New study suggests RSA attack happened because of Windows XP


New research revealed today on the attack against secure token specialists RSA, which took place back in March, indicates that Windows Data Execution Prevention (DEP) would have mitigated or even stopped the attack if the victims were running Windows 7, rather than Windows XP.

“The victims were using Windows XP, which is DEP-capable since SP2. I know that for sure because the exploit won’t work against Windows 7 due to limitations in the exploit code itself. In this specific case, it was possible to change the exploit to work against DEP, but the exploit has been likely reused from another target. Having DEP on would prevent the exploitation,” security researcher Rodrigo Branco stated in a blog post.

Rodrigo Branco, the director of Qualys’ Vulnerability and Malware Research Labs, concluded that RSA victims were running Windows XP and did not have DEP enabled on their systems. “DEP is a security technology that prevents applications from executing machine code stored in certain regions of memory that are marked as non-executable, a technique that is quite frequently used by exploits,” Branco stated.

“We can’t say that the attacker would not change the exploit and try again, but it clearly was going to give more time to the defense to detect the attack and mitigate its effects,” Branco added.

No one really knows just how much RSA intelligence was really compromised. “Did the attacker have all the information previously — so, he knew RSA was using Windows XP, without DEP — or did he just try to see if it works? This actually tells a lot about the sophistication of the attack,” Branco states.

Branco suggests the main steps to protect yourself from these kinds of attacks is to install the latest patches and run the latest data protection mechanisms, such as DEP.