Internet Explorer is possibly the most popular target for vulnerabilities around today. In 2014 alone, a total of 243 memory corruption vulnerabilities in Internet Explorer were disclosed and patched. Every Microsoft Patch Tuesday cycle contains one bulletin that covers multiple IE vulnerabilities: the monthly "Cumulative Security Update for Internet Explorer", as Microsoft calls it. There have been many zero-day attacks that specifically targeted vulnerabilities in Internet Explorer, such as:

not entirely all-new. Its HTML rendering engine is a forked version of Trident (the engine found in Internet Explorer), which is now called Microsoft Edge HTML. However, much of the underlying code has been modified to remove IE-specific technologies that will not be part of Edge. Several new features have also been introduced to the browser.

MemGC

MemGC uses mark-and-sweep garbage collection to help defeat use-after-free (UAF) exploits. Edge uses MemGC to manage the memory of DOM objects and their supporting objects. In the past two years, UAF vulnerabilities have been a significant problem for Internet Explorer; each Patch Tuesday cumulative update contains fixes for several of them. To help remedy the situation, in the summer of 2014 Microsoft added two mitigation techniques to IE. The first is the Isolated Heap, which manages most DOM objects and their supporting objects. The second is MemoryProtection. The Isolated Heap makes it harder for attackers to fill a freed object's block with their own data. MemoryProtection prevents UAF exploits where the pointer to the freed object remains on the stack; in other situations, it makes UAF exploits more difficult.
Figure 1. MemoryProtection flow chart

These two mitigations increased the difficulty of UAF exploits, but there are still many ways to bypass them, especially in cases where the pointer to the freed block did not remain on the stack.
Figure 2. UAF exploit steps

UAF exploits typically follow these steps:
- Object A's heap block is allocated.
- Object A is freed.
- Attacker fills the heap block with their own data.
- Object B still references Object A. This means that whenever Object A is accessed through Object B, the code operates on attacker-controlled data.
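To make the MemGC idea concrete, the following C program is a small model of a deferred-free, mark-and-sweep heap. It is an added illustration written for this page, not Microsoft's code; the real MemGC inside edgehtml.dll is far more involved, and the `memgc_*` functions, the `Obj`/`Block` types and the two scenario functions are assumptions of this toy. It walks the four steps above: because a freed block is zeroed and kept until a mark-and-sweep pass finds no reference to it, the attacker's fill in step 3 cannot land in Object A's block while Object B still points at it, and the block is only handed out again once that reference is gone.

```c
/* Toy model of a MemGC-style deferred-free heap (added illustration, not
 * Microsoft's code). Freeing only zeroes and flags a block; a mark-and-sweep
 * pass reclaims it only when no reachable object still references it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS 8
#define NREFS   2   /* references each object may hold to other objects */

typedef struct Obj {
    int id;                  /* payload; constructed sample data */
    struct Obj *refs[NREFS]; /* outgoing references to managed objects */
} Obj;

typedef struct {
    Obj  obj;          /* first member on purpose: Obj* casts back to Block* */
    bool in_use;       /* handed out and not yet reclaimed by a sweep */
    bool pending_free; /* freed by the program but still owned by the GC */
    bool marked;       /* reached from a root during the current mark phase */
} Block;

static Block heap[NBLOCKS];
static Block *block_of(Obj *o) { return (Block *)o; }

/* Only blocks that a sweep has actually reclaimed are handed out again. */
Obj *memgc_alloc(int id) {
    for (int i = 0; i < NBLOCKS; i++) {
        if (!heap[i].in_use) {
            memset(&heap[i], 0, sizeof heap[i]);
            heap[i].in_use = true;
            heap[i].obj.id = id;
            return &heap[i].obj;
        }
    }
    return NULL; /* heap exhausted */
}

/* Deferred free: zero the contents so stale data cannot be read back, and
 * flag the block; it is reusable only once a sweep proves it unreferenced. */
void memgc_free(Obj *o) {
    Block *b = block_of(o);
    memset(&b->obj, 0, sizeof b->obj);
    b->pending_free = true;
}

/* Mark phase: follow references transitively from one root. */
static void mark(Obj *o) {
    if (o == NULL || !block_of(o)->in_use || block_of(o)->marked) return;
    block_of(o)->marked = true;
    for (int i = 0; i < NREFS; i++) mark(o->refs[i]);
}

/* Sweep phase: reclaim pending blocks no root reached; returns the count. */
int memgc_collect(Obj **roots, size_t nroots) {
    for (int i = 0; i < NBLOCKS; i++) heap[i].marked = false;
    for (size_t r = 0; r < nroots; r++) mark(roots[r]);
    int reclaimed = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        if (heap[i].in_use && heap[i].pending_free && !heap[i].marked) {
            heap[i].in_use = heap[i].pending_free = false;
            reclaimed++;
        }
    }
    return reclaimed;
}

/* The four UAF steps from the post, with B's reference to A still live when
 * the fill is attempted. Returns true only if the filler allocation landed
 * in A's block, i.e. if the stale reference could have been exploited. */
bool dangling_block_reused(void) {
    memset(heap, 0, sizeof heap);
    Obj *a = memgc_alloc(1);         /* step 1: A's block is allocated     */
    Obj *b = memgc_alloc(2);
    b->refs[0] = a;                  /* step 4's precondition: B -> A      */
    memgc_free(a);                   /* step 2: A freed; B's ref dangles   */
    Obj *roots[] = { b };
    memgc_collect(roots, 1);         /* A is reached via B, so it is kept  */
    Obj *filler = memgc_alloc(0x41); /* step 3: attempt to reoccupy A      */
    return filler == a;
}

/* Same sequence, but B drops its reference first: the sweep now reclaims A
 * and the block is legitimately reusable. Returns true on that outcome. */
bool block_reclaimed_after_reference_dropped(void) {
    memset(heap, 0, sizeof heap);
    Obj *a = memgc_alloc(1);
    Obj *b = memgc_alloc(2);
    b->refs[0] = a;
    memgc_free(a);
    b->refs[0] = NULL;               /* last reference to A goes away      */
    Obj *roots[] = { b };
    int reclaimed = memgc_collect(roots, 1);
    return reclaimed == 1 && memgc_alloc(3) == a;
}

int main(void) {
    printf("A's block reused while B still references it: %d\n", dangling_block_reused());
    printf("A's block reclaimed once unreferenced:        %d\n", block_reclaimed_after_reference_dropped());
    return 0;
}
```

The root set here is just Object B; a real collector scans stacks, registers and globals, which is also why the MemoryProtection case of a pointer left on the stack keeps the block alive. Zeroing in `memgc_free` is what stops step 4 from reading whatever the previous owner left behind, and the retained-until-unreferenced rule is what stops step 3 from putting attacker data there.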
Figure 3. How MemGC prevents UAF exploits

Abandonment

Memory corruption is a common class of vulnerabilities which deserves special attention. The Microsoft Edge HTML rendering engine found in the file edgehtml.dll introduced a new class called Abandonment. Abandonment detects error conditions and raises a FAIL_FAST_EXCEPTION if one is detected. This prevents the error from spreading further, stopping any potential exploit.
Figure 4. Abandonment class

The Abandonment class can detect and deal with the following abnormalities:
- Double Free
- Out Of Memory
- Invalid Pointer
- Invalid Arguments
- Unreachable Code
- Not Yet Implemented Function
- Excepted return value