Exploitability | Microsoft Security Response Center

Preventing the exploitation of user mode heap corruption vulnerabilities

Tuesday, August 04, 2009

Over the past few months we have discussed a few different defense in depth mitigations (like GS [pt 1, pt2], SEHOP, and DEP [pt 1, pt 2]) which are designed to make it harder for attackers to successfully exploit memory safety vulnerabilities in software. In addition to the mitigations that we’ve discussed so far, a significant amount of effort has gone into hardening the Windows heap manager in order to complicate the exploitation of heap-based memory corruption vulnerabilities.

Community Based Defense - Redux

Monday, July 27, 2009

Handle: The Crushman IRL: Andrew Cushman Rank: Security Director Likes: Cranberry juice (thanks Jay!) Dislikes: Super helpful hotel desk clerks (thanks Raoul?) OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama.

The year-end review – well, sort of :)

Sunday, July 26, 2009

Handle: Cap’n Steve IRL: Steve Adegbite Rank: Senior Security Program Manager Lead Likes: Reverse Engineering an obscene amount of code and ripping it up on a snowboard Dislikes: Not much but if you hear me growl…run Hey! It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security.

Latest Baidu public posting requires Adminisrator to elevate

Thursday, June 11, 2009

Last night we noticed a Windows XP kernel 0day claim in win32k!NtUserConsoleControl posted on baidu.com. We took a quick look and found that the issue requires administrator privileges to execute. We are still investigating, looking for any chance of privilege escalation but so far it looks like a reliability issue, not a security vulnerability.

MS09-019 (CVE-2009-1532): The "pwn2own" vulnerability

Tuesday, June 09, 2009

IE8 behavior notes MS09-019 contains the fix for the IE8 vulnerability responsibly disclosed by Nils at the CanSecWest pwn2own competition (CVE-2009-1532). Nils exploited this vulnerability on an IE8 build that did allow .NET assemblies to load in the Internet Zone. The final, released build of IE8 does not allow .Net assemblies to load in the Internet Zone.

MIDI PoC not exploitable for code execution

Thursday, April 16, 2009

On Wednesday, a PoC was posted to milw0rm describing an “integer overflow” in Windows Media Player. We investigated the .mid file and found it to be a duplicate of a non-exploitable crash previously posted publicly on Bugtraq around Christmas, four months ago. We blogged about this same issue here: http://blogs.technet.com/srd/archive/2008/12/29/windows-media-player-crash-not-exploitable-for-code-execution.aspx

Prioritizing the deployment of the April security bulletins

Tuesday, April 14, 2009

We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you choose an order of bulletins to start your prioritization and testing if you can’t deploy them all out immediately.

The History of the !exploitable Crash Analyzer

Wednesday, April 08, 2009

At the CanSecWest conference earlier this month we made our first public release of the !exploitable Crash Analyzer. While an upcoming white paper and the CanSecWest slide deck go into detail on the technology involved, we thought it might be useful to explore the history of the tool. Roots in Fuzzing The technology and research that eventually became the !

New EMF gdiplus.dll crash not exploitable for code execution

Thursday, March 26, 2009

Yesterday we noticed a blog post and securityfocus article about a potential new vulnerability in Microsoft GDI+ when parsing a specially-crafted EMF file. You might have heard about it referred to as ‘GpFont.SetData()’. We wanted to address some speculation about this EMF parsing bug. First, our initial investigation shows that it is not exploitable for code execution.

GS cookie protection – effectiveness and limitations

Monday, March 16, 2009

The Microsoft C/C++ compiler supports the GS switch which aims to detect stack buffer overruns at runtime and terminate the process, thus in most cases preventing an attacker from gaining control of the vulnerable machine. This post will not go into detail about how GS works, so it may be helpful to refer to these MSDN articles for an overview and loads of detail on how GS works and what a GS cookie is.