2 recommendations |
to siljaline
Re: IE Zero-DayThat's the same link that chachazz posted (Look in the "quoted" part) |
|
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
Noted |
|
1 recommendation |
StuartMW
Premium Member
2012-Dec-29 8:19 pm
Well I only know 'cause I clicked on both, That's where I got my quote from. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
Some slight duplication of effort never hurt anybody. Better than no information • voila |
|
trparky Premium Member join:2000-05-24 Cleveland, OH ·AT&T U-Verse
|
trparky
Premium Member
2012-Dec-29 10:46 pm
Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception? I know that that happens when I try to access Object variables when I've not set it to something with "New Object()".
This happens in VB.NET, C#, and even Java. |
|
1 edit |
StuartMW
Premium Member
2012-Dec-30 10:17 pm
said by trparky:Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception? I haven't looked into it in any detail but apparently there's some rather clever techniques that can be used to access deallocated memory. Take a look at the EMET manual as it has basic explanations of some common tricks. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
to trparky
I'm not big on code, trparky When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me. What we have in this thread is the latest information. I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt. |
|
trparky Premium Member join:2000-05-24 Cleveland, OH ·AT&T U-Verse
1 recommendation |
trparky
Premium Member
2012-Dec-30 10:55 pm
Oh shit, I think I know how this exploit may work.
There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.
But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.
All of which EMET helps guard a program against. |
|
trparky |
trparky
Premium Member
2012-Dec-30 10:57 pm
There's something called Structured Exception Handling Overwrite Protection or SEHOP. It does this by preventing attackers from being able to use the SEH overwrite technique by verifying that the threads exception handler list is intact before allowing any of the registered exception handlers to be called or executed. This mitigation technique is made possible by a side-effect of overwriting the SEH. The side-effect is that the pointer in the programs memory stack is corrupted in the process of overwriting the SEH, thus the integrity of the exception handling chain is broken.
An Exception Handler is anything that may include the use of TRY, CATCH, and FINALLY.
I did a presentation on various exploit techniques for my end of class project for my CompTIA Security+ prep class. I covered the use of EMET extensively so I had to actually do some research into how many of these attacks work on a basic level. |
|
trparky |
trparky
Premium Member
2012-Dec-30 11:08 pm
Many of Microsoft's newer programs have these exploit protections baked into the compiled code of the program. But, this only happens with programs that have been compiled with recent versions of the Microsoft Visual C++ Compiler.
My guess is that Internet Explorer 9 and 10, which aren't vulnerable, have been compiled with Visual C++ 2010 or newer and the older versions are still being compiled with pre-2010 C++ compiler thus not having the protections baked into the compiled code. |
|
|
to trparky
said by trparky:But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack.
...
All of which EMET helps guard a program against. That is my understanding as well. |
|
Lagz Premium Member join:2000-09-03 The Rock 2 edits |
to trparky
said by trparky:Oh shit, I think I know how this exploit may work.
There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.
But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.
All of which EMET helps guard a program against. I wonder if flash or IE uses standard exception handlers or do they write their own? My instructor in C# told us to write our own exception handling when possible rather than throw standard exceptions, this might be why. When I was first introduced to exceptions I was like, HELL YEA I don't have to write as much code now. We had been writing our own exception handling up to that point. I wonder if they are just throwing standard exceptions if that's a result from laziness or management hurriedly wanting code pushed out the door? |
|