Welcome to TechNet Blogs Sign in | Join | Help

TARGETED FUZZING

The sniper

 

Normal fuzzing is like shooting a machine gun in the dark and having no idea where the target is. You might hit the target a number of times, but you also miss an awful lot, and it takes a lot of rounds. Using targeted fuzzing, on the other hand, is a bit like a sniper observing the targets and picking them off one by one. I prefer the sniper approach because, although you may not get a wide range of results, you will often get more meaningful data and let’s face it, snipers are cool. :)

 

XSS Filter and the javascript protocol

 

I contract for Microsoft testing the security of the XSS Filter, which is due to be released soon in the next version of Internet Explorer. Part of this work involves making sure that XSS Filter successfully detects javascript protocol injections in various ways. I saw this as an ideal opportunity to perform some targeted fuzzing to obtain every possible combination.

 

The first task was to gather as many known inputs as possible, javascript:  can be represented in various ways as I'm sure you're aware of like javascript:, for example.  Then you gather any unknown input combinations. So in this case you can traverse the amount of characters from 0 to 65535 or more, and either replace part of the string or add to it. In addition to this, you can also encode the character in different ways as mentioned previously, �  etc. The standard way of performing such a fuzz would be to use iframes because this allows you to execute javascript: automatically, however, I encountered a problem using this method; It's very slow and takes up too much memory for the amount of data I wanted to test. 

 

Making a targeted fuzzer is about understanding how to achieve your goal in the quickest possible time and finding your targets quickly. To do this, I decided to use the browser to my advantage, when creating links in any browser it is possible to find if that link uses a certain protocol like HTTP and also javascript:. I decided to let the browser tell me if my fuzz was successful. Using normal <A> links makes the fuzzer much faster and it was possible to scan around 10,000 links at once. Using this speed, it was possible to scan characters 0 to 65535, and if they were URL encoded, HTML entities, replace or add in every combination in only a few minutes.

 

If you found the Javascript protocol fuzzer interesting, the source code can be found here:

http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.phps

 

A demo of the final result can be viewed here:-

http://www.businessinfo.co.uk/labs/javascript_protocol_fuzzer/javascript_protocol_fuzzer.php

 

Logging the results

 

The protocol fuzzer I described had a huge advantage over traditional fuzzing, because the data didn't cause a browser crash, it was possible to log all results without any problems. I did this using a standard JavaScript logger, which involves creating a dynamic image in JavaScript and sending the results to a server side script like the following code:

var logger = new Image();

logger.src='yoururl.php?link='+yourdata;

 

What if your goal is to crash the browser? I came across this exact problem when working on another project for Microsoft. There are two ways to achieve this, one is to log the results before sending the output and the other is to remotely control the target and have the fuzzing code sent to the target. I decided because I was interested in how to crash the browser once with the code I supplied, I would log the results first before sending the output to the browser. You can do this in PHP by using output buffering; other languages may have similar features. Output buffering works by constructing the page before sending it to the browser, this is ideal because you can log the results and then send the data and see what happens. Here is a simple code snippet that I used:-

 

<?php

function saveCache($buffer) {

                $fp = fopen('cache.txt', 'w') or die('unable to open');

                fwrite($fp, $buffer); // Log the results

                fclose($fp);

                return $buffer;

}

ob_start("saveCache"); // Don't send it to the browser yet

?>

Your fuzz output here

<?php

ob_end_flush(); // Send the output to the browser

?>

Summary

 

My fuzzer proved very successful and enabled me to perform some rigorous testing on the XSS filter to make sure it detected many javascript protocol injections. Because the code I wrote worked across browsers it also found some interesting cross browser issues which was an added bonus. Here's a small sample of some interesting results it found in Firefox 2.0.0.14:-

 

Char: 56320, link: jav&#56320ascript:

Char: 56321, link: jav&#56321ascript:

Char: 56322, link: jav&#56322ascript:

 

I hope you enjoyed my article and I hope to see you all at BlueHat this October. Happy sniping.

