Microsoft Says IE8 Weakness Not an Exploitable Flaw

Microsoft on Friday said that a weakness in Internet Explorer 8 identified by security researcher Ruben Santamarta recently is not an exploitable vulnerability, but rather a “technique for bypassing ASLR.”

ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) are memory protections that Microsoft has added to recent versions of Windows and Internet Explorer in order to blunt some specific memory-based attacks: ASLR randomizes the addresses at which modules and other memory regions are loaded, so an attacker cannot rely on knowing in advance where code and data sit, while DEP marks data pages non-executable so that injected payloads cannot simply be run. Security researchers and software security experts have praised the two technologies as very effective exploit mitigations and have said that ASLR and DEP together make it much more difficult to take advantage of memory-corruption vulnerabilities on Windows machines.

However, the two technologies certainly are not a foolproof defense against attacks. Several researchers have demonstrated various techniques for bypassing ASLR and DEP under certain circumstances, although Microsoft has addressed some of those attacks in recent releases of Internet Explorer.

Santamarta, a researcher at Wintercore, a Spanish security company, recently published information on a flaw he found in mshtml.dll, the HTML rendering engine in IE 8. He said in his advisory that the problem could be exploited to leak a memory pointer in IE 8 which, when combined with another vulnerability, could allow an attacker to run code on a remote machine.
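The mechanics of that kind of bypass, as an added example that is not part of the article or of Santamarta's advisory: a single leaked pointer into a randomized module, plus the module's static layout, is enough to compute every other address in it. The module layout, the RVAs and the 256-slot randomization below are constructed for illustration (32-bit Windows image ASLR loads images 64 KiB aligned from 256 possible bases), not the real layout of mshtml.dll, and no real bug is involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed layout of a hypothetical module. Like a real DLL, its code
 * and data sit at fixed relative virtual addresses (RVAs) from the image
 * base; ASLR only moves the base. These RVAs are invented for the example,
 * not taken from mshtml.dll. */
#define RVA_LEAKED_OBJECT 0x00031a40u  /* where the leaked pointer points */
#define RVA_TARGET_CODE   0x000c2f10u  /* code the attacker wants to reach */

/* Simulated 32-bit Windows image randomization: the base is 64 KiB aligned
 * and drawn from 256 slots, i.e. 8 bits of entropy. */
uintptr_t aslr_pick_base(unsigned slot) {
    return 0x60000000u + ((uintptr_t)(slot & 0xffu) << 16);
}

/* What an info-leak bug hands the attacker: one absolute pointer into the
 * randomized module, nothing more. */
uintptr_t leak_pointer(uintptr_t base) {
    return base + RVA_LEAKED_OBJECT;
}

/* Because the base is 64 KiB aligned, the low 16 bits of any pointer into
 * the module equal the low 16 bits of its RVA. An attacker (or a detector
 * watching for leaked values) can use this to tell a genuine module
 * pointer from garbage before relying on it. */
int leak_is_plausible(uintptr_t leaked) {
    return (leaked & 0xffffu) == (RVA_LEAKED_OBJECT & 0xffffu);
}

/* The bypass itself: subtract the static RVA to recover the base... */
uintptr_t recover_base(uintptr_t leaked) {
    return leaked - RVA_LEAKED_OBJECT;
}

/* ...then add any other static RVA to locate every other address in the
 * module. With one leak, ASLR no longer hides this module. */
uintptr_t rebase(uintptr_t base, uintptr_t rva) {
    return base + rva;
}

/* Without the leak the attacker can only guess the base slot; this is the
 * chance that a single guess is right. */
double blind_guess_probability(void) {
    return 1.0 / 256.0;
}

int main(void) {
    srand((unsigned)time(NULL));
    uintptr_t base = aslr_pick_base((unsigned)rand());   /* the "loader" */
    uintptr_t leaked = leak_pointer(base);               /* the "bug" */
    if (!leak_is_plausible(leaked)) {
        puts("leaked value does not look like a module pointer");
        return 1;
    }
    uintptr_t recovered = recover_base(leaked);
    printf("base %#lx, leaked %#lx, recovered base %#lx, target %#lx\n",
           (unsigned long)base, (unsigned long)leaked,
           (unsigned long)recovered,
           (unsigned long)rebase(recovered, RVA_TARGET_CODE));
    return recovered == base ? 0 : 1;
}
```

The point the quote from Microsoft makes is visible in the arithmetic: the leak by itself corrupts nothing and runs no code, which is why it is not an "exploitable vulnerability" on its own; it only removes the uncertainty that a separate memory-corruption bug would otherwise have to contend with.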

However, Jerry Bryant of Microsoft’s Security Response Center said that the problem is not an exploitable vulnerability.

“The Internet Explorer reverse mode issue targeting mshtml.dll is not an exploitable vulnerability. It is a technique to bypass ASLR (Address Space Layout Randomization) under certain conditions. ASLR is an important countermeasure introduced to help protect customers from memory-targeting attacks that are commonly seen in the wild. The mitigation is most effectively deployed in tandem with DEP (Data Execution Prevention),” he said. “These two mitigations, though not capable of blocking all attacks, are highly effective when used in combination with one another.”

Discussion

  • Anonymous on

    It would be nice if there was one button to turn all zone sliders up, to reset default settings, and one picture telling the current "state". There's a zillion tutorials on how to mitigate the poor security by using the sliders on the zones, but they all assume you're at the terminal with a mouse, and on top of that it's what, 18 clicks/slides? to lock it down, and then 7 more clicks to reset the security. We don't need these tutorials anymore, they're wasting productivity time. I am sick of clicking 20+ times for something which should be on or off. And even then, I am still left wondering and scratching my head, or opening regedit to see if ActiveX might still be running. Who knows all the keys to even lock it down? In order to secure IE do I really have to learn every key there is for IE? Come on. Can we cripple it temporarily? The problem is it's the backend for restore, security, help etc., and some programs, while at the same time we don't want it getting slammed by something it meets on the web.

    This way, IE can be turned off until specifically needed. We all know there are apps which rely on its backend. Must we click 20+ times (like these tutorials on the web suggest) every time we have to expose our system to its threat?

    I never found any script detailing those sliders for the security zones on MSDN; yeah, they're discussed, but not much. The whole issue feels dirty, unfinished, vague. I never found any script at microsoft.com which can place all the zones into high, or reset them. There's a Fix it; I tried to unpack it, but it looked like trash... and not to mention when I look at the sliders they're not all up. They always leave something funky going on in the "custom".

    If somehow IE's security can be ground down into two states, on and off, with a status light? This might possibly move mankind forward. It's like nobody at Microsoft ever took leadership charge of the whole thing and put it under a logical plan to mitigate the ongoing exploits.

    A pipedream I guess. If you can turn the thing off, it's no longer exploitable.

    I am too slow to try to figure out what Microsoft says; by the time I learn some tricks in some API or menu system and am able to script it myself, their website disappears, the menu goes to crap, something breaks and has to be debugged. At least I am trying to learn, but frankly the thing's becoming so obtuse I no longer enjoy its little burps. It's like, okay, is it locked down yet? No? One more? Okay, is it locked down yet? No? Okay, one more? Okay, is it locked down yet? No, one more. Okay, is it... and on and on.

    I'm thinking DESTROY it, then UNDESTROY it.  heh.  Any ideas? 

  • Anonymous on

    It's just lovely how Microsoft claims it's not a problem, but doesn't explain why one would want to bypass ASLR. Having just a security degree with no practical experience "in the wild", to me it begs the question of why I would want to disable a security feature. What are the "certain circumstances"?