Users of superseded Windows and Internet Explorer versions are hacker food, according to Microsoft's security team.
In a detailed report (pdf), security researchers explored how exploit mitigation technologies like heap metadata protection, Address Space Layout Randomization (ASLR) and Structured Exception Handler Overwrite Protection (SECHOP) were absent or weakly implemented in older versions of Windows and Internet Explorer.
The mixed use of different versions of Windows and Internet Explorer also determined how many of the technologies were implemented and put to best use.
The technologies work by breaking or destabilising exploits to make attacks impossible or more resource-intensive to conduct.
This, the team said, increased the cost of attacks against a network which helped to lower the risk of data breaches.
“Put simply, the cost of developing a weaponised exploit for a vulnerability must not exceed an attacker’s expected return on investment. Therefore, increasing this cost directly affects an attacker’s incentive to develop an exploit. Since exploit mitigations remove generic tools from an attacker’s toolbox—an attacker who attempts to exploit a vulnerability must invest significantly more time and resources to develop new exploitation techniques, which may or may not be applicable to other vulnerabilities. For software vendors, the return on investment is also noteworthy because exploit mitigations are relatively cheap to enable and do not require prior knowledge of a particular vulnerability. When combined, these factors suggest that exploit mitigations can be powerful and cost-effective methods for software vendors to use to decrease an attacker’s return on investment.”
The report covered the benefits of the mitigation technologies, how best to implement them, performance and compatibility considerations and examples of how the techniques have blocked attacks.
But exploit technologies do not absolve software developers from responsibility to design secure software, the authors said.
Under a “call to action”, the Microsoft security team said software vendors, enterprise administrators and users must pitch in to improve software security.
They called on vendors to “build software using exploit mitigation technologies such as DEP, ASLR, SEHOP, and /GS enabled by default and verify that it has been properly implemented with Microsoft’s SDL BinScope tool.
Enterprise IT departments must demand suppliers use exploit mitigations as part of the acceptance criteria when procuring applications, use EMET to enable exploit mitigation technologies for critical applications, and use SEHOP system-wide where possible.