My good forum friends,
We get word that the last two MS defence bastions for IE7 and IE8 have also been overcome by hackers. Yes, by exploiting weaknesses in Adobe Systems' Flash Player, researchers have devised two separate attacks that bypass mitigations Microsoft put into IE 7 and 8. Known as ASLR, or address space layout randomization, and DEP, or data execution prevention, the technologies are designed to lessen the severity of bugs by making it hard for them to cause the execution of malicious code.
Both techniques wield the so-called just-in-time compiler in Flash so that a computer's memory is blanketed with large chunks of identical shellcode. The "JIT-spray" allows attackers to overcome ASLR, which normally thwarts execution by picking a different memory location to load system components each time an operating system is started. (source: http://www.theregister.co.uk/2010/02/03 ... on_bypass/ )
This will be rather difficult for MS to overcome because, as one of the hackers said, "A change in the memory allocator could prevent" JIT-spraying. Immune's Nicolas Pouvesie said: "That is, I think, way too complex to do. I don't think we're going to see that happen anytime soon." So the follow-up to heap spraying is there; we just have to wait until this comes to malware in the wild. Maybe this was also a reason for Google Chrome to drop Flash in favour of HTML5: the abuse of functionality in Flash defeated the last two MS defence bastions upholding the IE browser security.
Aren't we fortunate souls to have the blessings of NoScript, certainly when the going gets narrow here,
luntrus
JIT spraying to circumvent ASLR and DEP
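The post describes the effect of a JIT spray as memory being "blanketed with large chunks of identical shellcode". That repetition is also what a defender can look for in a memory dump. The following is an added example, not code from the forum post or from any product named in it: a heuristic that scores a memory region by how much of it is covered by its single most frequent fixed-size block. The three regions it scores are constructed in the script (a seeded pseudo-random chunk repeated 256 times, a region of seeded pseudo-random bytes, and a zero-filled page), not captured from a real process; the chunk size and thresholds are assumptions a practitioner would tune against their own process dumps.

```python
"""Heuristic scoring of memory regions for JIT-spray-like repetition.

Added example, not from the forum post. A JIT spray fills memory with many
copies of one machine-code chunk, so a region whose single most common
block accounts for most of its bytes is suspicious. Real code and data
rarely repeat a 64-byte block hundreds of times, but padding does, so
single-byte fill (zero pages, alignment padding) is treated as benign.
"""
from collections import Counter
import hashlib
import random

CHUNK_SIZE = 64          # assumed block size; tune to the spray sizes seen in practice
MIN_COVERAGE = 0.5       # assumed: flag when one block covers half the region or more
MIN_COPIES = 16          # assumed: and occurs at least this many times


def chunk_repetition(region: bytes, chunk_size: int = CHUNK_SIZE):
    """Return (coverage, copies, block) for the most frequent chunk_size-byte
    block in region.

    coverage is the fraction of the region that block accounts for (capped at
    1.0), copies is how often it occurs. Every byte offset is hashed, so a
    repeated chunk is found whatever its alignment relative to the region
    base.
    """
    if len(region) < chunk_size:
        return 0.0, 0, b""
    counts = Counter()
    first_seen = {}
    for off in range(len(region) - chunk_size + 1):
        block = region[off:off + chunk_size]
        key = hashlib.blake2b(block, digest_size=8).digest()
        counts[key] += 1
        first_seen.setdefault(key, block)
    key, copies = counts.most_common(1)[0]
    coverage = min(1.0, copies * chunk_size / len(region))
    return coverage, copies, first_seen[key]


def looks_sprayed(region: bytes, chunk_size: int = CHUNK_SIZE,
                  min_coverage: float = MIN_COVERAGE,
                  min_copies: int = MIN_COPIES) -> bool:
    """True when one non-trivial block dominates the region.

    A block made of a single repeated byte value is ordinary fill, not a
    sprayed payload, and is never flagged.
    """
    coverage, copies, block = chunk_repetition(region, chunk_size)
    if not block or len(set(block)) == 1:
        return False
    return coverage >= min_coverage and copies >= min_copies


# Constructed sample regions (not captured from any process).
_rng = random.Random(20100203)
SPRAY_CHUNK = bytes(_rng.getrandbits(8) for _ in range(CHUNK_SIZE))
SPRAYED_REGION = SPRAY_CHUNK * 256                       # 16 KiB of one repeated chunk
BENIGN_REGION = bytes(_rng.getrandbits(8) for _ in range(16384))
PADDING_REGION = b"\x00" * 16384                         # zero-filled page


def report(name: str, region: bytes) -> str:
    coverage, copies, _ = chunk_repetition(region)
    verdict = "SUSPICIOUS" if looks_sprayed(region) else "ok"
    return f"{name:8s} coverage={coverage:.3f} copies={copies:5d} {verdict}"


if __name__ == "__main__":
    for name, region in (("sprayed", SPRAYED_REGION),
                         ("benign", BENIGN_REGION),
                         ("padding", PADDING_REGION)):
        print(report(name, region))
```

The heuristic is deliberately coarse: it says nothing about what the repeated block does, only that a region is unusually self-similar, which is the property the spray relies on to land execution at an unknown address. It should be run over executable, writable-then-executable, or recently JIT-allocated regions rather than the whole address space, since shared libraries and data heaps have their own repetition patterns.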
Re: JIT spraying to circumvent ASLR and DEP
So this raises the question of why exploiting Flash wouldn't result in the same issues with Firefox. We know that NoScript can be used to block Flash (including whitelisted sites). I recently read an article (http://threatpost.com/en_us/blogs/one-e ... are-020310) concerning the number of hacked sites where a user might trust the content of the site (because they trust the site). The user might load the Flash object (because they trust the site) which means that if Firefox + Flash is vulnerable the only defense is to not load any Flash objects ever.
Re: JIT spraying to circumvent ASLR and DEP
Plugins in IE8 don't run in their own processes, like they do in Google Chrome?