Diving into the Internet Explorer vulnerability

on Apr 30, 14 • by Roy Sarkar • with No Comments


A new zero-day exploit within Microsoft Internet Explorer was revealed this week and presents the latest in a string of flaws by which software security is making headlines this year. The exposure (pun intended) is an interesting opportunity, however, as it shows how gaps in software testing can have potentially catastrophic results – and how Klocwork fills in those gaps.

Exploring the issue

Right now, attackers are actively exploiting the vulnerability, known as CVE-2014-1776, which could potentially affect over a third of the browser market. The hole exists in versions 6 through 11 of Internet Explorer, and the exploit uses an existing exploitation technique in Adobe Flash Player to give an attacker access to memory after it has been freed by the application. The Flash Player technique allows an attacker to bypass two methods that Windows uses to prevent exploits: Address Space Layout Randomization (ASLR), which randomizes the memory locations where system libraries and applications are loaded, and Data Execution Prevention (DEP), which marks certain areas of memory as protected and non-executable. To bypass these methods, attackers use a Flash SWF file that’s designed to perform a heap spray, allocating vectors to cover memory addresses that can be corrupted to pivot control back to the attacker’s code, a technique known as return-oriented programming (ROP).

Once control is taken, the SWF file calls into Internet Explorer’s JavaScript to trigger the IE bug and overwrite the length field of a Flash vector object. This exploits a weakness known as “use-after-free”, in which a program keeps using a piece of memory after it has been freed, letting an attacker plant and execute arbitrary code in that memory. Once the length field of the vector object is overwritten, the SWF file can perform arbitrary memory accesses to bypass the ASLR and DEP protection and execute its own code.

Finding the issue

As complicated as the use-after-free exploit sounds, static code analysis has no problem finding the underlying defect on the developer’s behalf. In fact, Klocwork detects several different types of use-after-free problems – here’s just one example from our checker documentation:

#include <stdlib.h>

/* Deliberately defective: the static pointer is freed on request but never
   cleared, so this call (and every later one) returns a pointer into freed memory. */
int *foo(int t) {
    static int *x = NULL;
    if (!x) {
        x = (int *)malloc(4 * sizeof(int));   /* allocated once and cached */
    }
    if (t) {
        free(x);                             /* freed, but x still holds the old address */
    }
    return x + 1;                            /* use after free: a dangling pointer is returned */
}

Here, Klocwork reports that the memory pointed to by x is freed and reused, potentially causing unexpected values and perhaps leading to crashes or arbitrary code execution (imagine if x now points to a different memory location when the developer doesn’t expect it – that new memory location is now vulnerable to attack). This is a simple example, of course; in most real-world code, the free and the later use are much further apart.
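As an added illustration (not Klocwork’s code or the post’s own), here is the foo() pattern from the checker documentation wrapped in a constructed, hypothetical lifetime-tracking allocator: the wrapper records whether each block has been freed, so the dangling pointer foo() returns can be recognized at runtime, and foo_fixed shows the discipline (clear the cached pointer after free and tell the caller) that removes the defect. All function and variable names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed lifetime-tracking allocator (hypothetical, not Klocwork's code): it
 * records each block and whether it was freed, so a pointer can be checked for
 * dangling before it is dereferenced. */
#define MAX_TRACKED 16
static struct { void *ptr; size_t size; int freed; } table[MAX_TRACKED];
static int n_tracked = 0;
void *tracked_malloc(size_t size) {
    void *p = n_tracked < MAX_TRACKED ? malloc(size) : NULL;
    if (p) { table[n_tracked].ptr = p; table[n_tracked].size = size; table[n_tracked++].freed = 0; }
    return p;
}
/* Newest record covering an address wins, since the allocator may reuse addresses. */
static int find_record(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = n_tracked - 1; i >= 0; i--) {
        uintptr_t base = (uintptr_t)table[i].ptr;
        if (a >= base && a < base + table[i].size) return i;
    }
    return -1;
}
/* 0 on success, -1 for an unknown pointer, -2 on a double free (CWE-415). */
int tracked_free(void *p) {
    int i = find_record(p);
    if (i < 0 || table[i].ptr != p) return -1;
    if (table[i].freed) return -2;
    table[i].freed = 1;
    free(p);
    return 0;
}
/* 1 if p points into a live block, 0 if it dangles into freed or unknown memory. */
int tracked_is_live(const void *p) { int i = find_record(p); return i >= 0 && !table[i].freed; }

/* The post's foo() pattern, instrumented: the static cache keeps the stale pointer
 * after free, so this call and every later one hand out dangling memory. */
int *foo_tracked(int t) {
    static int *x = NULL;
    if (!x) x = tracked_malloc(4 * sizeof(int));
    if (t) tracked_free(x);
    return x + 1;
}
/* Hardened variant: clear the cache after free and return NULL to the caller, so the
 * next call reallocates instead of handing out the freed block again. */
int *foo_fixed(int t) {
    static int *x = NULL;
    if (!x) x = tracked_malloc(4 * sizeof(int));
    if (t) { tracked_free(x); x = NULL; return NULL; }
    return x + 1;
}
```

A static checker reaches the same verdict without running anything: it sees that the value of x flows from free(x) to the return on the same path.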

Like other recent examples of issues in code security, this IE flaw illustrates the difficulties of effective software testing and the impact when these problems reach the field. Tools like static code analysis show how simple it is to make testing easier and code less vulnerable to attack.

Learn more:

• The original vulnerability attack report by FireEye
• Microsoft’s Security Advisory
• Our 20 minute course on another type of problem when freeing memory – CWE-415 Double Free
