[Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
fred.vicious at gmail.com
Thu Oct 1 15:52:39 BST 2009
Microsoft released Internet Explorer 8 on March 19, 2009, and up to now
there's no reliable method to exploit memory corruption vulnerabilities on
I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in
the IFRAME overflow exploit, which has been used by almost every IE
memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP
and ASLR protections, making heap spray useless. Then Mark Dowd and
Alexander Sotirov published their great paper, Bypassing Browser Memory
Protections, providing some excellent techniques, mainly the .NET binary
technique, which bypasses DEP and ASLR and was used by Nils at the latest
Pwn2Own to own Internet Explorer 8 RC (Release Candidate) and was used
to mass-exploit other vulnerabilities. One day after Nils owned IE8 RC,
Microsoft released Internet Explorer 8 RTM and blocked the option to load
.NET DLLs from the Internet zone and Restricted sites zone. Due to the fact
that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local
machine zone, this makes the .NET DLL technique irrelevant most of the
So my question is: is there no reliable method to exploit memory corruption
vulnerabilities in Internet Explorer 8?