JIT spraying to circumvent ASLR and DEP
Posted: Wed Feb 03, 2010 10:36 pm
My good forum friends,
We get word that the last two MS defence bastions for IE7 and IE8 also have been overcome by hackers. Yes, by exploiting weaknesses in Adobe Systems' Flash Player, researchers have devised two separate attacks that bypass mitigations Microsoft put into IE 7 and 8. Known as ASLR, or address space layout randomization, and DEP, or data execution prevention, the technologies are designed to lessen the severity of bugs by making it hard for them to cause the execution of malicious code.
Both techniques wield the so-called just-in-time compiler in Flash so that a computer's memory is blanketed with large chunks of identical shellcode. The "JIT-spray" allows attackers to overcome ASLR, which normally thwarts execution by picking a different memory location to load system components each time an operating system is started. (source: http://www.theregister.co.uk/2010/02/03 ... on_bypass/ )
This will be rather difficult for MS to overcome because, as one of the hackers said: "A change in the memory allocator could prevent JIT-spraying," Immune's Nicolas Pouvesie said. "That is, I think, way too complex to do. I don't think we're going to see that happen anytime soon." So the follow-up to heap spraying is here; we just have to wait until this comes to malware in the wild. Maybe this was also a reason for Google Chrome to drop Flash in favour of HTML5: the abuse of functionality in Flash defeated the last two MS defence bastions upholding IE browser security.
Aren't we fortunate souls to have the blessings of NoScript, certainly when the going gets narrow here,
luntrus