 

-Gareth Heyes, Independent Security Researcher

Posted Thursday, August 14, 2008 12:40 PM by BlueHat | 0 Comments

THE BUSINESS OF PUTTING US OUT OF BUSINESS

Let me tell you about a great business plan I ran into recently. It’s not the traditional “we’re all going to make millions” operation, but it has some characteristics you’ll relate to if you have ever tried to pitch a startup idea to a VC …

This is a business that has remarkably innovative financing and sales/marketing operations.  Almost a bootstrapping model, getting the business started does not require any more than an initial investment of let’s say $1,000 (now that is something you don’t see a lot of with VC pitches).  Are you interested yet?  This $1,000 goes into the basics – infrastructure and the initial “wages” for your sales channels.  (Yes – we are building on a pure channel partner program, as we are not that great in direct sales….) You’ll plan on recovering these in a short term of let’s say a couple of months, if not doubling your investment by then.

Okay, I’m not going to keep you waiting for too long – the business I’m talking about is one that I have spent days (and nights) researching and analyzing over the past year.  It’s the business of making money online – e-crime. This business is really close to you – you’ve seen it on sites such as CNN, eBay, your online banking provider, and other major news/finance/entertainment portals.  You’re closer to it than you may realize, as the “channels” I have mentioned earlier are in full utilization and can get to YOUR favorites list.  And this is not all sci-fi – I have had a chance to spend some quality time with a few law enforcement agencies and correlate my data with their findings.  There’s nothing like seeing an organization chart of the national organized crime at a police intelligence office, and overlapping it with the e-crime data brought in from the security research side!

Covering this area is an intriguing mix of business, finance, and a lot of technical forensics that really provides a view of the big picture.  From understanding and following the distribution payout business models, through the internal update mechanisms of custom toolkits (and their “phone home” licensing mechanisms – see the image below showing how Neosploit is contacting it’s licensing server as seen from an IDA disassembly of the toolkit).

All in all, I would say that this area of research is one of the most challenging I have had a chance to be involved with.  The variety of skills required (technical, business, finance and sometimes social…) is what I perceive would be required from any modern security researcher getting into this field (and us veterans know that the adaptation is fun!).  Getting into the details of the kind of operation that has such a direct impact on how web security is perceived by the general public, by corporations who get hit by targeted ROI-driven attacks, and by security vendors and researchers trying to find the right solutions and stay ahead of the curve, has proven to be a real eye-opener.  And this is coming from a guy that used to do UNIX security, then network stuff, application security in the heyday of 2000, and now business/technical of e-crime.

Looking forward to seeing a lot of old (and new) friends while I’ll be presenting at BlueHat v8 this October, and until then – promise to keep collecting anecdotes and code for what I hope will be an entertaining and informational talk.

Iftach Ian Amit

Director, Security Research, Aladdin

Posted Friday, August 01, 2008 12:04 PM by BlueHat | 0 Comments

Title: A Buddhist Monk Goes Up to a Hot Dog Vendor…

…and says “Make me one with everything.”  Aside from that fact that most hot dog vendors don’t carry Tofu Pups, we’re taking this joke seriously for the next iteration of BlueHat, and giving you some attack content as well as talking about proactive defense. 

 

Coming this October, the BlueHat team will partner with the SDL team to create two full days of content, the first day focusing on new attacks and the emerging threat horizon, and the second day focusing on steps we can take as software architects, developers, testers, and maintainers to make code more secure in the first place.

 

Stay tuned for guest blog posts here and on the SDL blog from both sets of speakers, with topics ranging from attack to defense.  It’s about changing the balance between attackers and defenders; it’s about showing both sides of the same coin; and it’s about time.

 

Katie Moussouris, Security Strategist II

Bryan Sullivan, Security Program Manager

Posted Friday, July 18, 2008 9:13 AM by BlueHat | 0 Comments

XSSFilter in Internet Explorer 8.0

Hello everyone, this is Robert "RSnake" Hansen. It’s been a while since I’ve talked with the BlueHat folks but only because I’ve been busy behind the scenes working on some cool stuff with the Microsofties.  I was pleasantly surprised to hear I am now allowed to talk about one of the things I have helped work on. David Ross mentioned it in a blog post he wrote some time ago, but it has come a long way from that point. He called it “XSS-Focused Attack Surface Reduction goodness” for lack of a better term, but now I think we’ve happily settled on a shorter and more memorable name - “XSSFilter.”

