MSRC

Security Science

The History of the !exploitable Crash Analyzer

Wednesday, April 08, 2009

At the CanSecWest conference earlier this month we made our first public release of the !exploitable Crash Analyzer. While an upcoming white paper and the CanSecWest slide deck go into detail on the technology involved, we thought it might be useful to explore the history of the tool.

Roots in Fuzzing

The technology and research that eventually became the !

Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass

Monday, March 23, 2009

Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLLs to allocate executable pages of memory at predictable locations within the iexplore.

Enhanced GS in Visual Studio 2010

Friday, March 20, 2009

In a previous post we noted some stack-based vulnerabilities, such as MS08-067, that GS was not designed to mitigate due to the degree of control available to an attacker. However, other vulnerabilities such as the ANI parsing vulnerability in MS07-017 would have been mitigated if the GS cookie protection had been applied more broadly.

GS cookie protection – effectiveness and limitations

Monday, March 16, 2009

The Microsoft C/C++ compiler supports the GS switch which aims to detect stack buffer overruns at runtime and terminate the process, thus in most cases preventing an attacker from gaining control of the vulnerable machine. This post will not go into detail about how GS works, so it may be helpful to refer to these MSDN articles for an overview and loads of detail on how GS works and what a GS cookie is.

CanSecWest Preview & New Blog URL

Thursday, March 05, 2009

It’s getting busy around here with people preparing for the CanSecWest security conference (http://cansecwest.com/). Many of the Microsoft Security Engineering Center (MSEC) and Microsoft Security Response Center (MSRC) members that regularly post to this blog will be attending CanSecWest and soaking up the 3 days of presentations & networking. If you haven’t heard us talk about the Security Science angle of MSEC before, let me explain.

Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

Monday, February 02, 2009

One of the responsibilities of Microsoft’s Security Engineering Center is to investigate defense in depth techniques that can be used to make it harder for attackers to successfully exploit a software vulnerability. These techniques are commonly referred to as exploit mitigations and have been delivered to users in the form of features like /GS, Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR).

XSS Filter Improvements in IE8 RC1

Friday, January 30, 2009

On Monday IE8 RC1 was released. Here are some of the most interesting improvements and bug fixes to the XSS Filter feature:

Some byte sequences enabled the filter to be bypassed, depending on system locale

URLs containing certain byte sequences bypassed the Beta 2 filter implementation in some locales. For example, on a system with a Chinese locale, URLs of the following format would bypass the filter: