Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs in order to allocate executable memory, copying their shellcode and jumping into it.
Although Microsoft is currently not aware of any attacks, given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack may increase.
Users of Windows Vista and later versions of Windows are strongly encouraged to protect themselves against this issue by installing the free Enhanced Mitigation Experience Toolkit (EMET) and proceed to protect the iexplore.exe process.
When EMET is in place, this type of exploit will most likely fail. This is because of at least three mitigations:
- Mandatory ASLR: This mitigation will force the mscorie.dll to be located on random addresses each time.
- Heap Spray pre-allocation: Some of these exploits use some common used heap pages for placing ROP data such as 0x0c0c0c0c.
- EAT Filtering: Running shellcode can potentially be blocked by this mitigation.
Microsoft continues to investigate the vulnerability and will release a comprehensive security update once available.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.