Today Microsoft released a new security advisory to help protect users from a vulnerability affecting Internet Explorer versions 6, 7, and 8. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.
Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs in order to allocate executable memory, copying their shellcode and jumping into it.
Although Microsoft is currently not aware of any attacks, given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack may increase.
Users of Windows Vista and later versions of Windows are strongly encouraged to protect themselves against this issue by installing the free Enhanced Mitigation Experience Toolkit (EMET) and proceed to protect the iexplore.exe process.
When EMET is in place, this type of exploit will most likely fail. This is because of at least three mitigations:
- Mandatory ASLR: This mitigation will force the mscorie.dll to be located on random addresses each time.
- Heap Spray pre-allocation: Some of these exploits use some common used heap pages for placing ROP data such as 0x0c0c0c0c.
- EAT Filtering: Running shellcode can potentially be blocked by this mitigation.
Additionally, users should be aware that protected Mode in Internet Explorer on Windows Vista and Windows 7 helps to significantly limit the impact of currently known exploits. Protected Mode is on by default in Internet and Restricted sites zones in Internet Explorer 7 and 8, and prompts users before allowing software to install, run or modify sensitive system components.
Microsoft continues to investigate the vulnerability and will release a comprehensive security update once available.