Microsoft Adds New Exploit Mitigations to IE 10

Windows 8 is still off on the horizon somewhere, but the new version of Internet Explorer that’s coming with it–IE 10–already is in consumer preview and it includes some major changes to the exploit mitigations. In addition to the existing implementations of ASLR, DEP and others technologies in Windows and IE, Microsoft has included a couple of new ones designed to further inhibit memory attacks.

The biggest change in IE 10 is a technology called ForceASLR that’s meant to help compensate for the fact that not every application on Windows is compiled with the flag that opts them into ASLR. One of the main exploit mitigations that Microsoft has added to Windows in recent years, ASLR (address space layout randomization) essentially turns memory modules into moving targets for attackers, making it far more difficult for them to locate their payloads where they want. This has made browser-based exploits more complicated, but it only works if developers compile their applications with a specific flag, called /DYNAMICBASE, set.

The new ForceASLR technology helps fix that shortcoming by allowing IE to tell Windows to load every module in a random location, regardless of whether it was compiled with the /DYNAMICBASE flag. Microsoft security officials say that this is among the more important additions the company has made to the security of its browser and Windows machines.

“ForceASLR is arguably the most important change to ASLR in Windows 8. ForceASLR is a new loader option used by Internet Explorer 10 to instruct the operating system to randomize the location of all modules loaded by the browser, even if a given module was not compiled with the /DYNAMICBASE flag. The ForceASLR protection was added to the Windows 8 kernel, and the feature is now available as an update to Windows 7 that will be installed when Internet Explorer 10 is installed on that platform,” Forbes Higman, a security program manager on IE, wrote in a blog post.

In addition to ForceASLR, Microsoft has included another mitigation called High Entropy ASLR that takes advantage of the larger address space that’s available on 64-bit Windows machines. The more entropy that the operating system can add to the randomization, the more difficult life will be for attackers who are trying to place their payloads precisely.

“This has the effect of drastically increasing the number of potential addresses that may be assigned to a 64bit process. All 64bit processes can opt-in to the increased entropy made available by HEASLR. Processes can opt-in either at link time (/HIGHENTROPYVA) or at load time via a new Image File Execution Option,” Higman said.

Security researchers have been looking at the new protections in IE 10 and some have said that they are going to present a serious challenge for exploitation.

“It will make exploitation much harder and more complicated,” Chaouki Bekrar of VUPEN said at the CanSecWest conference last week when talking about the new mitigations.