Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.

Real-world attacks so far still only effective against Internet Explorer 6

We have seen an increase in attacks attempting to exploit the vulnerability detailed in Security Advisory 979352. However, all attacks we have seen so far still target Internet Explorer 6 - this is also confirmed by the attack samples our Microsoft Active Protections Program (MAPP) partners have sent in.

While we have not seen real-world attacks for any other platform, we have seen researchers poking at other platforms and have seen the following:

  • Private proof-of-concept code exploiting IE7 on Windows XP for arbitrary code execution
  • Private proof-of-concept code exploiting IE7 on Windows Vista without DEP enabled for code execution within the Protected Mode sandbox. We are not aware of any proof-of-concept code exploiting Windows Vista with DEP enabled.
  • Commercial, limited distribution proof-of-concept code exploiting IE8 on Windows XP with DEP enabled for arbitrary code execution.

State-of-the-art of attacker research on various platforms

Here’s the current state-of-the-art on each platform:

| | Windows XP | Windows Vista | Windows 7 |
| --- | --- | --- | --- |
| IE 6 | Public exploit code consistently reliable for arbitrary code execution | N/A | N/A |
| IE 7 | Private proof-of-concept is likely consistently reliable for arbitrary code execution | Private proof-of-concept is likely consistently reliable for limited code execution within the Protected Mode sandbox. | N/A |
| IE 8 | In our testing, the commercially-available, limited distribution exploit does result in successful code execution with DEP enabled. | No known proof-of-concept code. Current exploits modified for use on Windows Vista would likely be effective for limited code execution within the Protected Mode sandbox on 1% of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows Vista. | No known proof-of-concept code. Current exploits modified for use on Windows 7 would likely be effective for limited code execution within the Protected Mode sandbox on 1% of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows 7. |

Other mitigations (besides DEP)

We have discussed DEP at length in this blog. As you can see in the table above, two other mitigations help prevent or limit the impact of attacks on later platforms.

  • Internet Explorer Protected Mode limits the impact of Windows Vista and Windows 7 exploits. Attackers who are able to successfully exploit Internet Explorer on those platforms are stuck in a “sandbox”, potentially able to read data but unable to install programs or change system configuration.
  • Address Space Layout Randomization (ASLR) makes exploiting vulnerabilities more difficult by relocating normally-predictable code locations pseudo-randomly in memory. ASLR re-bases DLLs to random locations in memory, making ret2libc-type attacks unreliable. Due to ASLR we believe exploits for Internet Explorer 8 on Windows Vista or Windows 7 could result in limited code execution for 1% of attempts.
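The risk picture above keys on three things about a machine: which Internet Explorer version it runs, whether it is on Windows XP or a Vista-and-later platform (which brings Protected Mode and ASLR), and what the system DEP policy is. The following Windows PowerShell function is an added example, not code from the MSRC post or from Microsoft; it collects those three facts so an administrator can place a host in the right row and column of the table. The function name is mine; the `Win32_OperatingSystem` DEP properties and the `Internet Explorer\Version` registry value are real. It reports only the system-wide DEP policy: under the OptIn policy, whether the running iexplore.exe process actually has DEP applied depends on the browser opting in, which this script does not verify.

```powershell
# Added example (not part of the MSRC post): inventory the mitigation state
# that the platform/browser table depends on. Run in Windows PowerShell on
# the host being assessed (works on PowerShell 2.0 and later).

function Get-IeMitigationInventory {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy values:
    #   0 = AlwaysOff, 1 = AlwaysOn,
    #   2 = OptIn  (only processes that opt in; the XP/Vista client default),
    #   3 = OptOut (every process unless explicitly excluded)
    $depPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy

    # IE 6 through 9 record their version string under this key.
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ieVersion = (Get-ItemProperty -Path $ieKey -Name Version).Version
    $ieMajor = [int]($ieVersion.Split('.')[0])

    # Protected Mode and ASLR exist only on Windows Vista (NT 6.0) and later,
    # so an NT 5.x host (Windows XP / Server 2003) has neither.
    $osVersion = [Version]$os.Version
    $hasProtectedModeAndAslr = ($osVersion.Major -ge 6)

    New-Object PSObject -Property @{
        OS                    = $os.Caption
        OSVersion             = $os.Version
        IEVersion             = $ieVersion
        IEMajor               = $ieMajor
        DEPAvailable          = $os.DataExecutionPrevention_Available
        DEPPolicy             = $depPolicyNames[$depPolicy]
        # AlwaysOn or OptOut means DEP covers IE regardless of whether it opts in.
        DEPAppliesToAllApps   = ($depPolicy -eq 1 -or $depPolicy -eq 3)
        ProtectedModeAndASLR  = $hasProtectedModeAndAslr
    }
}

# Usage: print the inventory for this host.
Get-IeMitigationInventory | Format-List
```

A host reporting `IEMajor = 6` falls in the row the post says is being exploited in the wild today; `IEMajor = 8` with `DEPAvailable = True` on an NT 5.1 OS corresponds to the IE8/XP cell, and any host with `ProtectedModeAndASLR = True` is in the Vista or Windows 7 column where the post puts the per-attempt success chance at roughly 1%.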

Out-of-band update coming tomorrow

We’ll be releasing a comprehensive, well-tested security update tomorrow morning PST to address this vulnerability. In the meantime, we hope this information helps you assess risk and protect your environment.

Acknowledgements

Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback. 

Update Jan 20, 2010: Updated "less than 1%" to "1%". Thanks to reader Larry for catching the arithmetic error.

Update Jan 22, 2010:  Updated to reflect new understanding of the commercially-available, limited distribution exploit on IE8 / XP SP3.  Also removed formula behind the theoretical 1% ASLR success chance.  The formula was off by a fraction of a percentage point and the math to describe it would be difficult to explain.  The chance is approximately 1.1%.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*