most of the people here.”

Apple has not been immune, either. The company has continued to release more security technologies in its own operating system, and Snow Leopard includes both ASLR and DEP, according to Miller.

Microsoft acknowledges that software bugs will always exist, and says that the goal is to make exploiting such vulnerabilities less damaging. Today, other measures, including further stack protections, ASLR, and DEP make it harder to find and exploit vulnerabilities.

“If those techniques weren’t around, you would see a lot more exploits than what we are seeing now,” says HD Moore, chief security officer of Rapid7 and the director of the Metasploit Project, which packages exploitation techniques in an easy-to-use framework for security researchers.

Research on additional protections is ongoing, and a leading candidate is “sandboxing”–a technique where untrusted code is run in protected areas of memory and processing space and not allowed to affect other parts of the computer or device. The Java programming language and runtime environment made sandboxes popular, but only recently have programs been using sandboxes more extensively. Browser makers are looking at running their code in a sandbox, and Google’s Chrome, which survived the Pwn2Own contest without being hacked, runs code in a sandbox.

Moore says sandboxes do have their limitations. “Sandboxes are really good at protecting against a vulnerability in an application becoming an exploit of the operating system,” he says, “but it is only useful if the data that you are trying to protect is not accessible.” In many cases, the program may need access to sensitive or system data, and then sandboxing no longer helps, he says.

In the end, software makers have made their programs harder to exploit, says Miller. While he found nearly 20 vulnerabilities in popular software, such as programs created by Adobe, Apple, and Microsoft, less than a handful could be exploited on an up-to-date system, he says. “It’s a trade-off,” Miller admits. “Every time you add one of these (protections), it slows down the system or makes development harder. The goal is to make software hard to exploit, and they have done that.”

1 comment. Share your thoughts »

Credit: Technology Review

Tagged: Computing, security, Microsoft, software, hackers, operating system, software vulnerabilities

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me