- Jan 24, 2011
- 9,378
In late December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS told users it wasn't much of a threat because the worst it probably could do was crash the application.
Thanks at least in part to security mitigations added to recent operating systems, attackers targeting the heap-overrun flaw had no way to control data that got overwritten in memory, IIS Security Program Manager Nazim Lala blogged. It was another victory for Microsoft's defense-in-depth approach to code development, which aims to make exploitation harder by adding multiple security layers.
However, it turned out that wasn't the case. White-hat hackers Chris Valasek and Ryan Smith of security firm Accuvant Labs soon posted screenshots showing they had no trouble accessing parts of memory in the targeted machine that the protection – known as heap exploitation mitigation – should have made off limits. With that hurdle cleared, they had shown the IIS zero-day bug was much more serious than Microsoft's initial analysis had let on.
“The point was proven that you could actually start to execute code, as opposed to them saying: 'Don't worry about it. It can only crash your server',” said Valasek, who is a senior research scientist for Accuvant.
More details - link
Thanks at least in part to security mitigations added to recent operating systems, attackers targeting the heap-overrun flaw had no way to control data that got overwritten in memory, IIS Security Program Manager Nazim Lala blogged. It was another victory for Microsoft's defense-in-depth approach to code development, which aims to make exploitation harder by adding multiple security layers.
However, it turned out that wasn't the case. White-hat hackers Chris Valasek and Ryan Smith of security firm Accuvant Labs soon posted screenshots showing they had no trouble accessing parts of memory in the targeted machine that the protection – known as heap exploitation mitigation – should have made off limits. With that hurdle cleared, they had shown the IIS zero-day bug was much more serious than Microsoft's initial analysis had let on.
“The point was proven that you could actually start to execute code, as opposed to them saying: 'Don't worry about it. It can only crash your server',” said Valasek, who is a senior research scientist for Accuvant.
More details - link
