Flaw in Core IE 8 Component Could Enable Remote Attacks

There’s an unpatched vulnerability affecting Internet Explorer 8 running on most current versions of Windows that could give attackers the ability to run code on remote machines. The flaw is a memory leak that gives attackers key information on the location of a specific address in memory, even with memory protections such as ASLR enabled.

The vulnerability, published by Ruben Santamarta of Wintercore, is in mshtml.dll, the Microsoft HTML viewer. Under certain conditions, an attacker could use the vulnerability to get information about the location in memory of addresses that the attacker could use for further attacks. Santamarta published a proof-of-concept demonstration of the attack that in IE8 displays a leaked memory pointer.

Mshtml.dll is a core component of Internet Explorer, and serves as the viewer and parser for HTML content in the browser. Santamarta found that some predictability in the way IE8 handles some timeout events, along with the presence of the memory leak, led to a vulnerability that could lead to remote attacks.

“Well, my theory is that in an effort to not return a plain sequential/predictable ID, Microsoft decided to add a “magic” value. Unfortunately, this “magic” value is a pointer member of the CWindow object which ultimately represents an open browser’s window. Thus we can define it as persistent in memory even after reloading, till the Browser’s instance is closed,” Santamarta said in his analysis of the flaw. “Taking into account that IDEvent is predictable and we know the pointer offset, we can trivially infer the pointer to the persistent CWindow object (leakedPointer – ID_Counter – 0x3c). This fact brings us useful addresses for ROP/Anti-ASLR exploits. :)”
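A simplified C model of the ID scheme described in the quote, added here as an illustration and not taken from Santamarta's proof of concept or from Microsoft's code. The struct layout and all function names are hypothetical; only the 0x3c offset and the subtraction come from the quote. It shows why mixing an object address into a predictable counter discloses the object's location, next to a handle scheme that carries no address bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAGIC_OFFSET 0x3c  /* offset quoted in the analysis */
#define MAX_TIMERS   64    /* assumed table size for the hardened variant */

/* Hypothetical stand-in for a long-lived window object. */
struct window {
    unsigned char pad[MAGIC_OFFSET];
    uint32_t      member;                 /* its address plays the "magic" value */
    uint32_t      id_counter;             /* sequential, predictable */
    uint32_t      generation[MAX_TIMERS]; /* per-slot reuse counter */
};

/* Weak pattern: predictable counter plus an address inside the object. */
uintptr_t weak_timer_id(struct window *w)
{
    return (uintptr_t)&w->member + ++w->id_counter;
}

/* What any holder of a weak ID and the counter value can compute. */
uintptr_t recover_object(uintptr_t id, uint32_t counter)
{
    return id - counter - MAGIC_OFFSET;
}

/* Hardened pattern: slot index plus generation, no address bits at all.
 * The ID is only a lookup handle, so predictability is acceptable here. */
uint32_t opaque_timer_id(struct window *w)
{
    uint32_t slot = w->id_counter++ % MAX_TIMERS;
    uint32_t gen  = ++w->generation[slot];
    return (gen << 8) | slot;
}

int main(void)
{
    static struct window w;
    uintptr_t id = weak_timer_id(&w);
    printf("weak ID reveals object address: %s\n",
           recover_object(id, w.id_counter) == (uintptr_t)&w ? "yes" : "no");
    printf("opaque ID: 0x%x\n", (unsigned)opaque_timer_id(&w));
    return 0;
}
```

An identifier handed to untrusted script should be derivable from a table index or a random value, never from a heap or module address.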

The vulnerability affects IE8 running on Windows XP, Windows Vista and Windows 7 32-bit and 64-bit editions, Santamarta said. The flaw does not affect other browsers, such as Firefox or Chrome.

Earlier this year Santamarta was one of two security researchers–along with Tavis Ormandy–to report a serious Java flaw affecting most versions of Windows. That vulnerability also enabled attackers to bypass ASLR and DEP, two of the key memory protections that Microsoft has added to recent versions of Windows to prevent certain types of memory exploits.
