New exploit technique nullifies major Windows defense

Google engineer posts sample code to show how to bypass DEP in Windows

March 3, 2010 02:00 PM ET

Computerworld - The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft's newer operating systems, researchers said today.

On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker "Skylined" when he posts exploit research, published proof-of-concept code that bypasses DEP, or data execution prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other is ASLR, for address space layout randomization.

DEP prevents malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.

Microsoft introduced DEP in Windows XP Service Pack 2, the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.

"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," said Wever in a post to his personal blog on Monday.

Wever should know about Windows: According to his LinkedIn profile, he worked for Microsoft as a security software engineer from 2006 to 2008.

In 2005, Wever helped popularize "heap spraying," a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe's Reader.

"This is pretty significant," said David Sancho, a senior threat researcher at Trend Micro, when asked to peg the importance of Wever's demonstration. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."

There have been DEP work-arounds making the rounds, Sancho acknowledged. "But this is generic enough that it will work within any exploit," he said.

Earlier today, another Trend Micro researcher also predicted that Wever's disclosure will likely lead to attacks that regularly shove aside DEP's defenses. "After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique," said Trend's Ria Rivera in an entry on the company's malware blog. "It would thus be not farfetched that the release of this new proof-of-concept could lead to the same scenario -- new exploits could start using 'return-to-libc' to achieve DEP bypass."

Wever's new technique requires that ASLR be bypassed as well, but that's not a solid barrier, said Sancho. Attackers have taken to running their exploit code many times, in many parts of memory, in the hope of one landing in a executable location. "Yes, attacks need to bypass both ASLR and DEP, but [Wever's proof-of-concept] makes it all easier," Sancho emphasized.

The proof-of-concept that Wever published doesn't actually do damage, since it is wrapped around an exploit of a bug in Internet Explorer 6 that was patched years ago.

"This exploit targets a bug that was fixed in IE6 in 2005, which explains why it does not affect any recent install," said Wever in a comment he added to his blog entry. "This release is for academic purpose only, it is not an 0-day that script-kiddies can use to pwn your grandma's computer."

From Sancho's viewpoint, the DEP bypass doesn't exploit a vulnerability in Microsoft's code, but rather takes advantage of a design flaw. "Microsoft can fix this, and I have faith they will," he said.

However, Microsoft declined to say whether it would revamp DEP. Instead, Jerry Bryant, a senior manager with the Microsoft Security Research Center (MSRC), only noted that any bypass technique, including Wever's, could not compromise a computer on its own, but required an accompanying exploit of an unpatched vulnerability.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.