reply to SUMware
Re: Microsoft Confirms Critical 0-Day IE8 Vulnerability
And Softpedia also reported this, so I assume they are differing vulnerabilities?
IE8 RTW Bulletproofed Against .NET, DEP and ASLR Bypass Reveals Microsoft
The gold version of Internet Explorer 8 was bulletproofed against techniques designed to attack Internet Explorer 7 by leveraging inconsistencies in Windows Vista's memory protection mechanisms. Vista brought to the table a number of mitigations, additional security layers including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), designed to make it extremely hard for exploits to work against the operating system.
Still, because of the actual design and implementation, the extra mitigations could in fact be defeated, as security researchers Alexander Sotirov and Mark Dowd demonstrated at BlackHat Vegas, in 2009.
Sotirov and Dowd managed to circumvent DEP and ASLR via .NET framework DLLs that were used for memory page allocation in relation to predictable locations within the iexplore.exe process. Jonathan Ness, from MSRC Engineering, explained that the bypass was no longer valid with the copy of Internet Explorer 8 released to web on March 19, 2009.
"The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone," Ness stated.
Microsoft is committed to keeping its ears to the street, and has gathered feedback from the recent CanSecWest and SOURCE conferences, emphasizing that security researchers have categorized the process of producing exploits for Vista as "very, very hard." "IE8 is pretty cool technology. We have been using it internally now for a while. One of the great things about it is the layering of defenses on top of defenses. No browser is 100% secure but we are hoping if we keep adding defenses they will be harder and harder to exploit," Ness added.
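The bypass the article describes worked because some modules mapped into iexplore.exe had not opted into ASLR and so landed at predictable addresses. The check a defender wants when auditing a process is therefore whether each loaded module's PE header sets the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits in DllCharacteristics. The following Python script is an added example, not code from the article, from Microsoft or from the researchers: it parses just enough of a PE image to read those bits and lists the modules that would stay at a fixed address. The module names and the minimal PE headers it inspects are constructed inside the script.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible
IMAGE_FILE_DLL = 0x2000                         # COFF Characteristics: file is a DLL
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def analyze_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to report its ASLR/DEP opt-in flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     size_of_optional, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_modules(modules: dict) -> list:
    """Return the names of modules that do not opt into ASLR, i.e. the ones that
    would be mapped at a predictable address.  `modules` maps name -> image bytes."""
    return sorted(name for name, image in modules.items() if not analyze_pe(image)["aslr"])


def build_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections), used only as sample input here."""
    size_of_optional = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       size_of_optional, IMAGE_FILE_DLL)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


# Constructed sample "process": two hypothetical modules linked with /DYNAMICBASE and
# /NXCOMPAT, and one hypothetical legacy module linked with neither.
SAMPLE_MODULES = {
    "browser_host.dll": build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                 | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "rendering_x64.dll": build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                  | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True),
    "legacy_plugin.dll": build_pe(0),
}

if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, analyze_pe(image))
    print("modules without ASLR opt-in:", audit_modules(SAMPLE_MODULES))
```

Against real files, replace the constructed `SAMPLE_MODULES` with the bytes of the DLLs actually loaded in the process of interest; any module reported by `audit_modules` is one whose load address does not move between runs, which is exactly the property the DEP+ASLR bypass depended on.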
said by therube: Correct. The Sotirov/Dowd demo occurred at BlackHat in 2008. Softpedia had the year wrong.
I assume they are differing vulnerabilities?
Researchers use browser to elude Vista memory protections
Here's their paper: Bypassing Browser Memory Protections [pdf]
said by Sotirov/Dowd:
Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.
In this paper we will discuss the limitations of all aforementioned protection mechanisms and will describe the cases in which they fail. We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers. This will be demonstrated with a variety of exploitation techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances.
reply to SUMware
It appears that Nils' exploit is based on the Sotirov/Dowd exploit. DVLabs states the vulnerability is still in IE8, but these two techniques do not work with IE8 on Vista SP1, which mitigates both attacks (with a few caveats, such as not in the Intranet zone or with XP as the OS).
Sponsor confirms IE8 bug & IE7 possibly vulnerable (from NetworkWorld)
quote: [some emphasis added]
Hack contest sponsor confirms IE8 bug in final code
The final version of Microsoft's Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed Friday.
But the exploit used by the computer science student to break the release candidate of IE8 -- and walk away with a Sony laptop and $5,000 in cash -- won't work on the final version of IE8 as long as it's running in Windows Vista SP1 or Windows 7, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint.
Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because Nils, the German student who gave only his first name, hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later.
Forslof put the chatter to rest by confirming that IE8's RTW, or "release to Web" bits, were immune from Nils' hack. "His exploit did, in fact, employ the technique found by Sotirov and Dowd," said Forslof, referring to work by Mark Dowd and Alex Sotirov, two researchers who announced last summer that they were able to bypass two of Vista's biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention).
Microsoft made changes to IE8 between RC1 and the final code that blocked Dowd's and Sotirov's circumvention technique, thereby making Nils' exploit moot -- but only in some situations, said Forslof Friday.
"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly-known techniques."
Also at risk, said Forslof, are users running IE8 on the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.
Forslof declined to confirm whether the bug also exists in older versions of IE, such as IE7. "We're not going to comment on that," she said, "because we're still confirming the vulnerability on the previous versions ourselves. So we'll let Microsoft handle that [announcement]."
But she suspects that IE7 is vulnerable. "My guess would be yes," she said. "A lot of times, researchers look at the current software, in this case IE7, find a bug, then they test on the beta of the next. If they find it there [in IE8], they wait and see whether it's fixed in the final."
Microsoft has said little about the IE8 vulnerability, although during an online Q&A Wednesday, the browser team noted that Nils' exploit wouldn't work on the RTW edition. "We can say that the attack as demonstrated in Pwn2Own at CanSecWest will not succeed on the RTW build released on March 19 due to changes that can block the ASLR+DEP .NET bypass demonstrated by Dowd and Sotirov," said Kymberlee Price, a program manager for IE8 security.
Mozilla, whose Firefox browser was also hacked by Nils last week, plans to patch [has already patched] that flaw, as well as another that just went public, next week.
Microsoft, however, has not spelled out a timetable for an IE fix.