MacRumors Forums > Mac Community > Community Discussion > Apple, Industry and Internet Discussion

Nov 3, 2012, 06:22 PM   #1
munkery
macrumors 68020
Join Date: Dec 2006
New runtime security mitigations in Windows 8 and IE 10 defeated.

An exploit to bypass the improvements to ASLR and other runtime security mitigations in Windows 8 and IE 10 was available less than a week after the day of the release of the new Windows OS.

The team that disclosed the exploit is the same group that defeated IE 9 running on Windows 7 at the last Pwn2Own targeting browsers.

Safari running on Lion was not compromised at that event. No methods to bypass the runtime security mitigations in Lion/ML have been disclosed.

The mitigations in OS X are derived from runtime security mitigation found in Linux. No methods to bypass the mitigations in Linux with only remote access have been demonstrated either.

The major difference in mitigations between these Unix based operating systems and Windows is position independent executables (PIE). DLLs in Windows are pre-mapped at boot and the offset between the different DLLs is known. The beginning load address for the DLLs is random but the order is not. This isn't the case in Mac OS X and Linux due to PIE; both the location and order are random.

So, the layout of DLLs is revealed via a memory disclosure exploit. Knowing this layout allows ROP payloads to be produced that facilitate bypassing other runtime security mitigations, such as DEP.

Also, Windows provides two vectors to achieve arbitrary code execution once runtime security mitigations have been defeated. These vectors are return address and structured exception handler (SEH) overwrites. OS X and Linux don't have SEH and, therefore, don't provide that vector. Having two vectors to achieve arbitrary code execution increases the number of vulnerabilities that are exploitable.

Mitigations, such as SEHOP, are in place to prevent SEH overwrites but these mitigations are bypassed via essentially the same methods used to bypass the mitigations (ASLR & DEP) used to prevent return address overwrites.

Until Windows includes PIE, attackers will be able to produce reliable remote exploits against Windows.
Last edited by munkery; Nov 3, 2012 at 07:00 PM.
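The property the post keeps coming back to is whether an image is built so the loader is free to move it (PIE on Linux/OS X, a relocatable base on Windows). As an added example, not code from the post or from any vendor, here is a small header inspector that answers that question for ELF, Mach-O and PE files from the first few hundred bytes alone. The constants it reads (ELF e_type ET_DYN, the Mach-O MH_PIE header flag, and the DYNAMIC_BASE / HIGH_ENTROPY_VA bits of the PE DllCharacteristics field) are the documented values from each format; the sample headers at the bottom are constructed byte strings, not real binaries.

```python
import struct

# Added example (not from the forum post): reads just the executable header of
# an ELF, Mach-O or PE image and reports whether it is built so the loader can
# randomise its base address. The sample headers further down are constructed
# byte strings, not real binaries.

ET_EXEC, ET_DYN = 2, 3                       # ELF e_type: fixed-address vs relocatable
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                            # Mach-O header flag: image may be slid
DYNAMIC_BASE = 0x0040                        # PE DllCharacteristics: ASLR opt-in
HIGH_ENTROPY_VA = 0x0020                     # PE DllCharacteristics: 64-bit high-entropy ASLR


def elf_is_pie(data):
    """A PIE is linked as ET_DYN (like a shared object); a classic ET_EXEC has fixed addresses."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type == ET_DYN


def macho_is_pie(data):
    """dyld only slides a main executable whose header carries MH_PIE."""
    if len(data) < 28:
        raise ValueError("not a Mach-O image")
    for endian in ("<", ">"):                 # accept either byte order
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            (flags,) = struct.unpack_from(endian + "I", data, 24)
            return bool(flags & MH_PIE)
    raise ValueError("not a Mach-O image")


def pe_aslr_flags(data):
    """DllCharacteristics lives at offset 70 of the optional header in both PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20       # skip the signature and the 20-byte COFF header
    (dll_chars,) = struct.unpack_from("<H", data, optional_header + 70)
    return {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def randomizable(data):
    """Dispatch on the magic and answer one question: may the loader move this image?"""
    if data[:4] == b"\x7fELF":
        return elf_is_pie(data)
    if data[:2] == b"MZ":
        return pe_aslr_flags(data)["dynamic_base"]
    return macho_is_pie(data)


# --- constructed sample headers (just enough bytes for the fields read above) ---

def sample_elf(e_type):
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9      # 64-bit, little-endian, version 1
    return ident + struct.pack("<HH", e_type, 0x3E)         # e_type, e_machine = x86-64


def sample_macho(flags):
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags
    return struct.pack("<IIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, flags)


def sample_pe(dll_chars):
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<H", optional, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for label, blob in [("ELF ET_EXEC", sample_elf(ET_EXEC)),
                        ("ELF ET_DYN (PIE)", sample_elf(ET_DYN)),
                        ("Mach-O without MH_PIE", sample_macho(0x1)),
                        ("Mach-O with MH_PIE", sample_macho(0x1 | MH_PIE)),
                        ("PE NX only", sample_pe(0x0100)),
                        ("PE NX + DYNAMIC_BASE", sample_pe(0x0140))]:
        print(f"{label:24s} randomizable={randomizable(blob)}")
```

On a real file, pass the first few kilobytes to `randomizable()`; the same answer can be cross-checked with `readelf -h` (Type: DYN vs EXEC) on Linux and `otool -hv` (the PIE flag) on OS X. The checker reads only the header, so it says whether the image is eligible for relocation, not what the running loader actually did with it.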