Windows 7 would have stopped RSA hack, says security expert

Windows' DEP facility would have stopped March's damaging hack on secure token specialists RSA, according to a researcher.

According to security researchers, the damaging hack on secure token specialists RSA in March would not have occurred had the company not been using an old and unpatched version of Windows.

Writing for the blog of security firm Qualys, researcher Rodrigo Branco explained that Microsoft's Data Execution Prevention (DEP) technology would have prevented the hack.

"DEP is a security technology that prevents applications from executing machine code stored in certain regions of memory that are marked as non-executable, a technique that is quite frequently used by exploits," he said.

DEP was introduced for Windows XP in 2004, in the operating system's Service Pack 2. It is enabled as standard in the subsequent Windows releases, Vista and Windows 7.

At the time of the attack, RSA was relying largely on Windows XP machines running the out-of-date Service Pack 1.

This highlights the need for enterprises to keep their machines up to date with the latest patches, as operating system security flaws are continually found and fixed. After the attack, RSA's parent company, EMC, admitted the attack had cost it in the region of £40m.

Branco concluded that the volume and complexity of modern software installed on most enterprise machines increases their vulnerability.

"While I investigated an exploit on Adobe Flash, the sheer number of software applications installed on modern machines in network environments opens the door for similar attacks.

"The complexities of typical software packages create a huge attack surface, a fact that has been repeatedly utilised by exploit writers."

He explained that using more modern operating systems, security tools and other software helps to lessen this vulnerability by making attacks sufficiently hard for hackers that the reward no longer justifies the effort.

"Modern defense mechanisms create a barrier by elevating the technical difficulty of the attack. There is a tremendous opportunity for IT pros to turn the tables on the attackers and increase the cost of the attack to a level where all but the most determined attackers will fail.

"This covers the great majority of attacks, including automated attacks and those re-using previously delivered exploit codes."