Windows 7 with IE8/Chrome : the latest must for security ?

The star of the annual Pwn2Own hacking competition has given his opinion on general public software solutions - both OS’ and browsers – as to which is the most resistant to computer attacks. Windows 7 with Internet Explorer 8 or Google Chrome is the best combination, as long as Flash is absent.

Each year, the CanSecWest information technology security conference is held in Vancouver, Canada. To the side of this conference, a hacking competition is organised under the guide of the company TippingPoint. Hackers (white hats) confront each other with prizes being offered for those who are the fastest to discover and exploit system or web browser vulnerabilities.

Through this competition, Charlie Miller has earned himself some fame by twice winning the competition, the second time in 2009 when he exploited a fault in Safari on the Mac OS X operating system. With the 2010 competition planned for the end of the month, oneITsecurity interviewed Charlie Miller, asking him what software solution was in his opinion the most robust.

According to Charlie Miller, between Windows 7 and Mac OS X 10.6 (Snow Leopard), Microsoft’s OS provides the most features which can prevent hacking attempts. These are essentially based on the two protection mechanisms: ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

The ASLR technology allows for the storage space addressing to be randomised, with system processes being randomly configured in the system. For the base elements, a different memory allocation is provided each time the system is booted, meaning that addresses can no longer be predicted and therefore targeted by hackers. While Mac OS X also partly uses ASLR, Charlie Miller puts forward that in Windows 7, ASRL is fully used and that by default the attack surface is smaller: "no Java or Flash installed by default".

While Windows 7 has to be associated with a web browser to obtain the most robust solution, Charlie Miller turns towards Internet Explorer 8 or Google Chrome. Be careful though, as he states that "the essential is to not have Flash installed!"

It shouldn’t be forgotten that the basis of Charlie’s opinion is in relation to the competition, with it not necessarily being the most reliable comparison for the security of a browser or operating system for home use. In the case of Linux, everything depends on the distribution used, but Charlie Miller believes that it is no more difficult to find holes in these releases, with it "probably even being easier". He also states that the vulnerabilities found in browsers are "the same no matter if the browser is operating on Linux or Windows".