 

In Internet Explorer 8.0, users will be protected from the vast majority of real world XSS attacks. David spent a lot of time analyzing the most common variants and has built a tool to isolate and protect against those attacks for the vast majority of Internet users out there. The tool protects against reflected XSS in particular, and not against the lesser common DOM or persistent XSS varieties. XSSFilter is certainly not a panacea and it’s still recommended that developers follow good programming practices, but this comes as welcome news to me personally and the vast majority of Internet users who will be protected from an attack they probably couldn’t even spell. And best of all, it will be by default – asking consumers to install security plug-ins has never worked well. Taking it out of the consumer’s hands is a huge leap forward.

 

I’ve been talking about browser security for quite a while in my speeches and on my site – we can’t expect programmers to fix all their flaws, especially in legacy applications. The browser is one of the few important choke points on the Internet, where client side issues can be heavily mitigated and we can begin to get ahead of the problem. Indeed, XSS is a prime example of what can happen when attackers start using the browser as a conduit for attacks against web applications and consumers. Since we know it’ll be a long time (or maybe even never) until we see every critical web application protecting itself, this is a great short term stop-gap for the vast majority of XSS issues against the Internet Explorer browser.

 

Only time will tell how attackers move and adjust to these changes, but in the near term, I’m happy to have played a small part in adding one more weapon in the fight to protect consumers.

Posted Wednesday, July 02, 2008 1:32 PM by BlueHat | 0 Comments

Blue Hawaii

After a whirlwind trip to beautiful Honolulu, Hawaii to give the Day 2 keynote at ShakaCon, I am finally back to reality here at Microsoft.  More on that shortly, from another blog...

Right here, right now, BlueHat video interviews with the speakers are available.  From "Bad Sushi: Beating Phishers at Their Own Game" with our own Billy Rios to "Token Kidnapping" with Cesar Cerrudo of Argeniss -- get an exclusive sneak peek into what really happened at BlueHat v7.

Or play a game with your friends:  How many times do Dan Kaminsky and I say "RickRoll" during his interview?  Submit your answer in the comments of this blog.  First correct answer will receive a prize if you come see me, Mike Reavey, and Captain Steve Adegbite at Black Hat this July!  Be sure to also see Billy Rios, Bryan Sullivan, Bruce Dang, and David Weston.

Aloha!

Katie Moussouris, Security Strategist
Posted Thursday, June 19, 2008 1:47 PM by BlueHat | 0 Comments

"Mr. Miller Goes to Washington"

Hi, Charlie Miller here.  I was asked to come out to BlueHat to participate in a panel discussion about the vulnerability economy and selling exploits and such.  Hopefully the folks who sat through us arguing for an hour got something out of it.  I enjoyed it.

When I'm not out shining a light onto the dark world of exploit sales, I'm usually spending my time looking for bugs in software, particularly with fuzzers.  BlueHat was a great opportunity for me to talk to some guys on the Microsoft fuzzing team.  BlueHat’s reason for being is to bring Microsoft employees together with security researchers, or "hackers".  It can be a really interesting dynamic because traditionally, we are rivals.  People like me try to find and exploit vulnerabilities, and people at Microsoft try to eliminate vulnerabilities or make them harder to exploit.  One thing for sure, it’s definitely easier and more fun to be on the attacking side than the defending side!  But anyway, the funny thing about BlueHat is that there are guys like me trying to figure out how Microsoft people work, how they test their software, how they run their fuzzers, and so on, in order to think of better ways to attack their software--while people from Microsoft are trying to figure out how researchers think, to better defend their software.  It's great fun and everyone benefits, I think.
Posted Friday, May 09, 2008 10:41 AM by BlueHat | 0 Comments

Can I interest you in a glass of Berry Blue Kool-Aid?: A Recap of BlueHat v7

Hello all, Nate McFeters here to give you a recap of all the fun at Microsoft BlueHat v7.  If you don’t know me, I work for Ernst & Young’s Advanced Security Center and I also blog over at ZDNet’s Zero-Day Security Blog.  You may have also seen me on the conference circuit, as I’ve spoken recently at such prestigious events as Black Hat and ToorCon.  This time around though, I wasn’t brought in to speak at a conference; Microsoft had Rob Carter (also from EY’s ASC) and I come in to discuss some recent vulnerabilities that we’ve discovered with a few third-party vendors with whom Microsoft has tight relationships.  Actually, that’s worth a shout out to Katie Moussouris for being awesome and putting Rob and I in touch with the proper people to get our issues fixed AND bringing us in to BlueHat for our efforts.

