Today we released MS13-106 which resolves a security feature bypass that can allow attackers to circumvent Address Space Layout Randomization (ASLR) using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010.
The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since this bypass still needs to be used in conjunction with another higher-severity vulnerability that allows remote code execution in order to provide some value to attackers. ASLR is an important mitigation that has been supported since Windows Vista which, when combined with Data Execution Prevention (DEP), makes it more difficult to exploit memory corruption vulnerabilities.
Because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers are very interested in attempting to find new bypass techniques for it. These bypass techniques typically fall into one of three categories:
1) Presence of a DLL at runtime that has not been compiled with the /DYNAMICBASE flag (and is therefore loaded at a predictable location in memory).
2) Presence of predictable memory regions or pointers that can be leveraged to execute code or alter program behavior.
3) Leveraging a vulnerability to dynamically disclose memory addresses.
The ASLR bypass that has been addressed by MS13-106 falls into the first category. The difficulty of finding and using an ASLR bypass varies with the category of the technique. It is generally easier to identify DLL modules that fall into the first category (especially when the search is expanded to third-party browser plugins and toolbars), while it is generally more difficult, and less reusable, to find or create a bypass for the other two categories. For example, two of the recent Internet Explorer exploits that were used in targeted attacks (CVE-2013-3893 and CVE-2013-3897) both relied on the same ASLR bypass, which fell into the first category -- making use of the HXDS.DLL library that is part of Office 2007/2010 and was not compiled using /DYNAMICBASE.
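A defender-side check for the first category, added here as an example and not part of the original post or any Microsoft tool: it reads the PE headers of a module and reports whether the image opted into ASLR (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit that /DYNAMICBASE sets) and whether it still carries relocations, since an image with stripped relocations cannot be rebased even if the bit is set. The header offsets and flag values come from the PE/COFF specification; the `build_test_pe` helper constructs a minimal headers-only image so the check runs offline.

```python
import struct

# PE flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

def parse_aslr_flags(pe: bytes) -> dict:
    """Return the ASLR-relevant header flags of a PE image (raw file bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Characteristics is the WORD at offset 18.
    (file_chars,) = struct.unpack_from("<H", pe, coff + 18)
    opt = coff + 20
    # DllCharacteristics is at offset 70 of the optional header for both PE32 (0x10b) and PE32+ (0x20b).
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the base when the image opts in and keeps its relocation data.
        "aslr_compatible": dynamic_base and not relocs_stripped,
    }

def build_test_pe(file_chars: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 image (headers only, no sections) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)     # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Category 1 from the post: a DLL built without /DYNAMICBASE reports aslr_compatible=False.
    print(parse_aslr_flags(build_test_pe(IMAGE_FILE_DLL | 0x0102, 0)))
```

On a real system the same function can be fed the bytes of each module loaded into a browser process to list the ones that would defeat ASLR for the whole process.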
Bolstering the effectiveness of ASLR helps to harden the security of our products, and that is why MSRC continues to release tools and updates that enforce ASLR more broadly on Windows (such as KB2639308 and EMET) and to release updates that close known ASLR bypasses as part of our defense-in-depth strategy (such as MS13-063 for the bypass presented at CanSecWest 2013).
Today MS13-106 closes one additional known bypass that will no longer be available to attackers.
- Elia Florio, MSRC Engineering