Memory-related vulnerabilities must be properly patched up

Mar 13, 2012 15:40 GMT  ·  By

Since hackers started targeting computers via the web browser and its add-ons, Microsoft fitted Internet Explorer (IE) 10 with some sophisticated mechanisms to ensure that memory-related vulnerabilities are impossible, or at least highly difficult, to exploit.

Web browsers are usually targeted with buffer overflow attacks or by leveraging use-after-free vulnerabilities. Both attack methods exploit memory flaws that may allow an attacker to run arbitrary code by diverting the browser’s execution path.

The researchers in charge of making Internet Explorer 10 safer and better protected against attacks not only implemented new defense features, but also enhanced some old ones.

For instance, among the compiler mitigations, the /GS compiler flag is one of the defenses used in previous versions of the popular web browser. The latest version of this technology, which adds buffer overrun detection to an application’s stack, relies on improved heuristics to protect more functions.

The performance cost was also reduced by an optimization that eliminated checks that were not necessary.

Another flag is /SAFESEH, which ensures that when an exception occurs, the handler addresses on the application’s stack are verified against those stored in a lookup table placed in a secure location in memory. If the values don’t match, the process is terminated and the potential attack is mitigated.

The downside of this flag is that if not all DLL modules opt in to the protection, the security measure is less effective.

The final flag leveraged in compiler mitigations is /DYNAMICBASE, which relies on an OS mitigation known as Address Space Layout Randomization (ASLR). As with the /SAFESEH flag, the value of the security offered by ASLR drops if DLL modules don’t opt in to the protection.

As for runtime mitigations, which involve the operating system in keeping processes secure, DEP/NX relies on the hardware no-execute support that is a key security feature of modern CPUs.

DEP/NX has been used successfully since Internet Explorer 8 and will continue to ensure that data pages marked as non-executable (those that may contain the attacker’s code) are never executed.

SEHOP is a mitigation first enabled in IE9 that works on much the same principles as the /SAFESEH compiler flag.

These, along with other security enhancements implemented in Internet Explorer, will hopefully discourage hackers from launching malicious operations. All that remains is to convince users to upgrade their products every time a new update is released.