IE 10 Tougher to Crack

Thursday, March 15, 2012 @ 02:03 PM gHale

Internet Explorer 10 (IE 10) is already in consumer preview, and it includes some major exploit mitigations.

In addition to the existing implementations of ASLR, DEP and other technologies in Windows and IE, Microsoft has included new ones designed to further inhibit memory-corruption attacks.


The biggest change in IE 10 is a technology called ForceASLR, which compensates for the fact that not every application on Windows is compiled with the flag that opts it into ASLR. ASLR (address space layout randomization), one of the main exploit mitigations Microsoft has added to Windows in recent years, essentially turns loaded modules into moving targets for attackers, making it far more difficult for them to place their payloads where they want them. This has made browser-based exploits more complicated, but it only protects modules whose developers compiled them with a specific flag, /DYNAMICBASE, set.

The new ForceASLR technology helps fix that shortcoming by allowing IE to tell Windows to load every module at a random location, regardless of whether it was compiled with the /DYNAMICBASE flag. Microsoft security officials said this is among the more important additions the company has made to the security of its browser and of Windows machines.

“ForceASLR is a new loader option used by Internet Explorer 10 to instruct the operating system to randomize the location of all modules loaded by the browser, even if a given module was not compiled with the /DYNAMICBASE flag. The ForceASLR protection was added to the Windows 8 kernel, and the feature is now available as an update to Windows 7 that will be installed when Internet Explorer 10 is installed on that platform,” said Forbes Higman, a security program manager on IE.

In addition to ForceASLR, Microsoft included another mitigation called High Entropy ASLR that takes advantage of the larger address space that’s available on 64-bit Windows machines. The more entropy the operating system can add to the randomization, the more difficult life will be for attackers who are trying to place their payloads precisely.

“This has the effect of drastically increasing the number of potential addresses that may be assigned to a 64bit process. All 64bit processes can opt-in to the increased entropy made available by HEASLR. Processes can opt-in either at link time (/HIGHENTROPYVA) or at load time via a new Image File Execution Option,” Higman said.
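An added example, not part of the original article or of Microsoft's tooling: a Python check of the linker opt-ins the article names. It reads a module's PE header to see whether /DYNAMICBASE, /HIGHENTROPYVA and /NXCOMPAT were set, and so whether the module is one that ForceASLR would have to randomize on the loader's behalf. The make_pe_header helper is an assumption for offline use; it builds a synthetic header, not a loadable image.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_OPTIONAL_HEADER.DllCharacteristics
# and IMAGE_FILE_HEADER.Characteristics).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # linker /HIGHENTROPYVA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # linker /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # linker /NXCOMPAT (DEP)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no .reloc data: image cannot be rebased
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def aslr_opt_in(image: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and report its ASLR/DEP opt-ins."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                 # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                     # IMAGE_OPTIONAL_HEADER
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # same offset in PE32 and PE32+
    is_64bit = magic == PE32PLUS_MAGIC
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_64bit": is_64bit,
        "dynamic_base": dynamic_base,
        # High-entropy ASLR only applies to 64-bit images, so ignore a stray flag on PE32.
        "high_entropy_va": is_64bit and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocatable": relocatable,
        # A module that never opted in is what ForceASLR randomizes anyway, but the
        # loader can only move it if relocation data was kept.
        "needs_force_aslr": relocatable and not dynamic_base,
    }


def make_pe_header(is_64bit: bool, dll_chars: int, file_chars: int = 0) -> bytes:
    """Construct a minimal synthetic PE header (assumption: not a loadable image) for offline tests."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    machine, opt_size = (0x8664, 240) if is_64bit else (0x14C, 224)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    magic = PE32PLUS_MAGIC if is_64bit else PE32_MAGIC
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)  # DllCharacteristics at +70
    return dos + b"PE\0\0" + coff + opt
```

Run aslr_opt_in over the header bytes of each module a browser process loads to list the ones that would still sit at a fixed address without ForceASLR.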
