When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser.
A team of experts from HP’s Zero Day Initiative (ZDI) was among those who noticed that once-reliable exploits were no longer behaving as expected, and traced the change to a number of mitigations silently introduced into IE in July. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two of those mitigations, Isolated Heap and MemoryProtection, and today announced they had been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense.
A chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs.
“We were very excited when we heard the results from Microsoft,” Gorenc, ZDI lead researcher, said. “We put a lot of time and effort into that research. We’re glad to hear Microsoft got good data out of it.”
Gorenc said Microsoft has not yet patched the issues identified in the HP ZDI research, so ZDI will not disclose details for now. He did tell Threatpost that part of the attack uses MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR).
“We use one mitigation to defeat another,” he said. “Stuff like this has been done in the past, but what’s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we’ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.”
Use-after-free vulnerabilities have overtaken buffer overflows as the hot new class of memory-corruption vulnerability. They occur when the memory a pointer refers to has been freed but the program keeps using the pointer; an attacker who can place controlled data into that freed region can then turn the stale pointer against it, causing malicious code to be executed. Microsoft, for its part, has invested money and time in building mitigations against memory-related attacks, not only with the mitigations included in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). Bypasses of and attacks against mitigations have largely been confined to researchers and academics, but some high-profile targeted attacks that have been exposed do take the presence of these mitigations into account. Operation Snowman, for example, an APT operation against military and government targets, scanned for the presence of EMET and would not execute if the tool was detected.
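To make the mechanism concrete from the defender's side, here is an added C example (not code from the article, ZDI, or Microsoft) that shows the dangling-pointer pattern behind a use-after-free next to two mitigations: clearing the reference at the point of free, and a toy allocator-side quarantine that keeps freed blocks out of circulation so a fresh allocation cannot immediately land on the stale address. The `Widget`, `Session` and quarantine code are constructed for this illustration; the quarantine is only an assumption about the general idea of making freed memory harder to reclaim, not a description of IE's internals.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a C++ object whose first field is a vtable-like
   function pointer: exactly the kind of field a use-after-free lets an
   attacker overwrite once the freed slot has been reallocated. */
typedef struct {
    void (*on_event)(void *self);
    char  label[24];
} Widget;

/* A long-lived holder that references a Widget (constructed). */
typedef struct { Widget *current; } Session;

/* ---- Unsafe pattern: the reference survives the free ---- */
static void session_close_unsafe(Session *s) {
    free(s->current);
    /* s->current still holds the old address: a dangling pointer.
       Any later s->current->on_event(s->current) is a use-after-free. */
}

/* ---- Fix 1: clear the reference at the point of free ---- */
static void session_close_safe(Session *s) {
    free(s->current);
    s->current = NULL;   /* a later use is a NULL dereference, not a UAF */
}

/* Returns 1 if a session still references an object after being closed. */
static int session_has_dangling(const Session *s) { return s->current != NULL; }

static int unsafe_close_leaves_reference(void) {
    Session s = { malloc(sizeof(Widget)) };
    session_close_unsafe(&s);
    return session_has_dangling(&s);   /* 1: the stale pointer is still there */
}

static int safe_close_leaves_reference(void) {
    Session s = { malloc(sizeof(Widget)) };
    session_close_safe(&s);
    return session_has_dangling(&s);   /* 0: nothing left to misuse */
}

/* ---- Fix 2 (allocator side): quarantine freed blocks ----
   Toy model: a freed block is poisoned and parked in a FIFO ring; only the
   block evicted from the ring is really returned to malloc. A spray of new
   allocations therefore cannot reclaim a just-freed address. */
#define QUARANTINE_SLOTS 64
static void  *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_next = 0;

static void quarantine_free(void *p, size_t size) {
    memset(p, 0xCC, size);                    /* poison stale contents */
    void *evicted = quarantine[quarantine_next];
    quarantine[quarantine_next] = p;
    quarantine_next = (quarantine_next + 1) % QUARANTINE_SLOTS;
    free(evicted);                            /* free(NULL) is a no-op */
}

/* Count how many of n fresh allocations of `size` bytes land on `victim`.
   The address is compared as an integer so no freed pointer is dereferenced. */
static int count_reuse(uintptr_t victim, size_t size, int n) {
    int hits = 0;
    void **kept = calloc((size_t)n, sizeof(void *));
    for (int i = 0; i < n; i++) {
        kept[i] = malloc(size);
        if ((uintptr_t)kept[i] == victim) hits++;
    }
    for (int i = 0; i < n; i++) free(kept[i]);
    free(kept);
    return hits;
}

/* Free a widget straight to malloc, then spray n widgets: reuse depends on
   the platform allocator and is often immediate. */
static int reuse_without_quarantine(int n) {
    Widget *w = malloc(sizeof *w);
    uintptr_t victim = (uintptr_t)w;
    free(w);
    return count_reuse(victim, sizeof *w, n);
}

/* Same spray after a quarantined free: the address cannot be reused. */
static int reuse_with_quarantine(int n) {
    Widget *w = malloc(sizeof *w);
    uintptr_t victim = (uintptr_t)w;
    quarantine_free(w, sizeof *w);
    return count_reuse(victim, sizeof *w, n);   /* always 0 */
}
```

`reuse_without_quarantine` is left unasserted because whether the C library hands the same chunk back on the next same-sized `malloc` is an allocator detail; `reuse_with_quarantine` returns 0 regardless, which is the property a deferred-free mitigation buys: the attacker loses the ability to immediately refill the freed slot with controlled data.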
Internet Explorer has seemingly been plagued by memory corruption bugs forever. Microsoft releases cumulative updates for the browser almost monthly, yet it is constantly used in targeted attacks and has been easy pickings for hackers.
“The attack surface is valuable and has to exist,” Gorenc said of IE and use-after-free bugs. “It’s an attack surface where with slight manipulations, you can gain code execution on the browser.”
ZDI is a vulnerability purchase program that rewards researchers who disclose vulnerabilities through its process; the bugs are shared with HP customers first and then with the affected vendors. Gorenc said ZDI has spent the majority of its money on the use-after-free attack surface, and that it has spent $12 million over the past nine years buying vulnerabilities.
Gorenc’s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both had spent a lot of time on IE and use-after-free submissions, HP said. For these attacks, Zuckerbraun reverse engineered MemProtect, studying how it stymied use-after-free vulnerabilities, while Hariri focused on bypassing Isolated Heap. Together with Gorenc’s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft.
The reward, meanwhile, will be donated to the three educational institutions, each of which has personal meaning to the respective researchers and their focus on STEM.
“HP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,” Gorenc said. “We look at it as a way to give back. Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.”