New measures against IE 8 exploits
Only a few days after Microsoft's new Internet Explorer 8 was cracked at Pwn2Own, its developers have announced new protective measures that are intended to make exploiting buffer overflows considerably more difficult. In a blog entry, they say they intend to block at least one of the techniques for bypassing Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) that Mark Dowd and Alexander Sotirov demonstrated in 2008.
Dowd and Sotirov showed that a .NET assembly embedded in a web page via an <object> tag is mapped into the browser process as executable memory, which defeats DEP, and at a predictable address, which defeats ASLR, so an attacker can place code there and jump to it directly. From now on, a ".NET MIME Filter" that Microsoft has not described in any detail is to prevent this in the Internet and Restricted Sites zones.
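Whether a module opts into these two mitigations is recorded in its PE header: the DllCharacteristics field carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, DEP), and a non-empty data directory 14 (the CLR runtime header) marks a .NET assembly. The C program below is an added example, not code from heise, Microsoft, or the Dowd/Sotirov paper: it parses those fields from a PE image held in memory and reports them. The input images are constructed header-only samples (build_sample, pe_inspect and the placeholder CLR directory values are this example's own; no real assembly is included), and the field offsets and flag values are those of the PE/COFF specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* image may be relocated: opts into ASLR */
#define DLLCHAR_NX_COMPAT    0x0100   /* image declares itself DEP-compatible */

struct pe_info {
    int pe32plus;                 /* 1 for PE32+ (64-bit), 0 for PE32 */
    uint64_t image_base;          /* preferred load address */
    uint16_t dll_characteristics;
    int aslr;                     /* DYNAMIC_BASE set */
    int nx;                       /* NX_COMPAT set */
    int is_dotnet;                /* CLR runtime header directory (index 14) present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Parse the headers of a PE image in memory. Returns 0 on success, -1 if the buffer is
 * not a well-formed PE image; every read is bounds-checked against len. */
int pe_inspect(const uint8_t *buf, size_t len, struct pe_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;      /* "PE\0\0" + COFF header */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);                     /* SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    if (opt_size < 72 || (size_t)(opt - buf) + opt_size > len) return -1;

    uint16_t magic = rd16(opt);
    if (magic == 0x10B)      { out->pe32plus = 0; out->image_base = rd32(opt + 28); }
    else if (magic == 0x20B) { out->pe32plus = 1; out->image_base = rd64(opt + 24); }
    else return -1;

    out->dll_characteristics = rd16(opt + 70);   /* same offset in PE32 and PE32+ */
    out->aslr = (out->dll_characteristics & DLLCHAR_DYNAMIC_BASE) != 0;
    out->nx   = (out->dll_characteristics & DLLCHAR_NX_COMPAT) != 0;

    /* Data directory 14 is the CLR runtime header; non-zero means a .NET assembly. */
    size_t nrva_off = out->pe32plus ? 108 : 92, dd_off = out->pe32plus ? 112 : 96;
    if (opt_size >= nrva_off + 4) {
        uint32_t nrva = rd32(opt + nrva_off);
        size_t clr = dd_off + 14 * 8;
        if (nrva > 14 && opt_size >= clr + 8)
            out->is_dotnet = (rd32(opt + clr) | rd32(opt + clr + 4)) != 0;
    }
    return 0;
}

/* Constructed sample (not a real assembly): a header-only PE image with the given
 * layout, flags and preferred base. Returns the image size, or 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap, int pe32plus, uint16_t dllchars,
                    uint64_t image_base, int dotnet)
{
    uint16_t opt_size = pe32plus ? 240 : 224;
    size_t total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                           /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, pe32plus ? 0x8664 : 0x014c);     /* Machine */
    wr16(buf + 0x44 + 16, opt_size);                  /* SizeOfOptionalHeader */
    uint8_t *opt = buf + 0x58;
    wr16(opt, pe32plus ? 0x20B : 0x10B);              /* Magic */
    if (pe32plus) wr64(opt + 24, image_base); else wr32(opt + 28, (uint32_t)image_base);
    wr16(opt + 70, dllchars);
    wr32(opt + (pe32plus ? 108 : 92), 16);            /* NumberOfRvaAndSizes */
    if (dotnet) {                                     /* placeholder CLR header RVA/size */
        uint8_t *clr = opt + (pe32plus ? 112 : 96) + 14 * 8;
        wr32(clr, 0x2008); wr32(clr + 4, 0x48);
    }
    return total;
}

int main(void)
{
    uint8_t buf[512];
    struct pe_info i;
    /* Shape of the 2008 problem: a 32-bit assembly with neither flag and a chosen base. */
    size_t n = build_sample(buf, sizeof buf, 0, 0, 0x04000000u, 1);
    if (pe_inspect(buf, n, &i) == 0)
        printf("ImageBase 0x%llx ASLR=%d DEP=%d .NET=%d\n",
               (unsigned long long)i.image_base, i.aslr, i.nx, i.is_dotnet);
    return 0;
}
```

One caveat when reading the output: DEP is a process-wide property decided by the executable and the system policy, so NX_COMPAT on a library or assembly is informational. The DYNAMIC_BASE bit is what decides whether the loader randomises that module; a module without it is mapped at its preferred ImageBase whenever that range is free, which is why a controllable ImageBase on a loadable image is useful to an attacker.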
During the Pwn2Own competition, the mysterious Nils used a still undisclosed exploit to inject and execute code through Internet Explorer 8 on a Windows 7 system. No details have been published, but rumour has it that the exploit was at least partly based on the techniques presented by Dowd and Sotirov.
According to Microsoft, the filter is already active in the recently released final version of IE8 for Vista. The MSRC's Jonathan Ness did not explain why Nils nevertheless succeeded. Since the Microsoft blogger quoted Nils and said that the filter only makes writing exploits a little more difficult, we can only assume that the IE8 build used at Pwn2Own did not yet include the new filter.
Nowadays the Microsoft security team links quite matter-of-factly to papers explaining how to bypass Windows security measures. Back in 2004, our German-language associate site heise Security received a rather agitated complaint from a Microsoft employee, who said that a news article about the Sasser worm contained "step-by-step instructions for the Windows SEH exploit" and asked whether this was really necessary. At the time, heise Security replied: "Nobody benefits if this knowledge is accumulated only in the wrong circles". Nobody, of course, except those "in the wrong circles". (ju)