Zero-Day Exploit targeting Internet Explorer Versions 9 through 11. FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue. Windows XP has reached the end of Microsoft's support, so it is not included in this round of updates.
PS1 “Use After Free” Flaws: A New Theme for IE Vulnerability (CVE-2012-4969)
http://security.stackexchange.com/questions/20371/from-a-technical-standpoint-how-does-the-zero-day-internet-explorer-vulnerabili
How an attacker exploits them: by enticing one of your users to visit a malicious web page.
An object is allocated (malloc) and a pointer to it is kept. During page execution the object is unexpectedly freed, but the original pointer still points at that location, so the attacker can access that location and change its contents so that control jumps to the shellcode (with DEP enabled, via ROP). When IE later calls Exec() through that stale pointer, the payload is triggered. In this case, when Internet Explorer opens the attack page the CMshtmlEd object is deleted and freed, the freed memory is reused, and the result is the use-after-free.
PS2 Flash exploitation technique (Bypass ASLR)
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html
Here are just a few interesting bypass techniques that we have tracked in the past year:
1. Using non-ASLR modules. Loading a non-ASLR module is the easiest and most popular way to defeat ASLR protection. Two popular non-ASLR modules are used in IE zero-day exploits: MSVCR71.DLL and HXDS.DLL.
   MSVCR71.DLL (JRE 1.6.x): by default, this DLL is loaded into the IE process at a fixed location on Windows 7 with IE8/9.
   HXDS.DLL: the most frequently used ASLR bypass for IE 8/9 on Windows 7. This DLL is loaded when the browser loads a page with ‘ms-help://’ in the URL.
   Limitation: the non-ASLR module technique requires IE 8 and IE 9 to run with old software such as JRE 1.6 or Office 2007/2010.
2. Modifying the BSTR length/null terminator. Corrupt the length of a BSTR so that using the BSTR can access memory outside of its original boundaries. Some vulnerabilities can only increase/decrease memory pointers by one or two bytes. In this case, the attacker can modify the null terminator of a BSTR to concatenate the string with the next object.
3. Modifying the Array object (CVE-2013-0634, Adobe Flash Player regex handling buffer overflow). Set up a continuous memory layout by allocating objects, then free the object at index 1 of those objects as follows: obj = null; Allocate the new RegExp object; this allocation reuses memory in the obj position as follows: boom = "(?i)()()(?-i)||||||||||||||||||||||||"; var trigger = new RegExp(boom, ""); Later, the malformed expression overwrites the length of a Vector object in obj to enlarge it. With a corrupted size, the attacker can use obj to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.
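A defender-side check for the non-ASLR-module problem in item 1 above, added here as an example (not code from these notes or from FireEye): it parses the DllCharacteristics field of a PE optional header to see whether a module opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), which is how a loaded module such as MSVCR71.DLL ends up at a fixed address. The module images and the name "modern.dll" are constructed stand-ins; on a real system you would feed it the bytes of each DLL loaded into the browser process.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h values)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def pe_mitigations(image: bytes) -> dict:
    """Report the ASLR/DEP opt-in flags of a PE file or mapped module image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B) or size_of_opt < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def weak_modules(modules: dict) -> list:
    """Names of modules that load at a fixed address or without DEP."""
    return sorted(name for name, img in modules.items()
                  if not (pe_mitigations(img)["aslr"] and pe_mitigations(img)["dep"]))


def build_minimal_pe(dllchars: int) -> bytes:
    """Constructed header-only PE32 image for testing; not a real DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: an old runtime built without ASLR/DEP (as the notes
# describe for MSVCR71.DLL) and a hypothetical modern DLL that opts into both.
SAMPLE_MODULES = {
    "MSVCR71.DLL": build_minimal_pe(0x0000),
    "modern.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                   | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}
```

Running `weak_modules(SAMPLE_MODULES)` returns `['MSVCR71.DLL']`, the module an exploit could use as a fixed-address ROP source.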
PS3 Heap feng shui (風水) - heap spraying
http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
http://blog.csdn.net/magictong/article/details/7391397
Heap spraying places large amounts of slide code plus shellcode on top of the heap the program is normally using. Why the slide code (for example nop, 0x90)? Because the shellcode only works if execution starts at its first instruction, so the hit rate of a single landing point is very low; but if a large amount of slide code is placed in front of it, landing anywhere on the slide is enough!