Denys Rudyi - Fotolia
ASLR bypass flaws have been in the news lately; I read about one in Internet Explorer that Microsoft will not patch. What are the best ways to improve Web browser security and prevent falling victim to ASLR bypass vulnerabilities?
Microsoft has made significant advances in securing Windows in the last 10-plus years and one of the significant improvements was adding address space layout randomization. ASLR "is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory." It is one of the key operating system protections for software with vulnerabilities, but does not mitigate all potential vulnerabilities.
In 2014, Microsoft introduced ASLR features called Isolated Heap and MemoryProtection, but it did not address all potential ways memory can be exploited as part of an attack. These two new memory protections required Microsoft to test the impact of the new ASLR features on legitimate software and on the operating system to help determine if the new ASLR features broke legitimate software or introduced new software defects into the operating system. Given the complexity of ASLR and other memory protections, it is difficult and resource intensive to implement new protections. The complexity of ASLR also requires Microsoft to do a cost-benefit analysis and understand the overall additional protection for its customer base.
Not all security vulnerabilities are high enough risk to merit the potential significant resources needed to fix them. This is a very delicate balance, and in the past Microsoft has decided to introduce major security changes for comprehensive service packs or the next version of Windows.
Since 32-bit Internet Explorer is not being patched for the disclosed vulnerability, potential additional protections against an ASLR bypass vulnerability include deploying Microsoft's Enhanced Mitigation Experience Toolkit and running Internet Explorer in a sandbox or secure VM. These protections could also defend against other future vulnerabilities similar to the ASLR bypass flaw. HP TippingPoint also has protections in place for its customers.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn how to adapt your security program for emerging threats
Find out how to defend against digitally signed malware
Discover whether it's time to ditch the RC4 algorithm
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading