New ASLR-busting JavaScript is about to make drive-by exploits much nastier

Discussion in 'other security issues & news' started by lotuseclat79, Feb 15, 2017.

  1. Evolution of memory protection by the OS: Windows XP = DEP, Vista = SEHOP and ASLR, (I don't recall Windows 7 improvements), Windows 8.1 = Heap protection and Control Flow Guard, Windows 10 = Return Flow Guard and a lot more (article)

    Can't edit above post anymore
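
    The mitigations listed in the post (DEP, ASLR, SEHOP, heap termination, CFG) can be audited and enforced per image on Windows 10 1709 and later through the Windows Defender Exploit Guard ProcessMitigations cmdlets. The script below is an added example, not something posted in this thread or shipped by any of the vendors mentioned; the target image name firefox.exe and the $Enforce switch are assumptions for illustration. It needs an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit and optionally enforce the memory
# protections the post lists for one web-facing process on Windows 10 1709+.
# Assumptions: target image name and the $Enforce flag are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$Target  = 'firefox.exe',   # assumed target; any image name works
    [switch]$Enforce                    # set to apply the baseline, omit to audit only
)

# Per-image settings override the system defaults, so read both. A value of
# NOTSET means "inherit the system-wide setting"; ON/OFF are explicit.
$system = Get-ProcessMitigation -System
$image  = Get-ProcessMitigation -Name $Target

function Resolve-Setting($perImage, $systemWide) {
    # Show the effective value: explicit per-image value wins, else system default.
    if ("$perImage" -eq 'NOTSET') { "$systemWide (system default)" } else { "$perImage" }
}

$report = [ordered]@{
    'DEP'                         = Resolve-Setting $image.DEP.Enable              $system.DEP.Enable
    'ASLR: ForceRelocateImages'   = Resolve-Setting $image.ASLR.ForceRelocateImages $system.ASLR.ForceRelocateImages
    'ASLR: BottomUp'              = Resolve-Setting $image.ASLR.BottomUp            $system.ASLR.BottomUp
    'ASLR: HighEntropy'           = Resolve-Setting $image.ASLR.HighEntropy         $system.ASLR.HighEntropy
    'SEHOP'                       = Resolve-Setting $image.SEHOP.Enable             $system.SEHOP.Enable
    'Heap: TerminateOnError'      = Resolve-Setting $image.Heap.TerminateOnError    $system.Heap.TerminateOnError
    'CFG'                         = Resolve-Setting $image.CFG.Enable               $system.CFG.Enable
}

"Effective process mitigations for $Target"
$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }

if ($Enforce) {
    # Turn the baseline on for this image only. CFG is only enforceable for
    # images compiled with /guard:cf; ForceRelocateImages (mandatory ASLR) can
    # break plugins built without /DYNAMICBASE, so test before rolling out.
    Set-ProcessMitigation -Name $Target -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy,TerminateOnError,CFG
    "Baseline applied to $Target; restart the process for it to take effect."
}
```

    Run it once without -Enforce to see what the browser is actually getting (many third-party images report NOTSET and fall back to the system defaults), then with -Enforce after confirming no non-relocatable DLLs are loaded into that process.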
     
  2. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    the reality is that very few people have "that much knowledge" (ie: omniscient) of AE. I cannot imagine MalwareBytes or Hitman, or anyone else, will even contemplate the public delving into their strategies and coding just to discuss the counters to a hardware vulnerability in a community forum. As we are doing right now.

    Of interest is the 2011 date attached to Vinay Katoch's SecFence White Paper quoted by @itman. Katoch explicitly uses scripting, and in today's world that would seem to be the best--if only because the most convenient--delivery method. Certainly scripting has advanced to ridiculous levels of intrusion in the last two decades, and I can see his illustration is perfectly possible using fileless injection. He also specifies Firefox rather than IE, although that's no big surprise. So the big short term question is, do we go for banning scripts (very reasonable in commercial and SOHO networks, regardless of managerial screams) or trying to enumerate all processes running in a web-facing computer (a la MBAE)? (I disagree with the concept of not protecting OS components.)

    If a rigorous penetration test succeeds in compromising the target computer or network, then we have another problem. The average SOHO owner cannot reasonably afford the level of protection required. And yet these are still very much the target machines necessary for a botnet. Who pays? How long before mitigation/protection becomes low/no-cost?

    I do hope the OP in that post understands the difference, since the word "Alert" was sprinkled so freely :)
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Very interesting to see how the need for security mitigations increase while the mitigations themselves evolve and strengthen over a period of time.

    In addition to CFG/RFG, we are also going to see a lot more Virtualization Based Security (VBS), which is essentially security enforced by the underlying hypervisor platform. Several recent Windows 10 security features already rely upon that, but upcoming security features such as Windows Defender Application Guard will also use some form of VBS by running certain content within mini virtual machines. The next few years are going to be quite interesting. Although I can also imagine hardware requirements going up slightly over this period of time as well, because virtualization based security would come at the expense of some (likely minor) performance implications.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It may be false, but it's not likely. Like I said, AE don't try to block ASLR bypasses, they try to block the goal of the bypass, that is to run malware via certain exploitation technologies. Also, I have noticed that often these researchers completely ignore mitigation technologies, because they are so excited about their new discovery.

    Actually, basic knowledge is already enough to be able to make certain assumptions. I still don't understand why you would call it "terrifying" without even any basic knowledge about how AE and exploits work.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Turns out I was right, and there's nothing real scary about this attack.

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-521#post-2655515
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-521#post-2655725
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space