New exploit technique nullifies major Windows defense

Google engineer posts sample code to show how to bypass DEP in Windows

The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft's newer operating systems, researchers said today.

On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker "Skylined" when he posts exploit research, published proof-of-concept code that bypasses DEP, or data error prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other: ASLR, for address space layout randomization.

DEP prevents malicious code from executing in sections of memory not intended for code execution, and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.

Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.

"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," said Wever in a post to his personal blog on Monday.

Wever should know about Windows: According to his LinkedIn account, he worked for Microsoft as a security software engineer from 2006 to 2008.

In 2005, Wever helped popularize "heap spraying," a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe's Reader.

"This is pretty significant," said David Sancho, a senior threat researcher with Trend Micro, when asked to peg the importance of Wever's demonstration. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."

There have been DEP workarounds making the rounds, Sancho acknowledged. "But this is generic enough that it will work within any exploit," he said.

Earlier today, another Trend Micro researcher also predicted that Wever's disclosure will likely lead to attacks that regularly shove aside DEP's defenses. "After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique," said Trend's Ria Rivera in an entry on the company's malware blog . "It would thus be not farfetched that the release of this new proof-of-concept could lead to the same scenario -- new exploits could start using 'return-to-libc' to achieve DEP bypass."

Wever's new technique requires that ASLR be bypassed as well, but that's not a solid barrier, said Sancho. Attackers have taken to running their exploit code many times, in many parts of memory, in the hope of one landing in a executable location. "Yes, attacks need to bypass both ASLR and DEP, but [Wever's proof-of-concept] makes it all easier," Sancho emphasized.

The proof-of-concept that Wever published doesn't actually do damage, as it is wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago.

"This exploit targets a bug that was fixed in IE6 in 2005, which explains why it does not affect any recent install," said Wever in a comment he added to his blog entry. "This release is for academic purpose only, it is not an 0-day that script-kiddies can use to pwn your grandma's computer."

From Sancho's viewpoint, the DEP bypass doesn't exploit a vulnerability in Microsoft's code, but rather takes advantage of a design flaw. "Microsoft can fix this, and I have faith they will," he said.

Microsoft was not immediately available to answer questions about Wever's proof-of-concept DEP bypass, and whether it would -- and if so, when -- revamp the security feature in Windows.

------

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags exploits and vulnerabilitiesMicrosoftWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?