New runtime security mitigations in Windows 8 and IE 10 defeated.

Discussion in 'Apple, Industry and Internet Discussion' started by munkery, Nov 3, 2012.

  1. munkery, Nov 3, 2012
    An exploit to bypass the improvements to ASLR and other runtime security mitigations in Windows 8 and IE 10 was available less than a week after the day of the release of the new Windows OS.

    The team that disclosed the exploit is the same group that defeated IE 9 running on Windows 7 at the last pwn2own targeting browsers.

    Safari running on Lion was not compromised at that event. No methods to bypass the runtime security mitigations in Lion/ML have been disclosed.

    The mitigations in OS X are derived from the runtime security mitigations found in Linux. No methods to bypass the mitigations in Linux with only remote access have been demonstrated either.

    The major difference in mitigations between these Unix-based operating systems and Windows is position independent executables (PIE). DLLs in Windows are pre-mapped at boot and the offset between the different DLLs is known. The beginning load address for the DLLs is random, but the order is not. This isn't the case in Mac OS X and Linux due to PIE; both the location and order are random.

    So, the layout of DLLs is revealed via a memory disclosure exploit. Knowing this layout allows ROP payloads to be produced that facilitate bypassing other runtime security mitigations, such as DEP.

    Also, Windows provides two vectors to achieve arbitrary code execution once runtime security mitigations have been defeated. These vectors are return address and structured exception handler (SEH) overwrites. OS X and Linux don't have SEH and, therefore, don't provide that vector. Having two vectors to achieve arbitrary code execution increases the number of vulnerabilities that are exploitable.

    Mitigations, such as SEHOP, are in place to prevent SEH overwrites, but these mitigations are bypassed via essentially the same methods used to bypass the mitigations (ASLR & DEP) that prevent return address overwrites.

    Until Windows includes PIE, attackers will be able to produce reliable remote exploits against Windows.