 

Coming to Seattle is always a treat for me.  The hacking/security research community is represented in Seattle like no other place that I’ve been to.  Of course, Seattle did not let me down once again!  On Wednesday, I got a chance to attend the iSec Partners party, celebrating the opening of their new Seattle office, so congrats to all those guys.  After the iSec party, I rolled over to the BlueHat speaker’s party with Billy Rios (former EY ASC guy, now a Microsoft employee, and a BlueHat Speaker) and got a great opportunity to drink free beer and hang out with some industry leading figures, such as Alex (kuza55), Fukami, Sowhat, and Manuel Caballero.

 

After a long first night, I took care of some work-related stuff and relaxed most of Thursday… that is, until the BlueHat party.  It was a great premise: Put a bunch of hackers in a bar and feed them free booze until closing time… the night before the big show!  Good thing these guys are professionals!

 

The highlights of the talks for me were:

 

1.)         Getting to see Alex (kuza55) discuss browser insecurities to a packed audience.  This guy has some really progressive stuff, but what really stuck to me was Alex’s mature understanding of the greater picture, which was truly impressive, even more so from a 17-year-old.  He discussed the need for more transparency from vendors on the standards that the browsers depend upon… nowhere was this more interesting than in the case of Cross-site Cooking and his FindMimeFromData attack.  Alex explained how dangerous the lack of understanding of these technologies are, and how, unless the security community is given more of the bigger picture, we can expect these issues to lay dormant until discovered, and of course, we have no guarantee that it will be a good guy finding it.

 

2.)         Watching Billy Rios’ and Nitesh Dhanjani’s phishing discussion, which was by FAR the most entertaining and enlightening talk that I’ve ever seen.  The talk was basically a recap of research that Billy and Nitesh got involved in over a year ago, where basically they joined up to the phishing community and realized that it’s not just about phishing, it’s really about identity theft.  They discovered that phishing was just one means of supply to fill the demand for identities in the identity theft ecosystem.  They were able to discover phishing sites, the kits that phishers use, and the sites where phishers sell stolen identities… truly unbelievable.  The saddest thing was realizing just how tech un-savvy these phishers truly are, and then further realizing how huge an impact they’ve caused to the Internet.  If you have not seen this talk, you should absolutely go catch it at Black Hat Vegas. If you have, I’m sure you’ll be seeing it again.

 

3.)         Manuel Caballero discussed something that originally didn’t catch my attention.  It initially sounded like the same research that’s been put into cross-site scripting attack frameworks, which basically involved using XSS to create a bi-directional communication channel between victim and attacker for exploitation of XSS.  Then I realized what Manuel was really talking about.  Resident scripts have put the fear of God into me.  Whereas a normal cross-site scripting attack vector is great for the site that was cross-site scripted, it stopped there; it couldn’t follow you off-domain.  Manuel’s can.  Scary. 

 

After the presentations, I was fortunate enough to get included in the IOActive Limo Race after party.  I’ve never been involved in an event that led to as many hilarious pictures as that one.  Specifically, the pictures of Dan Kaminsky, David Hulton, and Andrew Cushman are priceless.  Thanks to Josh Pennell and all the IOActive crew for putting that on -- it was outstanding fun.

 

All of that and I closed off the week by coming home to Chicago and proposing to my long-time girlfriend, Melissa Radocha (she said yes, thank God!), so it was probably one of the best weeks of my life.  Sorry to all of the media guys like Ryan Naraine and Rob McMillan who I’m sure wanted to join me, but keep in mind, I wasn’t here for media coverage… I just got lucky to steal an exclusive by having some research that Microsoft was interested in!  J

 

-Nate

 

------------------ 

Editor's Note:  The BlueHat planning team wishes to extend our heartfelt congratulations to Nate and Melissa!
Posted Tuesday, May 06, 2008 10:29 AM by BlueHat | 1 Comments

Mi Casa Es Blue Casa

BlueHat is not just an event, it’s a community, a network based on relationships developed over time, an integral part of our engineering science and outreach security efforts at Microsoft. As part of the team 'shipping' BlueHat, I spent some time in the speaker lounge – the room where speakers, community and Microsoft folks gather and meet during the conference. It was both fascinating and surreal and we look forward to bringing you more commentary about the event along with video podcasting via the blog in the coming weeks.

