Microsoft said it is investigating a report from Alexander Anisimov of the Russian security firm Positive Technologies that details how to bypass Windows XP SP2 heap protection and turn a buffer overflow into a usable attack vector.
According to Positive Technologies, maker of the MaxPatrol security scanner, it initially notified Microsoft of the bypass on Dec. 21, 2004, and sent proof-of-concept code to the company on Dec. 22. The MaxPatrol team also indicated that Microsoft provided an initial response the same day, though at this point no fix or patch appears to have been issued.
The exploitation of buffer overflows (overruns) is a common attack vector for malicious users seeking to gain control of a user’s PC. A spokesperson for Microsoft noted that heap overflow protection was never meant to be foolproof.
According to Positive Technologies officials, the effect of a successful attack using the method they detail is that an attacker can execute arbitrary code, including gaining write access to arbitrary memory regions.
The report said an attack could also effectively bypass Microsoft’s Data Execution Prevention (DEP) measures, which could leave a PC wide open to further infiltration and damage.
Windows XP SP2 contains mechanisms that are supposed to prevent or limit buffer overflows: NX protection for 64-bit processors (a chip-level “No Execute” flag) and something called Sandboxing, which was added in Service Pack 2 (SP2) for 32-bit processors.
Sandboxing protects the stack
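The heap protection the article refers to rests on the allocator refusing to trust the forward/backward pointers stored inside a freed chunk. The following C program is an added illustration, not Microsoft’s heap code or anything from the Positive Technologies report: it models a doubly-linked free list with a toy `chunk_t` header and compares an unchecked unlink (which writes through whatever pointers the chunk holds) with a checked one that first verifies both neighbours still point back at the chunk. The list, the chunk layout and the corruption scenario are all constructed for the example.

```c
/* Toy model of a doubly-linked free list with a "safe unlink" consistency
 * check. Illustrative only: the chunk layout and list are invented for this
 * example and do not reproduce the Windows heap. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef struct chunk {
    struct chunk *flink;   /* next free chunk */
    struct chunk *blink;   /* previous free chunk */
    size_t size;           /* payload size (unused by the checks below) */
} chunk_t;

typedef struct {
    chunk_t head;          /* sentinel: head.flink is the first free chunk */
    int rejected;          /* count of unlinks refused as inconsistent */
} freelist_t;

void freelist_init(freelist_t *fl) {
    fl->head.flink = &fl->head;
    fl->head.blink = &fl->head;
    fl->head.size = 0;
    fl->rejected = 0;
}

/* Insert c at the front of the list. */
void freelist_push(freelist_t *fl, chunk_t *c) {
    c->flink = fl->head.flink;
    c->blink = &fl->head;
    fl->head.flink->blink = c;
    fl->head.flink = c;
}

/* Unchecked unlink: writes through c's pointers unconditionally. If an
 * overflow has overwritten c's header, the two stores land wherever the
 * corrupted pointers say, which is the "arbitrary memory write" the article
 * describes. Shown only for contrast; the demo never calls it on bad data. */
void unlink_unchecked(chunk_t *c) {
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
}

/* Checked unlink: before storing through either pointer, require that the
 * neighbours agree c sits between them. Returns 1 on success, 0 when the
 * entry is inconsistent and is therefore left untouched. */
int unlink_safe(freelist_t *fl, chunk_t *c) {
    if (c->flink->blink != c || c->blink->flink != c) {
        fl->rejected++;
        return 0;
    }
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
    return 1;
}

int freelist_length(const freelist_t *fl) {
    int n = 0;
    for (const chunk_t *p = fl->head.flink; p != &fl->head; p = p->flink) n++;
    return n;
}

/* Healthy case: three chunks, remove the middle one. Returns remaining count. */
int demo_healthy_unlink(void) {
    freelist_t fl;
    chunk_t a = {0}, b = {0}, c = {0};
    freelist_init(&fl);
    freelist_push(&fl, &a);
    freelist_push(&fl, &b);
    freelist_push(&fl, &c);
    unlink_safe(&fl, &b);
    return freelist_length(&fl);          /* 2 */
}

/* Corruption case: chunk b's header has been overwritten (simulated here by
 * direct assignment) so that both pointers aim at an unrelated region.
 * Returns the number of rejected unlinks; the region is never written. */
int demo_corrupted_unlink(void) {
    freelist_t fl;
    chunk_t a = {0}, b = {0}, c = {0};
    chunk_t region;                        /* stand-in for a victim address */
    memset(&region, 0, sizeof region);
    freelist_init(&fl);
    freelist_push(&fl, &a);
    freelist_push(&fl, &b);
    freelist_push(&fl, &c);
    b.flink = &region;                     /* constructed corruption */
    b.blink = &region;
    unlink_safe(&fl, &b);                  /* refused: region.flink stays NULL */
    return fl.rejected + (region.flink == NULL ? 0 : 100);
}

int main(void) {
    printf("healthy unlink leaves %d chunks\n", demo_healthy_unlink());
    printf("corrupted unlink rejected %d time(s)\n", demo_corrupted_unlink());
    return 0;
}
```

The point of the check is that the allocator verifies an invariant it can test cheaply (both neighbours point back at the chunk) before performing stores whose addresses come from memory an overflow could have changed; a protection of this shape raises the bar without being airtight, which is the caveat Microsoft’s statement below makes.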
According to an e-mail statement from a Microsoft representative, the company’s early analysis indicates that this attempt to bypass these features is not a security vulnerability: an attacker cannot use this method by itself to run malicious code on a user’s system, no known attack utilizes it, and customers are not at risk from the situation, in Microsoft’s opinion.
However, Microsoft isn’t claiming that SP2’s method for preventing buffer overflows will stop all such attacks.
“It’s important to note that data execution protection and heap overflow protection were never meant to be foolproof; the purpose of these features is to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun,” the Microsoft e-mail states.
“We will continue to modify these technologies as appropriate to improve them and will evaluate ways to mitigate against this method of bypass while retaining performance on the system, either through an update as part of our monthly bulletin release process, or in a future service pack.”