Community feedback helped build fortified IE8 Print
Written by Rebecca Mints   
Tuesday, 24 March 2009 01:21
Microsoft Corporation’s security team has applauded its colleagues in the security community for giving factual and accurate feedback that help them develop their products. The latest case is that of the Internet Explorer which the security community had reported to be vulnerable to attacks using the .NET framework DLL files. Jonathan Ness of the Microsoft Security Response Center Engineering posted on the latest MSRC bulletin that the IE team was able to install mitigating measures on the IE version 8 owing mainly from the security community’s feedback. 

The new IE8 on Windows Vista is now capable of blocking the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. 

“We are always learning from the security community. The feedback we receive from the community is invaluable. It is usually a different view of our products that we can use to help protect customers,” said Ness.

Ness cited a particular feedback they received about IE that prompted the team to develop IE8.

“Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate executable pages of memory at predictable locations within the iexplore.exe process. They were then able to demonstrate how .NET behavior could be combined with a separate exploitable memory corruption vulnerability to run arbitrary code,” Ness began in his post.

“Last week, the IE team launched IE8 with an interesting mitigation that comes directly from the security community's feedback,” he then added.

The latest IE8 has a new URLAction that regulates loading of the .NET MIME filter. “By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone,” Ness explained.

The MSRC says IE8’s strength is that it has a layer of defenses on top of defenses. “No browser is 100% secure but we are hoping if we keep adding defenses they will be harder and harder to exploit,” the group said.