- Jul 21, 2011
- 669
http://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/
Vanilla Firefox doesn’t seem to be missing ASLR/DEP protection; the process will have DEP enabled and neither firefox.exe nor the DLLs seem to be missing ASLR. Headache for an exploit writer. However, many typical users and organizations will install a security suite from typical antivirus vendors like McAfee and Symantec.
I obtained an evaluation copy of McAfee’s premier product, their “Ultimate” “Total Protection” to test out and installed it on a Vista VM.
McAfee injected no fewer than seven DLLs into Firefox, and no fewer than seven fail to enable ASLR. The attacker is provided megabytes of surface to launch an exploit off of.
It is easy for an attacker to detect if the McAfee extension has been loaded into the browser by referencing a resource in the extension.
In summary, McAfee’s security suite opens a hole through the best defenses of Microsoft and Mozilla against exploitation.
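Added example, not from the linked post: a small Python check a defender can run over the modules loaded into a browser process to list those whose PE header does not opt in to ASLR (the DYNAMIC_BASE bit), which is the gap the post describes. The module names and PE images below are constructed for the demo; on a real system you would read each DLL's bytes from disk.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional = e_lfanew + 4 + 20            # skip signature and COFF header
    magic = struct.unpack_from("<H", image, optional)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    return struct.unpack_from("<H", image, optional + 70)[0]


def modules_without_aslr(modules: dict) -> list:
    """Names of loaded modules whose header does not opt in to ASLR.

    One such module gives a fixed code base, the surface the post describes.
    DEP for the process is governed by the EXE's NX_COMPAT bit and system
    policy, so a DLL missing NX_COMPAT is not by itself the problem.
    """
    return sorted(name for name, img in modules.items()
                  if not dll_characteristics(img) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 header for testing only; not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386 DLL
    optional = (struct.pack("<H", 0x10B) + b"\0" * 68
                + struct.pack("<H", characteristics) + b"\0" * 152)
    return dos + b"PE\0\0" + coff + optional


# Constructed sample set; the vendor names are hypothetical, not real module names.
SAMPLE_MODULES = {
    "xul.dll": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "vendor_hook.dll": build_sample_pe(0),
    "vendor_scan.dll": build_sample_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}

if __name__ == "__main__":
    print("modules without ASLR:", modules_without_aslr(SAMPLE_MODULES))
```

On a live Windows box the list of loaded modules can be taken from Process Explorer (which also shows an ASLR column) and the function pointed at each file's bytes.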