MS13-106: Farewell to another ASLR bypass

msrc-blog
Today we released MS13-106, which resolves a security feature bypass that can allow attackers to circumvent Address Space
Layout Randomization (ASLR) using a specific DLL (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010.

The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since
this bypass still needs to be used in conjunction with another higher-severity vulnerability that allows remote code
execution in order to provide some value to attackers. ASLR is an important mitigation that has been supported
since Windows Vista which, when combined with Data Execution Prevention (DEP), makes it more difficult to exploit memory
corruption vulnerabilities.

Because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers
are very interested in attempting to find new bypass techniques for it. These bypass techniques typically fall into one of
three categories:

  1. Presence of a DLL at runtime that has not been compiled with the /DYNAMICBASE linker flag
    (and is therefore loaded at a predictable location in memory).

  2. Presence of predictable memory regions or pointers that can be leveraged to execute code
    or alter program behavior.

  3. Leveraging a vulnerability to dynamically disclose memory addresses.

The ASLR bypass that has been addressed by MS13-106 falls into the first category. The difficulty of finding and using an
ASLR bypass varies based on the category of the technique. It is generally easier to identify DLL modules that fall into the
first category (especially expanding the search through third-party browser plugins and toolbars), while it is generally more
difficult, and less reusable, to find or create a bypass for the other two categories. For example, two of the recent
Internet Explorer exploits that were used in targeted attacks (CVE-2013-3893 and CVE-2013-3897) both relied on the
same ASLR bypass, which fell into the first category – making use of the HXDS.DLL library that is part of Office 2007/2010
that was not compiled using /DYNAMICBASE.
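Defenders can find first-category modules on their own systems before an attacker does: the /DYNAMICBASE decision is recorded in the PE optional header as the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040), and a module that sets it but has had its relocations stripped (IMAGE_FILE_RELOCS_STRIPPED in the COFF header) still cannot be moved by the loader. The script below is an added example written for this page, not code from the MSRC post or from Microsoft; it parses those two headers directly, so it needs no third-party module, and the `build_min_pe` helper fabricates header-only images (constructed samples, not bytes of HXDS.DLL or any real DLL) so the check can be exercised offline. The function and variable names are the example's own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (optional header, winnt.h)
DYNAMIC_BASE    = 0x0040   # /DYNAMICBASE: image opted in to ASLR rebasing
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA: 64-bit high-entropy ASLR
NX_COMPAT       = 0x0100   # /NXCOMPAT: DEP-compatible
# IMAGE_FILE_* bit (COFF file header)
RELOCS_STRIPPED = 0x0001   # no .reloc data, so the loader cannot move the image


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image held in memory
    and report the flags that decide whether ASLR can randomize it."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _m, _n, _ts, _sym, _nsym, _optsize, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # ASLR only moves an image that opted in AND still carries relocation data
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def inspect_file(path: str) -> dict:
    """Convenience wrapper for an on-disk module; the headers fit in the first 4 KiB."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read(4096))


def non_randomized_modules(images: dict) -> list:
    """Given {name: bytes}, return the names that an attacker could rely on as
    a fixed-address module (the first bypass category in the post)."""
    return sorted(name for name, data in images.items()
                  if not inspect_pe(data)["aslr_effective"])


def build_min_pe(dll_chars: int, file_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed test sample: a header-only PE image with no sections.
    0x2102 = IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples (labels are illustrative, not real file names or hashes)
    samples = {
        "legacy_no_dynamicbase.dll": build_min_pe(dll_chars=NX_COMPAT),
        "relocs_stripped.dll": build_min_pe(dll_chars=DYNAMIC_BASE, file_chars=0x2103),
        "hardened_x86.dll": build_min_pe(dll_chars=DYNAMIC_BASE | NX_COMPAT),
        "hardened_x64.dll": build_min_pe(dll_chars=DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True),
    }
    for name, data in samples.items():
        print(name, inspect_pe(data))
    print("fixed-address modules:", non_randomized_modules(samples))
```

Point `inspect_file` at the modules actually loaded into a browser process (the post's own advice is to extend the search to third-party plugins and toolbars) and anything returned by `non_randomized_modules` is a candidate for a vendor update, for EMET's mandatory-ASLR enforcement, or for the registry setting described in KB2639308. The relocations check matters because a module that merely sets the flag without keeping its .reloc section gets no protection from any of those measures.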

Bolstering the effectiveness of ASLR helps to harden the security of our products and that is why MSRC continues to release
tools and updates that enforce ASLR more broadly on Windows (such as KB2639308 and EMET) and to release updates that
close known ASLR bypasses as part of our defense-in-depth strategy (such as MS13-063 for the bypass presented at
CanSecWest 2013).

Today MS13-106 closes one additional known bypass that will no longer be available to attackers.

  • Elia Florio, MSRC Engineering

Related news

When ASLR makes the difference

We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it’s a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today’s blog, we’ll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs not equipped with ASLR yet.

Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322

Today, we released Security Advisory 2934088 to provide guidance to customers concerned about a new vulnerability found in Internet Explorer versions 9 and 10. This vulnerability has been exploited in limited, targeted attacks against Internet Explorer 10 users browsing to www.vfw.org and www.gifas.asso.fr. We will cover the following topics in this blog post:

Assessing risk for the October 2013 security updates

Today we released eight security bulletins addressing 25 CVE’s. Four bulletins have a maximum severity rating of Critical while the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-080(Internet Explorer) Victim browses to a malicious webpage.

MS13-080 addresses two vulnerabilities under limited, targeted attacks

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that have been actively exploited in limited targeted attacks, which we will discuss in detail in this blog entry. CVE-2013-3893: the final patch after Fix it workaround Previously, Microsoft released Security Advisory 2887505 and made available the Fix it workaround 51001 to provide earlier protection to all customers for an actively exploited security issue that was reported to us.

Microsoft Releases Security Advisory 2887505

Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type.