Hacker Bypasses Windows 7 Anti-Exploit Features In IE 8 Hack
Kelly Jackson Higgins writes on Dark Reading:
A Dutch researcher won $10,000 in the Pwn2Own hacking contest this week for hacking Internet Explorer 8 on a Windows 7 machine -- bypassing built-in anti-exploit features in the operating system.More here.
Independent researcher Peter Vreugdenhil waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Other successful hacks in the annual contest held at CanSecWest in Vancouver were a non-jailbroken iPhone, Firefox on Windows 7, and Safari on Snow Leopard, each conducted by other researchers who also won the big cash prize. A hacker known as "Nils" hacked Firefox on Windows 7 -- also bypassing DEP and ASLR with an exploit of his own, the details of which were not available at the time of this posting.
Vreugdenhil used a two-part exploit: First he located a specific .dll file to evade ASLR, and then used that information to trigger an exploit that disabled DEP. He used a heap overflow attack to get the address of the .dll file, he said in a paper [.pdf] describing the attack. He would not reveal the vulnerabilities in IE 8 that he exploited, however: "But I might disclose them someday when Microsoft has them patched," he wrote.