Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
From: Jared DeMott <jared.demott () harris com>
Date: Thu, 01 Oct 2009 11:27:22 -0400
Freddie Vicious wrote:
Microsoft released Internet Explorer 8 on March 19, 2009, and up to now there's no reliable method to exploit memory corruption vulnerabilities on it?

I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in the IFRAME overflow exploit, which has been used by almost every IE memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP and ASLR protections, making heap spray useless. Then Mark Dowd and Alexander Sotirov published their great paper, Bypassing Browser Memory Protections, providing some excellent techniques, mainly the .NET binary technique which bypasses DEP and ASLR, which was used by Nils on the latest Pwn2Own to own Internet Explorer 8 RC (Release Candidate) and was used to mass-exploit other vulnerabilities. One day after Nils owned IE8 RC, Microsoft released Internet Explorer 8 RTM and blocked the option to load .NET DLLs from the Internet zone and Restricted sites zone. Due to the fact that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local machine zone, this makes the .NET DLL technique irrelevant most of the time.

So my question is - is there no reliable method to exploit memory corruption vulnerabilities in Internet Explorer 8?
I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return-oriented programming. Application-specific techniques are also common when third-party extensions are
Jared D. DeMott
Principal Security Researcher
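The thread turns on which modules in the browser process actually opt in to DEP and ASLR: the .NET DLL technique worked because a module without those flags was mapped at a predictable, executable address. From the defender's side the useful check is an inventory of loaded modules by their PE header flags. The following script is an added example, not code from this thread or from either poster. It reads the COFF Characteristics and Optional Header DllCharacteristics fields of a PE image and reports whether the module opts in to NX (DEP) and dynamic base (ASLR), and whether stripped relocations would defeat dynamic base anyway. The flag values are the documented Windows PE constants; the sample header is constructed inline so the script runs offline, and is not a loadable image.

```python
"""Report DEP/ASLR opt-in flags from a PE image's headers (added example)."""
import struct

# Documented PE constants (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in both PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image and return its mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    file_characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE is meaningless if the loader has no relocations to apply:
        # the image can only be mapped at its preferred base.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def describe(result: dict) -> str:
    """One-line human-readable summary for a module inventory."""
    flags = []
    flags.append("DEP" if result["nx_compat"] else "no-DEP")
    flags.append("ASLR" if result["aslr_effective"] else "no-ASLR")
    if result["dynamic_base"] and result["relocs_stripped"]:
        flags.append("(dynamic base set but relocations stripped)")
    return " ".join(flags)


def build_sample_pe(dll_characteristics: int, file_characteristics: int = 0x2102,
                    pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for testing; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "opted-in module": build_sample_pe(0x0140),
        "legacy plugin": build_sample_pe(0x0000),
        "relocs stripped": build_sample_pe(0x0040, file_characteristics=0x2103),
    }
    for name, image in samples.items():
        print("%-18s %s" % (name, describe(pe_mitigations(image))))
```

Run it against real modules by reading each file's bytes into pe_mitigations; a browser plugin or extension DLL that reports no-DEP or no-ASLR is exactly the kind of module the thread describes as the weak link, and the relocations-stripped case is the one a quick look at DllCharacteristics alone would miss.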
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/