BlueHat is rewarding to me because our team is able to help virtual teams form out of traditional rivalries.  Observing Adobe’s response team in discussions with Fukami – a Flash researcher notoriously at odds with the company. Participating in lively discussions about Mark Dowd’s latest research paper. Watching ”aha!” moments happen as product teams and researchers from all over Microsoft met with the researchers focusing on their products. CERTs, major guidance providers and security researchers breaking bread together. Community members (such as, several members of the TESO board of directors) greeting each other in person for the first time, after knowing each other virtually, for years. Legendary researchers in the community engaging in dialog with new up-and-comers like Alex K.

BlueHat also brings home how much security work is ahead of us and the how the asymmetry between attack and defense continues to widen. Bryan Sullivan’s talk highlighted that although we have made outstanding progress securing the operating system, we now have to make that same outstanding progress in the Web space. An environment with development cycles measured in weeks versus years, and one that presents challenges to the application of the traditional SDL. Billy Rios and Nitesh Dhanjani kept us entertained while confirming that phishing is easy, prolific, money-driven and not as funny as your father’s maiden name. All the panelists reminded us that researchers continue to look for vulnerabilities and there are many 3rd party attack vectors, apart from the OS and core shipped components, even including security products.    

We recognize the need for community-based defense (researchers, guidance providers, CERTs, etc.) as we continue to introduce new folks into the BlueHat network. Thank you to all of the speakers, guests and passionate supporters of BlueHat– we look forward to continuing to evolve and add value to this important community.

It’s our planet – let’s secure it!

Sarah Blankinship

Senior Security Strategist

Posted Monday, May 05, 2008 4:11 PM by BlueHat | 0 Comments

Security at the big software vendors

Cesar Cerrudo of Argeniss here. I was thinking what to write about in this blog post and I decided that this would be a good opportunity to acknowledge Microsoft security efforts by highlighting Microsoft improvements, and also to compare how security is currently handled by the other big software vendors.

 

While I don't like some Microsoft policies and how some security issues are handled by Microsoft sometimes, Microsoft is currently the software vendor that cares the most about security, and this can be seen in the increased security of their software. It has improved a lot in the last few years. Of course nobody is perfect, and Microsoft software will continue to have security vulnerabilities, but they will continue improving.

 

My team and I have been finding and reporting hundreds of vulnerabilities to major vendors for the last 6 years, so I guess I have some experience in the subject.

 

Let’s talk about two of the biggest software vendors. I’m not going to mention their real names. Let’s just say they are Vendor A and Vendor B.

 

First we have Vendor A. This vendor talks more than it acts. They are always talking about how much they train developers in security, how much they care about security, how they use these wonderful products that find all security issues, and even make and serve coffee while doing it, and blah, blah, blah. But reality is far different from what they say.

 

Let’s take an example: You report X vulnerability in Y functionality to them, and they will take their time to fix it (and it could take a couple of years sometimes). Furthermore, they just fix the X vulnerability in Y functionality. They don't investigate whether the same vulnerability is present in Z functionality. But that's not all, they only fix your reported attack vector. They don't look for other attack vectors. But wait, that's not all -- the developer will produce a fix that can't even prevent a variation of the reported attack and this fix goes straight to production. I really wonder how this vendor determines when a fix is ready to go into production, since not enough testing seems to have been done.

 

Nobody seems to notice that the fix sucks, then when the fix is ready, the vendor will inform you they have produced a fix for the vulnerability in software version 1a, 2a, and 2b, and that they will release it at some future date. When the fix is released, you test the fix in the corresponding versions and then you realize that there is no fix at all in version 1a and that the fix on version 2a and 2b only works when trying to exploit the vulnerability in the exact way you reported. If you change the exploit slightly, then the fix doesn't work, so you contact them again.

