IE8 RTW Bulletproofed Against .NET, DEP and ASLR Bypass

The gold version of Internet Explorer 8 was bulletproofed against techniques designed to attack Internet Explorer 7 by leveraging inconsistencies in Windows Vista's memory protection mechanisms. Vista brought to the table a number of mitigations, additional security layers including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), designed to make it extremely hard for exploits to work against the operating system. Still, because of the actual design and implementation, the extra mitigations could in fact be defeated, as security researchers Alexander Sotirov and Mark Dowd demonstrated at BlackHat Vegas, in 2009.

Sotirov and Dowd managed to circumvent DEP and ASLR via .NET framework DLL’s that were used for memory page allocation in relation to predictable locations within the iexplore.exe process. Jonathan Ness, from MSRC Engineering, explained that the bypass was no longer valid with the copy of Internet Explorer 8 released to web on March 19, 2009.

“The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone,” Ness stated.

Microsoft is committed to keeping its ears to the street, and has gathered feedback from the recent CanSecWest and SOURCE conferences, emphasizing that security researchers have categorized the process of producing exploits for Vista as “very, very hard.” “IE8 is pretty cool technology. We have been using it internally now for a while. One of the great things about it is the layering of defenses on top of defenses. No browser is 100% secure but we are hoping if we keep adding defenses they will be harder and harder to exploit,” Ness added.


Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).