Reports of DEP being bypassed20 January 2010, 7:01 pmYesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.
Real-world attacks so far still only effective against Internet Explorer 6
We have seen an increase in attacks attempting to exploit the vulnerability detailed in Security Advisory 979352. However, all attacks we have seen so far still target Internet Explorer 6 - this is also confirmed by the attack samples our Microsoft Active Protections Program (MAPP) partners have sent in.
While we have not seen real-world attacks for any other platform, we have seen researchers poking at other platforms and have seen the following:
Private proof-of-concept code exploiting IE7 on Windows XP for arbitrary code execution
Private proof-of-concept code exploiting IE7 on Windows Vista without DEP enabled for code execution within the Protected Mode sandbox. We are not aware of any proof-of-concept code exploiting Windows Vista with DEP enabled.
Commercial, limited distribution proof-of-concept code exploiting IE8 on Windows XP with DEP enabled for arbitrary code execution.
State-of-the-art of attacker research on various platforms
Here’s the current state-of-the-art on each platform:
Windows XP
Windows Vista
Windows 7
IE 6
Public exploit code consistently reliable for arbitrary code execution
N/A
N/A
IE 7
Private proof-of-concept is likely consistently reliable for arbitrary code execution
Private proof-of-concept is likely consistently reliable for limited code execution within the Protected Mode sandbox.
N/A
IE 8
In our testing, the commercially-available, limited distribution exploit results in code execution about one in three attempts. For two in three attempts, it results in an Internet Explorer crash.
No known proof-of-concept code. Current exploits modified for use on Windows Vista would likely be effective for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows Vista.
No known proof-of-concept code. Current exploits modified for use on Windows 7 would likely be effectively for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows 7.
Other mitigations (besides DEP)
We have discussed DEP at length in this blog. As you can see in the table above, two other mitigations help prevent or limit the impact of attacks on later platforms.
Internet Explorer Protected Mode limits the impact of Windows Vista and Windows 7 exploits. Attackers who are able to successfully exploit Internet Explorer on those platforms are stuck in a “sandbox”, potentially able to read data but unable to install programs or change system configuration.
Address Space Layout Randomization (ASLR) makes exploiting vulnerabilities more difficult by relocating normally-predictable code locations pseudo-randomly in memory. ASLR re-bases DLL’s to random locations in memory, making ret2libc type attacks unreliable. Due to ASLR we believe exploits for Internet Explorer 8 on Windows Vista or Windows 7 could result in limited code execution for less than 1% of attempts.
Out-of-band update coming tomorrow
We’ll be releasing a comprehensive, well-tested security update tomorrow morning PST to address this vulnerability. In the meantime, we hope this information helps you assess risk and protect your environment.
Acknowledgements
Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback.
- Jonathan Ness, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*
Source: Security Research & Defense>> To obtain the full Microsoft Security Research & Defense article, click the link in the first post line <<
AuthorTopic: Reports of DEP being bypassed (Read 309 times)
