Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.
Real-world attacks so far still only effective against Internet Explorer 6
We have seen an increase in attacks attempting to exploit the vulnerability detailed in Security Advisory 979352. However, all attacks we have seen so far still target Internet Explorer 6 - this is also confirmed by the attack samples our Microsoft Active Protections Program (MAPP) partners have sent in.
While we have not seen real-world attacks against any other platform, we have seen researchers poking at other platforms. Their progress to date is summarized below.
State-of-the-art of attacker research on various platforms
Here’s the current state-of-the-art on each platform:
Other mitigations (besides DEP)
We have discussed DEP at length in this blog. As the table above shows, two other mitigations on later platforms also help prevent attacks or limit their impact, independently of whether DEP is bypassed.
Out-of-band update coming tomorrow
We’ll be releasing a comprehensive, well-tested security update tomorrow morning PST to address this vulnerability. In the meantime, we hope this information helps you assess risk and protect your environment.
Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback.
Update Jan 20, 2010: Updated "less than 1%" to "1%". Thanks reader Larry for catching arithmetic error.
Update Jan 22, 2010: Updated to reflect new understanding of the commercially-available, limited distribution exploit on IE8 / XP SP3. Also removed formula behind the theoretical 1% ASLR success chance. The formula was off by a fraction of a percentage point and the math to describe it would be difficult to explain. The chance is approximately 1.1%.
- Jonathan Ness, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*