After blogging about the new unpatched vulnerability in Internet Explorer, I became curious about something: why wasn’t mscorie.dll linked with the /DYNAMICBASE option? That linker option marks the image as compatible with ASLR (Address Space Layout Randomization), so the loader may place it at a random base address each time it is loaded. Without it the DLL lands at a predictable address, and that predictable address is the door through which the exploit walks into remote code execution land.
mscorie.dll is identified as the “Microsoft .NET IE MIME Filter.” A Microsoft knowledge base article describing the interactions between IE and the .NET Framework explains its function:
The .NET Framework includes two components that handle the .NET Framework components in Internet Explorer. The first component, Mscorie.dll, contains a Multipurpose Internet Mail Extensions (MIME) Type Filter. This filter hooks into Internet Explorer and monitors all incoming data streams with the MIME type application/octet-stream. A primary role of this startup shim is to examine the incoming stream to see whether or not the stream is managed code. If the filter determines that the incoming data is not managed code, the filter allows Internet Explorer to handle the data the way that it did formerly.
As a workaround, Microsoft recommended that users “rebase” all DLLs used by Internet Explorer using their EMET tool (the Enhanced Mitigation Experience Toolkit). EMET’s mandatory ASLR forces the loader to relocate modules that were not flagged for ASLR, which has the same effect on the DLL as if the developers had used /DYNAMICBASE at link time. But if there was a good reason why they didn’t use it, there may be side effects of the change which we should know about. And if there was no reason, why wasn’t it done?
I asked Microsoft about this and the response from Dave Forstrom, Director, Trustworthy Computing, was:
Microsoft’s analysis does not indicate any potential problems by rebasing mscorie.dll.
So why didn’t they do it to begin with? It turns out that /DYNAMICBASE is only recommended, not required, by the Microsoft SDL (Security Development Lifecycle). That, in and of itself, is not a reason not to use it, but it is a reason why a DLL without it might pass inspection.
Still, a DLL loaded at a fixed, predictable address is one of only a few ways to get around the combination of DEP+ASLR: it hands the attacker known code addresses to build a return-oriented payload from, no matter how the rest of the process is randomized. I would expect Microsoft to start flushing out cases like these and rebasing the files where possible. If there is no reason why you shouldn’t run EMET to force ASLR on this module, then there is no reason Microsoft shouldn’t have used /DYNAMICBASE.
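To see for yourself whether a module opts in to ASLR, read its PE header: /DYNAMICBASE sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the optional header’s DllCharacteristics field, and /NXCOMPAT sets the DEP bit next to it. The script below is an added example, not code from the original post or from Microsoft. It assumes nothing beyond the public PE/COFF header layout; the function names (parse_pe_headers, aslr_report, build_minimal_pe, check_file) are mine, and the header-only sample images it builds are constructed for the demonstration rather than taken from any real DLL. Pass a module path on the command line to inspect a real file instead.

```python
"""Check whether a PE image (DLL/EXE) is flagged for ASLR and DEP.

Added example, not code from the original post. It reads the PE headers
directly so it can be pointed at any Windows module (for instance
mscorie.dll) to see whether the linker set /DYNAMICBASE and /NXCOMPAT,
and whether relocation data survived so the image can be moved at all.
"""
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link /NXCOMPAT
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc data
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_headers(image: bytes) -> dict:
    """Return the COFF Characteristics and optional-header DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional, file_characteristics = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "magic": magic,
        "file_characteristics": file_characteristics,
        "dll_characteristics": dll_characteristics,
    }


def aslr_report(image: bytes) -> dict:
    """Summarise the mitigation-relevant header bits of a PE image."""
    hdr = parse_pe_headers(image)
    relocs_stripped = bool(hdr["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Without relocation data nothing can move the image, not even EMET's
        # mandatory ASLR; with it, a missing flag can be compensated for by forcing relocation.
        "relocatable": not relocs_stripped,
    }


def build_minimal_pe(dll_characteristics: int, magic: int = PE32_MAGIC,
                     relocs_stripped: bool = False) -> bytes:
    """Construct a header-only PE image (constructed sample input, not a real module)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 if magic == PE32_MAGIC else 112  # optional header without data directories
    file_chars = 0x2002  # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL
    if relocs_stripped:
        file_chars |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x14C if magic == PE32_MAGIC else 0x8664,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Report on a real module on disk."""
    with open(path, "rb") as f:
        return aslr_report(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        # No path given: demonstrate on two constructed images.
        both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        print("linked with /DYNAMICBASE /NXCOMPAT:", aslr_report(build_minimal_pe(both)))
        print("linked without /DYNAMICBASE:",
              aslr_report(build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)))
```

The relocs_stripped bit is the caveat that matters for the EMET workaround: mandatory ASLR can only move an image that still carries relocation data, so a module linked with /FIXED cannot be rebased by anyone. A module like mscorie.dll that merely lacks the DYNAMIC_BASE flag but keeps its .reloc section is the case EMET can fix.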


– on Security Watch
Posted on 24 December 2010. Tags: 0day, Developer, error, Microsoft, shows