Softpedia
 


December 19th, 2008, 12:29 GMT · By

IE8 and IE7 Mitigations Failed Against the MSHTML.DLL Critical Exploits

On December 17, 2008, Microsoft released in excess of 300 distinct updates for all supported versions of Internet Explorer, packaged as MS08-078, in its rush to patch a critical vulnerability that had been under attack at least as early as December 9. Not only was the security flaw actively exploited in the wild (allowing for remote code execution), but the majority of the mitigations built into the Windows operating system were useless to stop the attacks, according to Michael Howard, senior security program manager in the Security Engineering group at Microsoft.

“There is a plethora of defenses available on various versions of Windows, but only a couple came into play owing to the nature of the code,” Howard stated, enumerating the mitigations that failed to make a difference, including the protections built against stack-based buffer overruns, ASLR and NX and Heap Termination on Corruption.

However, users running Internet Explorer 7 and the Beta versions of Internet Explorer 8 on Windows Vista, Windows 7 pre-Beta, Windows Server 2003, and Windows Server 2008 still benefited from an additional layer of protection, namely Protected Mode.

“On Windows Vista and Windows Server 2008, this is a major defense that comes into play against the currently circulating exploits. When the exploit code runs, it's running at low integrity because IE runs at low integrity, and this means the exploit code cannot write to higher integrity portions of the operating system, which is just about everywhere,” Howard added. “For our server platforms, Windows Server 2003 and Windows Server 2008, Internet Explorer Enhanced Security Configuration also prevents the exploit from working because the vulnerable code is disabled.”

Patches are now available for all versions of Internet Explorer, including IE8 Betas and instances of the browser running on top of Beta Windows client and server operating systems. Users are advised to apply the security updates as soon as possible, in order to protect themselves against attacks targeting the Pointer Reference Memory Corruption vulnerability.

“The bug was an invalid pointer dereference in MSHTML.DLL when the code handles data binding. It's important to point out that there is no heap corruption and there is no heap-based buffer overrun,” Howard explained. “When data binding is used, IE creates an object which contains an array of data binding objects. In the code in question, when a data binding object is released, the array length is not correctly updated, leading to a function call into freed memory.”
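The bug pattern Howard describes, sketched in C as an added example that is not Microsoft's code and not part of the original article: an owner object keeps an array of binding objects, and a release that leaves the array length unchanged lets a later walk reach a released object. All type and function names are hypothetical, and a static pool stands in for the heap so the stale entry can be counted without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, not MSHTML code: objects sit in a static pool, so a
   released object can be detected safely instead of being touched. */
#define MAX_BINDINGS 4
typedef struct { int in_use; int id; } Binding;
typedef struct { Binding *items[MAX_BINDINGS]; size_t length; } BindingArray;
static Binding pool[MAX_BINDINGS];

static void array_init(BindingArray *a, size_t n) {
    a->length = n;
    for (size_t i = 0; i < n; i++) {
        pool[i] = (Binding){ 1, (int)i };
        a->items[i] = &pool[i];
    }
}

/* Flawed release: object is freed, but slot and length stay as they were. */
static void release_buggy(BindingArray *a, size_t idx) {
    a->items[idx]->in_use = 0;   /* stands in for free() */
}

/* Corrected release: free, then compact the array and shrink its length. */
static void release_fixed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->in_use = 0;
    for (size_t i = idx + 1; i < a->length; i++)
        a->items[i - 1] = a->items[i];
    a->items[--a->length] = NULL;
}

/* Count entries within length that point at released objects. */
static size_t count_stale(const BindingArray *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->in_use) stale++;
    return stale;
}

/* Release element 1 of 3 via either path; return the stale-entry count. */
size_t demo(int use_fix) {
    BindingArray a;
    array_init(&a, 3);
    if (use_fix) release_fixed(&a, 1); else release_buggy(&a, 1);
    return count_stale(&a);
}
int main(void) {
    printf("buggy: %zu stale, fixed: %zu stale\n", demo(0), demo(1));
}
```

In real code each stale entry is a pointer into freed memory, which is why no heap corruption or buffer overrun is needed for the later call through it to go wrong.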


READER COMMENTS:


Comment #1 by: Joe Blough on 21 Dec 2008, 21:09 UTC

Has it been absolutely shown (by someone other than Microsoft) that IE6 running on XP (and/or Windows 98) is vulnerable to this data-binding exploit?

There is example exploit code on milworm.com but it does not seem to work on XP with IE6. Is there any example code that *DOES* work on IE6 (any platform)?
