Thursday, 31 March 2011


Structured Exception Handler Overwrite Protection

A timely reminder from somewhere near the middle of the new Microsoft SDL Progress Report (1.8MB pdf, including lots of lovely graphs):
Certain types of vulnerabilities can allow an attacker to make use of an exploitation technique known as a Structured Exception Handler Overwrite (SEH overwrite). This technique involves corrupting a data structure that is used when handling exceptional conditions that may occur while a program is running. The act of corrupting this data structure can enable the attacker to execute code from anywhere in memory. This technique is mitigated by SEHOP, which checks to ensure that the integrity of the data structures used for handling exceptions is intact. This new invariant makes it possible to detect the corruption that occurs when an exploit uses the SEH overwrite technique and is ultimately what makes it possible to break exploits that make use of it. SEHOP is a relatively new mitigation technology and is expected to become a requirement in future versions of the SDL.
Windows Vista SP1, 7, Server 2008 and 2008 R2 introduced support for SEHOP as a runtime feature, helping protect applications regardless of whether they were compiled using previously available mitigations such as the /SAFESEH option.
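
The integrity check described above can be sketched as a simplified C model. This is an added example, not code from the report or from Windows: before any handler is called, the chain of exception records is walked, and dispatch is refused unless the walk stays on the stack and ends at a known final record. The record layout, `final_handler`, `app_handler`, `chain_is_valid` and `demo` are hypothetical names, and the sample stack is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an x86 exception registration record. */
typedef struct Rec { struct Rec *next; void (*handler)(void); } Rec;
#define CHAIN_END ((Rec *)UINTPTR_MAX)   /* end-of-chain marker */

static void final_handler(void) {}  /* stand-in for the OS's final handler */
static void app_handler(void) {}    /* hypothetical application handler */

/* Walk the chain before dispatching. Return 1 only if every record lies on
   the stack [lo, hi), is pointer-aligned, and the walk ends at the record
   whose handler is the known final handler. */
int chain_is_valid(const Rec *head, const void *lo, const void *hi) {
    uintptr_t lo_a = (uintptr_t)lo, hi_a = (uintptr_t)hi;
    size_t max = (hi_a - lo_a) / sizeof(Rec);   /* bounds the walk: no loops */
    const Rec *r = head;
    for (size_t i = 0; i < max; i++) {
        uintptr_t p = (uintptr_t)r;
        if (p < lo_a || p > hi_a - sizeof(Rec) || p % sizeof(void *))
            return 0;                           /* rejected, never dereferenced */
        if (r->next == CHAIN_END)
            return r->handler == final_handler;
        r = r->next;
    }
    return 0;
}

enum { INTACT, NEXT_CLOBBERED, NEXT_LOOPS, FORGED_END };

/* Constructed scenario: three records on a simulated stack, with the middle
   record optionally damaged the way an overflowing buffer would damage it. */
int demo(int damage) {
    Rec stack[8] = {0};
    stack[6] = (Rec){ CHAIN_END, final_handler };
    stack[4] = (Rec){ &stack[6], app_handler };
    stack[1] = (Rec){ &stack[4], app_handler };
    if (damage == NEXT_CLOBBERED) stack[4].next = (Rec *)(uintptr_t)0x41414141u;
    if (damage == NEXT_LOOPS)     stack[4].next = &stack[1];
    if (damage == FORGED_END)     stack[4].next = CHAIN_END;
    return chain_is_valid(&stack[1], stack, stack + 8);
}

int main(void) {
    for (int d = INTACT; d <= FORGED_END; d++)
        printf("damage=%d valid=%d\n", d, demo(d));
    return 0;
}
```

Only the intact chain validates; each damaged variant is rejected before any handler pointer from the corrupted record would be used.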

By default this protection is enabled on Windows Server SKUs (Srv08/R2) and disabled on Client SKUs (Vista SP1/2, Windows 7). If you're running one of these clients, clicking on the Microsoft Fix it graphic above will enable SEHOP for all applications.

"If you cannot enable SEHOP for all applications we strongly recommend enabling SEHOP for all internet facing applications, such as your preferred browser and mail client."
- Matt Miller, MSEC Science
