Posted by: David Schneier
Application Security, Microsoft Security
On the same day that Microsoft patched a slew of vulnerabilities in Office and other products, including Internet Explorer, the tubes were abuzz yesterday with news of a new exploit for IE 7 that was being used against fully patched Windows XP and Windows 2003 systems. Early reports of the attack said that it was affecting mainly users in China and other Asian countries. But there are now reports of it moving into other areas as well, and it’s likely to spread quickly.
The attack is related to the way in which IE handles XML. Microsoft is investigating the issue right now. From the excellent analysis of the attack and exploit by H.D. Moore:
The exploit can be broken down into three parts. The first part is a set of three functions used by the exploit. The first function provides the equivalent of a sleep() call, the second sprays a string into the process heap using a common technique, the third returns a string of a specific size and is used by the heap spray code. The second part of this exploit is the shellcode. Without getting into too much detail, this shellcode downloads the real payload – a Windows executable. The third part is the actual vulnerability trigger.
Exploiting this flaw relies on two core requirements; being able to force the instruction pointer to the location of the shellcode and being able to execute the shellcode once the instruction pointer has been set. The first requirement boils down to being able to allocate memory at a known location with arbitrary contents. If it is possible to control the exact location where memory is allocated, a large buffer that doubles as a nop sled is no longer necessary. The second requirement depends on the operating system, configuration, and hardware of the target system. Many of the articles that discuss browser exploits recommend that users enable Data Execution Prevention (DEP). This setting essentially breaks common heap overflow techniques by preventing shellcode from executing in memory regions that are considered “data,” such as the Internet Explorer heap. Unfortunately, DEP is not enabled in Internet Explorer 6 or 7, so unless DEP is manually enabled, it does the target little good.
Microsoft has shown a willingness recently to issue emergency out-of-band patches for critical vulnerabilities, but it likely will be several days at least before we know whether that’s going to happen.