MS13-106: Farewell to another ASLR bypass

Today we released MS13-106 which resolves a security feature bypass that can allow attackers to circumvent Address Space
Layout Randomization (ASLR) using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010.

The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since
this bypass still needs to be used in conjunction with another higher-severity vulnerability that allows remote code
execution in order to provide some value to attackers. ASLR is an important mitigation that has been supported
since Windows Vista which, when combined with Data Execution Prevention (DEP), makes it more difficult to exploit memory
corruption vulnerabilities.

Because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers
are very interested in attempting to find new bypass techniques for it. These bypass techniques typically fall into one of
three categories:

1) Presence of a DLL at runtime that has not been compiled with the /DYNAMICBASE flag (and is therefore loaded at a predictable location in memory).

2) Presence of predictable memory regions or pointers that can be leveraged to execute code or alter program behavior.

3) Leveraging a vulnerability to dynamically disclose memory addresses.

The ASLR bypass that has been addressed by MS13-106 falls into the first category. The difficulty of finding and using an
ASLR bypass varies based on the category of the technique. It is generally easier to identify DLL modules that fall into the
first category (especially expanding the search through third-party browser plugins and toolbars), while it is generally more
difficult, and less reusable, to find or create a bypass for the other two categories. For example, two of the recent
Internet Explorer exploits that were used in targeted attacks (CVE-2013-3893 and CVE-2013-3897) both relied on the
same ASLR bypass, which fell into the first category — making use of the HXDS.DLL library that is part of Office 2007/2010
that was not compiled using /DYNAMICBASE.
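The first category is the one defenders can audit for directly, because /DYNAMICBASE is recorded in the PE image itself: the linker sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the optional header's DllCharacteristics field, and the Windows loader only relocates an image to a random base when that bit is present (KB2639308 and EMET's mandatory ASLR extend randomization to images that lack the bit but still carry relocation data). The script below is an added example, not code from the original post or from Microsoft; it parses just enough of the PE/COFF headers to report whether a module opts into ASLR and DEP (/NXCOMPAT, bit 0x0100), so that a DLL like the one fixed by MS13-106 would show up as ASLR=NO in an inventory of loaded modules. The build_minimal_pe helper constructs header-only test images so the block runs offline; the field offsets follow the published PE format.

```python
"""Audit PE modules for the /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP) opt-in bits.

Added example, not part of the original MSRC post. It reads the DOS header,
the PE signature, the COFF file header and the optional header's
DllCharacteristics field, which is all that is needed for this check.
"""
import struct
import sys

# DllCharacteristics bits defined by the PE format specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linked with /NXCOMPAT

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header follows
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # optional header follows the COFF header
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> dict:
    """Summarise whether the image opts into ASLR and DEP."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image carrying the given DllCharacteristics.

    Constructed test input: not a loadable module, just enough header for the
    parser above (DOS header, PE signature, COFF header, optional header).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224        # standard optional header sizes
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2002)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Usage: python pe_aslr_audit.py <module.dll> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        try:
            report = mitigation_report(data)
        except ValueError as exc:
            print(f"{path}: not parsed ({exc})")
            continue
        print(f"{path}: ASLR={'yes' if report['aslr'] else 'NO'} "
              f"DEP={'yes' if report['dep'] else 'NO'}")
```

Pointing the script at the DLLs loaded into a browser process (or at the contents of a plugin directory) gives the same inventory that attackers build when hunting for category-one bypasses, which is exactly why it is worth running before they do; a module reporting ASLR=NO is a candidate for an update from its vendor, or for Force ASLR via KB2639308 or EMET in the meantime.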

Bolstering the effectiveness of ASLR helps to harden the security of our products and that is why MSRC continues to release
tools and updates that enforce ASLR more broadly on Windows (such as KB2639308 and EMET) and to release updates that
close known ASLR bypasses as part of our defense-in-depth strategy (such as MS13-063 for the bypass presented at
CanSecWest 2013).

Today MS13-106 closes one additional known bypass that will no longer be available to attackers.

– Elia Florio, MSRC Engineering