New “JIT Spray” Penetrates Best Windows Defenses
- Thursday, February 4, 2010, 14:23
- Threat Research
New attack techniques have proven capable of penetrating the state of the art in Windows systemic defenses, specifically DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). A demonstration was made today at BlackHat in DC and one firm has released a proof of concept to their customers.
Attacks against ASLR and DEP individually have been around for some time, but the two have tended to reinforce each other: a bypass of DEP is usually blocked by ASLR, and a bypass of ASLR is usually blocked by DEP. The new technique works on systems with both defenses in place. DEP has been supported in Windows since Windows XP SP2, although it is not turned on by default. ASLR was introduced in Windows Vista. In both cases the program or the user has to opt in to use the feature. Many modern programs, such as IE8, Acrobat and Flash, all opt in.
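A program's opt-in to DEP and ASLR is recorded in its PE header: the linker sets the NX_COMPAT and DYNAMIC_BASE bits of the optional header's DllCharacteristics field. The following added example (not code from the original post) reads those two bits so a defender can audit which deployed binaries actually opt in; it builds a constructed, minimal PE32 header in place of a real file, and the field offsets come from the published PE format rather than from this post.

```python
import struct

# DllCharacteristics bits that record a program's opt-in to ASLR and DEP
# (set by the linker's /DYNAMICBASE and /NXCOMPAT options).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_optin(data: bytes) -> dict:
    """Return which of ASLR/DEP a PE image opts into, read from its optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header in both
    # the PE32 and the PE32+ layout.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_fake_pe(dll_chars: int) -> bytes:
    """Constructed sample: a minimal, non-runnable PE32 header carrying the given flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)  # i386, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    for flags in (0, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, both):
        print(f"DllCharacteristics=0x{flags:04x}: {pe_mitigation_optin(build_fake_pe(flags))}")
```

Against a real binary, pass the file's bytes to `pe_mitigation_optin`; a program that reports `dep: False` relies entirely on the system-wide DEP policy for protection.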
The attack is a "JIT Spray," the details of which may have been released at Black Hat today, but they aren't documented well yet. DEP stops attackers from writing executable code to the heap and running it, because the heap is marked as non-executable. JIT spraying gets around this by spraying pages that are marked as executable.
We first heard of the exploit a