Microsoft on Friday said that a weakness in Internet Explorer 8 identified by security researcher Ruben Santamarta recently is not an exploitable vulnerability, but rather a “technique for bypassing ASLR.”
ASLR (Address Space Layout Randomization) is a memory protection that, along with DEP (Data Execution Prevention), Microsoft has added to recent versions of Windows and Internet Explorer in order to prevent some specific memory-based attacks. Security researchers and software security experts have praised the two technologies as being very effective anti-exploit technologies and have said ASLR and DEP together make it much more difficult to take advantage of memory vulnerabilities on Windows machines.
However, the two technologies certainly are not a foolproof defense against attacks. Several researchers have demonstrated various techniques for bypassing ASLR and DEP under certain circumstances, although Microsoft has addressed some of those attacks in recent releases of Internet Explorer.
Santamarta, a researcher at Wintercore, a Spanish security company, recently published information on a flaw he found in mshtml.dll, the HTML viewer in IE 8. He said in his advisory that the problem could be exploited to leak a memory pointer in IE 8, which, when combined with some other data, could allow and attacker to run code on a remote machine.
However, Jerry Bryant of Microsoft’s Security Response Center said that the problem is not an exploitable vulnerability.
“The Internet
Explorer reverse mode issue targeting mshtml.dll is not an exploitable
vulnerability. It is a technique to bypass ASLR (Address Space Layout
Randomization) under certain conditions. ASLR is an important countermeasure introduced to help protect
customers from memory-targeting attacks that are commonly seen in the wild. The
mitigation is most effectively deployed in tandem with DEP (Data Execution
Prevention),” he said. “These two mitigations, though not capable of blocking
all attacks, are highly effective when used in combination with one another.”
