HP ZDI Nets $125,000 for Successful Attacks on IE Memory Mitigations

In the summer of 2014 Microsoft shipped use-after-free mitigations in the Internet Explorer browser. That closed off some exploit classes and left black hats and researchers alike searching for new ways to corrupt memory inside the browser.

It was not long before the team at HP's Zero Day Initiative (ZDI) noticed that exploits which had once been reliable no longer behaved as expected. They traced the problem to a number of mitigations introduced into Internet Explorer in July. Several months later, in October, researchers Abdul Aziz Hariri, Simon Zuckerbraun and Brian Gorenc had developed attacks against two of those mitigations, MemoryProtection (MemProtect) and Isolated Heap. Microsoft awarded the researchers 125,000 USD through its Mitigation Bypass Bounty and BlueHat Bonus for Defense. The researchers said they were glad Microsoft had made good use of the data from their research.

Of that amount, 25,000 USD was awarded separately for submitting a proposed defense against the technique. The researchers plan to donate the entire award to Concordia University, Texas A&M University and Khan Academy, institutions that sponsor programs in science, technology, engineering and mathematics.

According to Gorenc, Microsoft has not yet patched the issues identified in the HP ZDI research, so ZDI will hold back the details until it does. He did reveal, however, that part of the attack uses MemoryProtection as an oracle to bypass ASLR (Address Space Layout Randomization). In other words, the researchers turned one mitigation against another: MemoryProtection was added to make use-after-free exploitation harder for attackers, and the researchers used it to defeat a second mitigation that Internet Explorer relies on.

Use-after-free vulnerabilities have overtaken buffer overflows as the dominant class of memory-corruption bug. They occur when a program keeps using a pointer to memory that has already been freed; an attacker who can reallocate that memory with controlled data can make the stale pointer refer to a region containing malicious code or data, which is then used or executed.
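To make the mechanism above concrete, and to show what the two mitigations named earlier (Isolated Heap and MemoryProtection) are meant to prevent, the following is an added example written for this article; it is not code from ZDI, Microsoft or Internet Explorer, and it does not reproduce the undisclosed bypass. It models a browser heap as a toy fixed-size allocator with a LIFO free list, a DOM-like object whose first word is its vtable pointer, and an attacker "spray" of same-size buffers. The pool layout, slot size and the constants LEGIT_VTABLE and ATTACKER_WORD are assumptions chosen for the demo. The three functions return the vtable word a stale pointer sees after the spray: attacker-controlled on a shared heap with a plain free, untouched when objects and attacker buffers live in separate pools (Isolated Heap), and zero when the free is deferred and the chunk wiped (the MemProtect approach, simplified: real MemProtect only releases deferred chunks once the stack no longer references them).

```c
#include <stdint.h>
#include <string.h>

/* Word 0 of every DOM-like object is its vtable pointer, the field a UAF
 * exploit overwrites to redirect a virtual call. Both values are
 * arbitrary constants chosen for this demo (assumption). */
#define LEGIT_VTABLE  0x00007ff600001000ULL
#define ATTACKER_WORD 0x4141414141414141ULL   /* "AAAAAAAA" from a string spray */

/* Toy fixed-size allocator standing in for a browser heap. Each slot is
 * four 64-bit words; freed slots go on a LIFO free list, so the next
 * allocation of the same size gets the slot that was just freed. That
 * reuse is exactly what a use-after-free exploit depends on. */
#define SLOT_WORDS 4
#define POOL_SLOTS 8

typedef struct pool {
    uint64_t mem[POOL_SLOTS][SLOT_WORDS];
    int free_stack[POOL_SLOTS];
    int free_top;
    int deferred[POOL_SLOTS];   /* slots parked by the MemProtect-style free */
    int deferred_n;
} pool_t;

static void pool_init(pool_t *p) {
    memset(p, 0, sizeof *p);
    for (int i = POOL_SLOTS - 1; i >= 0; i--)
        p->free_stack[p->free_top++] = i;   /* slot 0 is handed out first */
}

static uint64_t *pool_alloc(pool_t *p) {
    return p->free_top ? p->mem[p->free_stack[--p->free_top]] : NULL;
}

static int slot_index(const pool_t *p, const uint64_t *ptr) {
    return (int)((ptr - &p->mem[0][0]) / SLOT_WORDS);
}

/* Plain free: the slot is immediately reusable and its contents are left as-is. */
static void pool_free(pool_t *p, uint64_t *ptr) {
    p->free_stack[p->free_top++] = slot_index(p, ptr);
}

/* MemProtect-style free: wipe the slot and park it on a wait list instead of
 * the free list, so a stale pointer reads zeros and a same-size allocation
 * cannot land on top of it until the wait list is drained. */
static void pool_free_protected(pool_t *p, uint64_t *ptr) {
    memset(ptr, 0, SLOT_WORDS * sizeof(uint64_t));
    p->deferred[p->deferred_n++] = slot_index(p, ptr);
}

/* Attacker spray: allocate a same-size buffer and fill it with controlled data. */
static uint64_t *spray(pool_t *p) {
    uint64_t *buf = pool_alloc(p);
    for (int i = 0; i < SLOT_WORDS; i++) buf[i] = ATTACKER_WORD;
    return buf;
}

/* A freshly constructed DOM-like object: vtable in word 0, refcount in word 1. */
static uint64_t *new_node(pool_t *p) {
    uint64_t *node = pool_alloc(p);
    node[0] = LEGIT_VTABLE;
    node[1] = 1;
    return node;
}

/* 1. Shared heap, plain free: the stale pointer's vtable word is attacker data,
 *    so a virtual call through it would jump wherever the attacker chooses. */
uint64_t vtable_after_uaf_shared_heap(void) {
    pool_t heap; pool_init(&heap);
    uint64_t *node = new_node(&heap);
    uint64_t *dangling = node;     /* second reference the script still holds */
    pool_free(&heap, node);        /* object released, dangling never cleared */
    spray(&heap);                  /* same size, same free list: lands in node's slot */
    return dangling[0];
}

/* 2. Isolated Heap: DOM objects and attacker-controlled buffers come from
 *    different pools, so the spray cannot reuse the freed node's slot. */
uint64_t vtable_after_uaf_isolated_heap(void) {
    pool_t dom_heap, string_heap;
    pool_init(&dom_heap); pool_init(&string_heap);
    uint64_t *node = new_node(&dom_heap);
    uint64_t *dangling = node;
    pool_free(&dom_heap, node);
    spray(&string_heap);           /* lands in the other pool */
    return dangling[0];            /* stale, but still LEGIT_VTABLE */
}

/* 3. MemProtect-style deferred free on a shared heap: the slot is wiped and
 *    withheld, so the spray gets a different slot and the stale read yields 0
 *    (a null vtable dereference: a crash rather than a hijack). */
uint64_t vtable_after_uaf_memprotect(void) {
    pool_t heap; pool_init(&heap);
    uint64_t *node = new_node(&heap);
    uint64_t *dangling = node;
    pool_free_protected(&heap, node);
    spray(&heap);
    return dangling[0];
}
```

The two mitigations attack different halves of the problem: Isolated Heap keeps attacker-sized allocations out of the pool that DOM objects live in (it does not stop reuse by another object of the same type in the same pool), while MemoryProtection makes the freed chunk itself useless to the attacker by wiping it and delaying its return to circulation. A deferred-free scheme also has an observable side effect, which is the kind of behaviour the ZDI researchers say they were able to turn into an oracle.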

Microsoft has invested time and money in building mitigations against memory-related attacks, both inside Internet Explorer and through EMET (the Enhanced Mitigation Experience Toolkit).

Attacks on and bypasses of these mitigations have been largely confined to academics and researchers. Some high-profile targeted attacks, however, have been built to account for their presence: the Operation Snowman APT campaign against military and government targets, for example, scanned for EMET and would not execute if the tool was detected.

Internet Explorer has suffered from memory-corruption bugs for a long time, and because the browser is used in targeted attacks, Microsoft has been releasing cumulative updates for it every month.

Asked about use-after-free bugs in IE, Gorenc said the attack surface is valuable and needs to exist, because with some minor manipulation of it a researcher can gain code execution in the browser.

Over the past nine months ZDI has invested around 12 million dollars in the use-after-free attack surface, buying vulnerabilities from researchers. As a vulnerability-purchase program, ZDI rewards researchers who disclose bugs through its process; the bugs are shared with HP's customers and then with the affected vendors.

Before joining ZDI full time, Gorenc's colleagues Hariri and Zuckerbraun were external contributors who handled IE and use-after-free submissions. For the IE memory attacks, Zuckerbraun reverse-engineered MemProtect by studying how it stymied use-after-free vulnerabilities, while Hariri focused on bypassing Isolated Heap and Gorenc worked on sandbox bypasses. Combining their efforts gave the researchers enough information to share and discuss with Microsoft.

The three researchers will donate the reward to these three educational institutions in particular because each has a personal connection and meaning for one of the researchers, and all three have a strong STEM emphasis.