 

You go through the same process one more time, and then a new fix is released. With the new fix, you find out again that the fix in version 1a is not present, and the fix in version 2a works well, but the fix on version 2b still doesn't work with exploit variations. The same process goes on again and again, until some day after 2, 3, or 4 fixes, the vulnerability is finally fixed on all the affected software versions.

 

Unbelievable, eh? Well, that is how Vendor A is currently producing security fixes. Vendor A is clearly many years behind Microsoft when it comes to security.

 

Let’s talk now about Vendor B. This vendor has a lot of experience producing software, and like Vendor A, it is one of the big vendors. Vendor B seems to produce good fixes for security vulnerabilities, but they have a bigger problem. It seems their developers are not very familiar with security.

 

For instance, the latest version of one of their most popular software packages still has stack overflows that you can find in 5 minutes. It also has everything open by default, and by changing just one byte in software protocol packets you can easily crash the software.

 

You can tell that some developers don't really get security and that they have the final decision when to produce a fix. If you report a vulnerability related to some functionality that's accessible to all users by default, and that can be abused to perform evil actions, they will just respond that the functionality is used by their customers and that it can't be abused. And that's it, developers don't realize that their competitors’ software has restricted the same functionality by default for security reasons a long time ago. Vendor B doesn't seem to have a security response team, since most of the time, reports are handled directly by developers or software managers. I could continue with more examples, but I think you get the picture. What is weird is that Vendor B some time ago acquired an important security consulting company that had really skilled people. I wonder why these people are not helping to improve their own software security, instead of doing cool research on new attacks on software from other vendors and providing external consulting services in order to help other companies. Weird.

 

Again Vendor B is clearly many years behind Microsoft when it comes to security.

 

I have criticized and pointed out Microsoft security problems many times and I will continue doing it when it's necessary, but I really think that Microsoft is ahead by many years in security, compared to other vendors. Microsoft is leading security efforts in the software industry.

 

I have seen Microsoft make huge improvements over time. Some Microsoft products’ previous versions had dozens of vulnerabilities, but now the newest version has almost no vulnerabilities. I haven't seen that in any other products from other vendors, and this is something really amazing that nobody seems to notice.

 

I think other vendors will improve over time and that Microsoft is indirectly helping them with the knowledge and research it generates. By looking at Microsoft, these other vendors could get an idea on how to get better at security.

 

BlueHat is another innovative way Microsoft has developed to improve security. If you have something to say that will help to improve security in its products, then Microsoft will listen to you.

 

As I always say: “Vendor A and Vendor B are very lucky because they never had a worm.”

 

-Cesar
Posted Wednesday, April 30, 2008 3:40 PM by BlueHat | 1 Comments

The Battle for the [Browser] Your PC

Hello, this is Rob Hensing. I work with the SWI team at Microsoft. One focus of my job is looking for mitigations and workarounds that we can use to protect our customers against vulnerabilities and exploits. Part of this involves testing out the mitigation technologies that we’ve baked into a lot of our products as part of the SDL process, such as buffer overflow protection like /GS, execution prevention via DEP, and address space randomization via ASLR.  As a result, I spend a lot of time studying responsibly (and irresponsibly) disclosed vulnerabilities in a debugger and looking for crazy things our customers can do to protect themselves from attempts to exploit those vulnerabilities. Something that has been on my mind a lot lately is the battle for the browser and the attack surface the browser represents to the average user. And what I really mean is the battle for control of your PC by bad guys via your browser. J Obviously this is nothing new, bad guys have been pwning average users’ PCs for years using browsers, but things are about to change and I wanted to share some of my thoughts on this.

The battle for the browser was thrust into the limelight (again) this year by Shane Macaulay at CanSecWest when on Day 3 of the pwn2own festivities he and another researcher, Alexander Sotirov, were successfully able to claim the prize for pwning the Vista box using an Adobe Flash 0-day vulnerability. I was pretty sure it would be over within minutes, and when it wasn’t, I found myself checking in on their progress throughout the day. The reason I thought it would be over in minutes, is that because once you have some buggy AX control with a vulnerability running inside of IE, since about 2004, it has been almost trivial to code up a reliable exploit for it that makes use of a technique known as Heap Spray (pioneered AFAIK by Skylined), which requires nothing more than some clever JavaScript used to prepare the process’s memory to make exploitation of vulnerabilities more reliable. 

