© recon.cx 2005-2015
  • home
  • conference
  • training
  • schedule
  • cfp
  • sponsors
  • travel
  • archives
  • contact

Recon 2015 Schedule

  • Schedule
  • Speakers
  • Events
  • iCalendar
  • -
  • xCal
  • -
  • XML
  • -
  • JSON


lecture: Abusing Silent Mitigations

Understanding weaknesses within Internet Explorer's Isolated Heap and MemoryProtection

Event_large

In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap.

This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.

Info

Day: 2015-06-19
Start time: 11:00
Duration: 01:00
Room: Grand Salon
Track: Main

Links:

  • iCalendar

Speakers

Person_small
Brian Gorenc
Person_small
Simon Zuckerbraun
Person_small
Abdul-Aziz Hariri