Internet Explorer is possibly the most popular target for vulnerabilities around today. In 2014 alone, a total of 243 memory corruption vulnerabilities in Internet Explorer were disclosed and patched.
Every Microsoft Patch Tuesday cycle contains one bulletin that covers multiple IE vulnerabilities – the monthly “Cumulative Security Update for Internet Explorer”, as it is called by Microsoft. There have been many zero-day attacks that specifically targeted vulnerabilities in Internet Explorer, such as:
As a result, the reputation of Internet Explorer is a bit tarnished. Its reputation for lack of security has become an obstacle to its development. For Windows 10, Microsoft decided to release a “new” browser (Microsoft Edge), with improved security as an important feature.
Security Improvements in Microsoft Edge
Edge is not entirely all-new. Its HTML rendering engine is a forked version of Trident (the engine found in Internet Explorer), which is now called Microsoft Edge HTML. However, much of the underlying code has been modified to remove IE-specific technologies that will not be a part of Edge. In addition, several new features have been introduced to the browser as well.
MemGC uses mark-and-sweep garbage collection to help defeat use-after-free (UAF) exploits. Edge uses MemGC to manage the memory of DOM objects and their supporting objects.
In the past two years, UAF vulnerabilities have been a significant problem for Internet Explorer. Each Patch Tuesday cumulative update contains various fixes for UAF vulnerabilities. To help remedy the situation, in the summer of 2014 Microsoft added two mitigation techniques to IE: one is called the Isolated Heap, which manages most DOM objects and their supporting objects. The second is MemoryProtection.
The Isolated Heap makes it harder for attackers to refill a freed object's memory with controlled data. MemoryProtection can prevent UAF exploits in cases where a pointer to the freed object remains on the stack. In other situations, MemoryProtection can make UAF exploits more difficult.
Figure 1. MemoryProtection flow chart
These two mitigations increased the difficulty of UAF exploits, but there are still many ways to bypass these, especially in cases where the pointer to the free block didn’t remain on the stack.
Figure 2. UAF exploit steps
UAF exploits typically follow these steps:
- Object A’s heap block is allocated.
- Object A is freed.
- Attacker fills the heap block with their own data.
- Object B references Object A. This means the attacker can access object A with attacker controlled data.
MemGC is designed to mitigate these attacks. When a heap block is freed, MemGC first attempts to detect whether an existing object still references it. If so, the heap block is not freed. This helps prevent UAF vulnerability exploits from being successful.
Figure 3. How MemGC prevents UAF exploits
Memory corruption is a common class of vulnerabilities which deserves special attention. The Microsoft Edge HTML rendering engine found in the file edgehtml.dll introduced a new class called Abandonment.
Abandonment detects abnormal conditions and raises a FAIL_FAST_EXCEPTION when one is found. This prevents the error from propagating further, stopping any potential exploit.
Figure 4. Abandonment class
The Abandonment class can detect and deal with the following abnormalities:
- Double Free
- Out Of Memory
- Invalid Pointer
- Invalid Arguments
- Unreachable Code
- Not Yet Implemented Function
- Excepted return value
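To make the two mechanisms above concrete, here is a small added example in C (it is not EdgeHTML code and does not reflect how Microsoft implements MemGC or Abandonment). It models a toy managed heap that, like MemGC, refuses to release a block while a registered root still points into it and sweeps it later, and that, like Abandonment, records a fail-fast reason on double free, invalid pointer or out-of-memory conditions instead of letting the error propagate. All names (`gc_alloc`, `gc_free`, `gc_collect`, `gc_demo`, the `abandon_reason` enum) are this example's own inventions; roots are registered explicitly rather than discovered by scanning memory.

```c
/* Toy model of two mitigations described in the text: a MemGC-style
 * "do not free while still referenced" check with deferred sweep, and an
 * Abandonment-style fail-fast on heap misuse. Added example, not EdgeHTML code. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define MAX_BLOCKS 16
#define MAX_ROOTS  16

enum abandon_reason {
    ABANDON_NONE = 0,
    ABANDON_DOUBLE_FREE,
    ABANDON_INVALID_POINTER,
    ABANDON_OUT_OF_MEMORY
};

/* In a real fail-fast the process would terminate immediately; here the reason is
 * recorded so callers can inspect it, and termination is opt-in via g_abort_on_abandon. */
static enum abandon_reason g_last_abandon = ABANDON_NONE;
static int g_abort_on_abandon = 0;

static void abandon(enum abandon_reason r) {
    g_last_abandon = r;
    if (g_abort_on_abandon) abort();
}

enum abandon_reason gc_last_abandon(void) { return g_last_abandon; }

struct block { void *mem; size_t size; int freed; int pending; };
static struct block g_blocks[MAX_BLOCKS];
static int g_nblocks;

/* Roots: addresses of pointer variables the collector treats as live references. */
static void **g_roots[MAX_ROOTS];
static int g_nroots;

void gc_register_root(void **slot) { if (g_nroots < MAX_ROOTS) g_roots[g_nroots++] = slot; }
void gc_unregister_root(void **slot) {
    for (int i = 0; i < g_nroots; i++)
        if (g_roots[i] == slot) { g_roots[i] = g_roots[--g_nroots]; return; }
}

void *gc_alloc(size_t n) {
    if (g_nblocks >= MAX_BLOCKS) { abandon(ABANDON_OUT_OF_MEMORY); return NULL; }
    void *p = calloc(1, n);
    if (!p) { abandon(ABANDON_OUT_OF_MEMORY); return NULL; }
    g_blocks[g_nblocks++] = (struct block){ p, n, 0, 0 };
    return p;
}

static struct block *find_block(void *p) {
    for (int i = 0; i < g_nblocks; i++) if (g_blocks[i].mem == p) return &g_blocks[i];
    return NULL;
}

/* Does any registered root still point into this block? (address compare only) */
static int is_referenced(const struct block *b) {
    uintptr_t lo = (uintptr_t)b->mem, hi = lo + b->size;
    for (int i = 0; i < g_nroots; i++) {
        uintptr_t v = (uintptr_t)*g_roots[i];
        if (v >= lo && v < hi) return 1;
    }
    return 0;
}

/* Returns 1 if released, 0 if deferred because still referenced, -1 on abandonment. */
int gc_free(void *p) {
    struct block *b = find_block(p);
    if (!b) { abandon(ABANDON_INVALID_POINTER); return -1; }
    if (b->freed) { abandon(ABANDON_DOUBLE_FREE); return -1; }
    if (is_referenced(b)) { b->pending = 1; return 0; }  /* MemGC: keep the block alive */
    b->freed = 1; free(b->mem);                           /* b->mem kept for identity only */
    return 1;
}

/* Sweep: release deferred blocks that no root references any more. */
int gc_collect(void) {
    int released = 0;
    for (int i = 0; i < g_nblocks; i++) {
        struct block *b = &g_blocks[i];
        if (b->pending && !b->freed && !is_referenced(b)) {
            b->freed = 1; b->pending = 0; free(b->mem); released++;
        }
    }
    return released;
}

/* Walks the four-step UAF scenario from the text; returns how many mitigation
 * checks behaved as expected (4 when all hold). */
int gc_demo(void) {
    int ok = 0;
    void *a = NULL;                        /* "Object A" pointer, a live root */
    gc_register_root(&a);
    a = gc_alloc(32);
    if (gc_free(a) == 0) ok++;             /* still referenced: free deferred, nothing dangles */
    void *stale = a;
    a = NULL;                              /* last reference dropped */
    if (gc_collect() == 1) ok++;           /* only now is the block actually released */
    if (gc_free(stale) == -1 && g_last_abandon == ABANDON_DOUBLE_FREE) ok++;
    int local = 0;
    if (gc_free(&local) == -1 && g_last_abandon == ABANDON_INVALID_POINTER) ok++;
    gc_unregister_root(&a);                /* do not leave a stack slot registered */
    return ok;
}

int main(void) {
    printf("mitigation checks passed: %d/4\n", gc_demo());
    return 0;
}
```

The interesting difference from a plain allocator is in `gc_free`: the attacker's step 3 (refilling the block) never gets a chance while step 4's reference is still alive, because the block is only marked pending and released by a later `gc_collect`. The fail-fast paths show why Abandonment stops an exploit rather than just a bug: a double free or a free of a foreign address is turned into an immediate, recorded failure instead of corrupting allocator state that later code would trust.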
Default EPM (Enhanced Protected Mode) Sandbox and 64-bit usage
Windows Vista first introduced mandatory integrity control to Windows. Internet Explorer 7 on Vista was the first to provide a sandbox for the browser called Protected Mode. The PM sandbox provided a limited degree of protection.
Windows 8 introduced app containers, and IE 10 on Windows 8 provided a sandbox based on this technology called Enhanced Protected Mode (EPM).
However, there was a problem. IE plugins would need to be re-written to support EPM, as these didn’t support app containers. To retain compatibility, the EPM sandbox was disabled by default. For similar reasons, the IE rendering process ran in 32-bit mode in 64-bit systems, even if the broker process was in 64-bit mode.
As a new browser, Edge does not have the backward compatibility concerns that hamstrung IE. By default, the EPM sandbox is now enabled. In addition, the rendering process now uses 64-bit mode on supported systems.
Removal of legacy features
As mentioned earlier, Edge removed several features that Microsoft felt were no longer required in a modern browser. Among these were the previous ways to extend IE, such as Browser Helper Objects (BHOs) and toolbars, both of which have been used to attack IE in the past. Neither is supported in Edge; Microsoft has indicated that Edge will use an extensions model similar to Google Chrome and Mozilla Firefox. However, this will not be introduced until later this year.
Support for several scripting languages has also been deprecated. ActiveX is a way to run native binaries via the browser which was introduced almost two decades ago with IE 3. Historically, plug-ins (such as Flash and Java) in IE have needed ActiveX to run on Internet Explorer.
VBScript is an alternative scripting language which was never supported by other browsers; IE’s VBScript support has been the source of vulnerabilities such as CVE-2014-6332. VML (Vector Markup Language) is a markup language used to display vector graphics; HTML5 can now be used to do this as well. Another vulnerability (CVE-2013-2551) was found in the code that supported this language as well.
Edge will no longer include support for any of these languages, which Microsoft considers legacy technologies. This reduces the possible ways that Edge can be subject to various attacks. One key consequence of the elimination of ActiveX is that Java support has been completely removed for the time being, removing one potential threat vector.
Another feature that has been dropped from Edge as legacy technology is the X-UA-Compatible header. This was a mode that allows developers to specify a legacy document mode that Windows Internet Explorer should use to display a webpage. However, this has been the source of multiple vulnerabilities, such as:
All of these removed features have a similar goal: reduce the potential attack surface by removing features (and the corresponding code) that are no longer necessary in today's usage environment.
To summarize, Microsoft has made significant under-the-hood changes and improvements to Edge compared to Internet Explorer. This will improve the security of what is still the default browser for Windows, and accordingly is used by many users. However, some of the changes introduced in Edge will also introduce new potential attack vectors – which we will document in a succeeding post.
Updated July 22, 2015 3:05 AM PM UTC-7 to clarify some technical information about the Abandonment class.