Microsoft Security Advisory (2794220)

Discussion in 'other security issues & news' started by ronjor, Dec 29, 2012.

Thread Status: Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined: Jul 21, 2003
    Posts: 57,719
    Location: Texas
    http://technet.microsoft.com/en-us/security/advisory/2794220
     
  2. ronjor

    ronjor Global Moderator

    Joined: Jul 21, 2003
    Posts: 57,719
    Location: Texas
    https://blogs.technet.com/b/srd/arc...nternet-explorer-8-users.aspx?Redirected=true
     
  3. siljaline

    siljaline Former Poster

    Joined: Jun 29, 2003
    Posts: 6,619
    Thanks for this, Ron.
     
  4. Dogbiscuit

    Dogbiscuit Guest

    http://news.cnet.com/8301-1009_3-57561277-83/ie-flaw-may-allow-windows-pcs-to-be-hijacked-microsoft-warns/
     
  5. Baserk

    Baserk Registered Member

    Joined: Apr 14, 2008
    Posts: 1,317
    Location: AmstelodamUM
    ISC Diary post, EMET 3.5: The Value of Looking Through an Attacker's Eyes. link

    Using Metasploit on an XP SP3 host, it is shown how EMET 3.5 will simply resist heap spray and ROP attacks from this exploit.

    '...Repeating the exploit with EMET 3.5 running, we see an interesting notification before Internet Explorer gracefully terminates. EMET detects the heap-spray and terminates.
    Ok. But what if the exploit didn’t include a heap-spray? We disable heap-spray detection and repeat the exploit again. This time, we choose to mitigate ROP attacks by looking for a technique known as a StackPivot (you may remember from the exploit source code). The exploit still fails as EMET detects the StackPivot.
    Maybe it doesn’t use a stack pivot. Maybe it uses some unheard-of technique that bypasses DEP by making a call to one of the several Win32 API calls that can turn off DEP such as VirtualProtect(). Nope! Again, EMET detects the call and notices it has been called from a userland process and not the kernel. It terminates Internet Explorer and notifies the user.'
     