Web browsers are among the most important applications in our business lives, yet they are also among the most exposed to attack. Simply loading a malicious web page can suffice to compromise the user’s endpoint, leading to malware installation, data theft, and penetration of corporate networks. Unfortunately, the browser’s ever-growing feature set keeps enlarging its attack surface, so attackers can expect a steady supply of new vulnerabilities to exploit.
A critical ingredient in today’s browser exploits is active content. In the modern web, active content comes in two predominant forms: Flash and JavaScript. Regardless of form, active content executes in the context of the user’s browser and gives the attacker significant control over, and visibility into, the browser’s internals and the vulnerabilities they harbor. For instance, active content lets the attacker learn memory addresses (address space disclosure), fill the heap with many copies of a payload so that a guessed address lands in attacker-controlled data (heap spray), and coax the JIT compiler into emitting attacker-chosen instruction bytes into executable memory (JIT spray). All three are key techniques in crafting a successful exploit.
Modern endpoints have built-in defenses against simple browser exploits, but active content execution enables determined adversaries to bypass these defenses with sophisticated, multi-stage attacks. In particular, two pervasive defenses, Data Execution Prevention (DEP/NX) and Address Space Layout Randomization (ASLR), thwart simple code injection and Return-Oriented Programming (ROP) exploits, respectively: DEP prevents injected data from being executed, and ASLR hides the addresses of the existing code that a ROP chain would reuse. However, with the aid of active content, an exploit can bypass both. Typically it first triggers a secondary vulnerability, an information leak that reveals the address of native code; because a loaded module is relocated as a unit, a single leaked pointer into it fixes the location of every gadget the module contains. The exploit can then chain ROP sequences drawn from that code, which carry out the attacker’s bidding without ever executing injected bytes, so DEP is not violated either.
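To make the leak-then-rebase step concrete, the following is an added C example written for this edit; it is not code from the paper. It models a module whose gadgets sit at fixed offsets (RVAs) inside an image that ASLR maps at a random base. The module layout, the gadget offsets, the preferred base, the shellcode address and the "mprotect" gadget are all invented for the demonstration, and the ROP chain is emulated by a small interpreter rather than executed on a real CPU. A chain hard-coded for the preferred base fails once the module is slid; a chain rebased from one leaked code pointer reaches the mprotect call with the right arguments.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fictional module layout (assumed values for the demonstration). The attacker
 * knows these offsets from the on-disk image; ASLR hides only the load base. */
#define PREFERRED_BASE   0x7f0000000000ULL  /* base the attacker would guess without a leak */
#define MODULE_SIZE      0x100000ULL
#define RVA_LEAKED_FUNC  0x17c60ULL         /* function whose address the info leak reveals */
#define SHELLCODE_ADDR   0x13370000ULL      /* attacker data already in memory, non-executable */
#define PROT_RWX         7

enum gadget { G_POP_RDI, G_POP_RSI, G_POP_RDX, G_MPROTECT, G_COUNT };
static const uint64_t GADGET_RVA[G_COUNT] = {
    0x21a3fULL, /* pop rdi ; ret */
    0x34c11ULL, /* pop rsi ; ret */
    0x4e9d2ULL, /* pop rdx ; ret */
    0xa7000ULL  /* mprotect-like entry: makes the target region executable */
};
#define CHAIN_LEN 7

typedef struct { uint64_t rdi, rsi, rdx; int rwx_granted; } cpu_t;

/* One leaked code pointer yields the load base, because the module is slid as a unit. */
uint64_t base_from_leak(uint64_t leaked_ptr) { return leaked_ptr - RVA_LEAKED_FUNC; }

/* Chain: pop rdi=addr ; pop rsi=len ; pop rdx=prot ; mprotect. Only existing code
 * is reused, so DEP is never violated. */
void build_chain(uint64_t base, uint64_t chain[CHAIN_LEN]) {
    chain[0] = base + GADGET_RVA[G_POP_RDI]; chain[1] = SHELLCODE_ADDR;
    chain[2] = base + GADGET_RVA[G_POP_RSI]; chain[3] = 0x1000;
    chain[4] = base + GADGET_RVA[G_POP_RDX]; chain[5] = PROT_RWX;
    chain[6] = base + GADGET_RVA[G_MPROTECT];
}

/* Emulate the chain against a module really mapped at real_base. Returns 1 if control
 * reaches mprotect with the intended arguments, 0 if any return address misses a
 * gadget (modelled as a crash; a real CPU would execute whatever bytes are there). */
int run_chain(uint64_t real_base, const uint64_t chain[CHAIN_LEN], cpu_t *cpu) {
    cpu_t local;
    if (!cpu) cpu = &local;
    memset(cpu, 0, sizeof *cpu);
    size_t sp = 0;
    while (sp < CHAIN_LEN) {
        uint64_t ret = chain[sp++];
        if (ret < real_base || ret >= real_base + MODULE_SIZE) return 0; /* unmapped address */
        uint64_t rva = ret - real_base;
        int g = 0;
        while (g < G_COUNT && GADGET_RVA[g] != rva) g++;
        if (g == G_COUNT) return 0;                        /* not a gadget boundary */
        if (g == G_MPROTECT) {
            cpu->rwx_granted = (cpu->rdi == SHELLCODE_ADDR && cpu->rsi == 0x1000 &&
                                cpu->rdx == PROT_RWX);
            return cpu->rwx_granted;
        }
        if (sp >= CHAIN_LEN) return 0;                     /* pop from an exhausted chain */
        uint64_t v = chain[sp++];
        if (g == G_POP_RDI) cpu->rdi = v; else if (g == G_POP_RSI) cpu->rsi = v; else cpu->rdx = v;
    }
    return 0; /* ran off the end without reaching mprotect */
}

/* End-to-end attempt. leaked_ptr == 0 means no leak: the chain targets PREFERRED_BASE. */
int attempt(uint64_t real_base, uint64_t leaked_ptr, cpu_t *cpu) {
    uint64_t chain[CHAIN_LEN];
    build_chain(leaked_ptr ? base_from_leak(leaked_ptr) : PREFERRED_BASE, chain);
    return run_chain(real_base, chain, cpu);
}

int main(void) {
    srand((unsigned)time(NULL));
    /* ASLR: slide the module by a random, non-zero number of pages. */
    uint64_t real_base = PREFERRED_BASE + ((uint64_t)(1 + rand() % 0xffff) << 12);
    printf("module mapped at 0x%llx\n", (unsigned long long)real_base);
    printf("chain built for the preferred base: %s\n",
           attempt(real_base, 0, NULL) ? "reached mprotect" : "crashed");
    /* The secondary bug leaks one code pointer; rebase and retry. */
    uint64_t leaked = real_base + RVA_LEAKED_FUNC;
    printf("chain rebased from leaked pointer 0x%llx: %s\n", (unsigned long long)leaked,
           attempt(real_base, leaked, NULL) ? "reached mprotect" : "crashed");
    return 0;
}
```

The point the model isolates is that ASLR only withholds one number per module, the load base, while the attacker already knows every gadget's offset from the image on disk; disclosing any single code pointer into the module hands over that number. The model is deliberately simpler than reality in one respect: a return into non-gadget bytes is treated as a crash, whereas a real CPU would decode and run whatever happens to sit there, which is exactly why address-space disclosure, rather than blind guessing, is the step exploits rely on.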