You may recall that Sotirov is someone who did even more work in the area of heap spray, culminating in presentations at BlackHat on “Heap Feng Shui” and a JavaScript library that makes exploit development using heap spray even easier. But to my surprise, instead of taking minutes, it took the better part of a day before the judges declared them the winners. (In fact it took so long that I didn’t even get to see them win, as I was busy presenting on targeted attacks in one of the final sessions of the last day!). For some reason, throughout the day the exploit wasn’t working properly and IE was just crashing instead of running the shellcode. At the time, the working theory was that in Vista SP1 we must have marked the heap pages as non-executable or more accurately, Vista SP1 started enforcing no execution of instructions out of pages of memory that were not marked as executable via a concept known as DEP (Data Execution Prevention). However, this was not the case – IE7 on XPSP2 and Vista SP0/SP1 does not ”opt-in” to DEP (…yet, and more on that later). More intriguing (to me) was that, operating on the assumption that they were up against DEP, Macaulay and Sotirov set off trying to bypass DEP protection using another technique, which I don’t think was the one discussed by Skape and Skywing in this Uninformed article.

During the day, the use of a Java VM was mentioned, so I’m guessing that instead of using JavaScript to do the heap spray, Macaulay and Sotirov may have used a Java class file and a Java VM to spray memory with NOPs and shellcode. The difference? Our JavaScript library will allocate heap memory pages with PAGE_READWRITE protection (and so attempts to execute code from them can be stopped by enabling DEP) and a Java VM may allocate memory as PAGE_EXECUTE_READWRITE (rendering DEP powerless to stop code execution, since the pages are marked as being intended for code execution!). Clever. If that’s what indeed happened. (I don’t know for sure – I’m only speculating).

So why did this under-reported piece of information grab my attention? There were two reasons:

1.       The fact that the researchers went after Adobe and found a code execution vulnerability is a big deal. Flash is a cross-platform application and is more ubiquitous than even IE or Windows. It is virtually guaranteed that Flash will be installed on a given machine connected to the Internet.

2.       It demonstrated that researchers (and more than likely, malware or exploit writers) are actively looking for ways to bypass DEP, should it be enabled for the process they are trying to exploit.

Today, IE doesn’t use DEP by default and it would seem that researchers are already looking for ways to bypass it, anticipating a day when it might. Right now, you can make IE use DEP by following the instructions in Mike Howard’s blog (or by using the .REG file at the end of my blog post on DEP in Vista), but I suspect the vast majority of people haven’t done that and so there hasn’t been a lot of focus on bypassing DEP because there hasn’t really been the need. So why not create that need? Why haven’t we made more effort to make IE use DEP by default? For the same reason we do most things that seem counterintuitive, for application compatibility reasons. J We haven’t made IE use DEP by default yet, because it’s only in the last year or so that major 3rd party AX controls like Flash were able to run in a process using DEP without crashing the process! Remember, it was only a couple of weeks ago that Apple released an update to QuickTime that finally allows some of the key QuickTime libraries to use DEP and ASLR on Windows (which was is a very big deal!). Oh and for the record, that ”someday when IE might use DEP by default” I mentioned earlier is coming soon! In fact, recently Eric Lawrence (an IE Program Manager) went on record last week as saying that IE8 will opt-in to DEP by default on Vista using a new API that we made available in Vista SP1!

In more signs of the times: just this week, Mark Dowd, an Aussie security researcher with IBM-ISS rocked the security researcher world and blew a lot of minds with his pretty impressive work exploiting yet another Flash vulnerability (Ptacek’s write-up is a great summary if you don’t want to read the 25 page write-up from Mark). In essence, Mark found a vulnerability in Flash that allowed him to perform an arbitrary 4-byte write to a location in memory. That in and of itself isn’t necessarily what’s interesting; what’s interesting is the way he chose to leverage that vulnerability (by patching some bytes used by the ActionScript Virtual Machine, which allowed him to run dangerous ActionScript bytecode