Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate executable pages of memory at predictable locations within the iexplore.exe process. They were then able to demonstrate how .NET behavior could be combined with a separate exploitable memory corruption vulnerability to run arbitrary code. It was actually pretty brilliant. You can find the paper here.
We are always learning from the security community. The feedback we receive from the community is invaluable. It is usually a different view of our products that we can use to help protect customers. Last week, the IE team launched IE8 with an interesting mitigation that comes directly from the security community’s feedback. The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone.
IE8 is pretty cool technology. We have been using it internally now for a while. One of the great things about it is the layering of defenses on top of defenses. No browser is 100% secure but we are hoping if we keep adding defenses they will be harder and harder to exploit. We heard from security researchers and exploit writers at both CanSecWest last week and SOURCE Boston the week before that writing exploits for Windows Vista is “very, very hard” with all these mitigations to work around. We expect that blocking the .NET DEP+ASLR bypass will make it even harder.
We have smart engineers thinking all day every day about mitigations and testing ways to bypass our defense-in-depth approach to security. If you have an idea that you’d like to share, please email us at switech _at microsoft.com. Thanks!
- Jonathan Ness, MSRC Engineering
*Postings are provided “AS IS” with no warranties, and confers no rights.*