Re: Microsoft not always eating their own /DYNAMICBASE dogfood

[Jeffrey Walton <noloader () gmail com>]

On Thu, Dec 23, 2010 at 6:20 PM, Larry Seltzer <larry () larryseltzer com> wrote:
> http://blogs.pcmag.com/securitywatch/2010/12/exploit_for_unpatched_ie_vulne.php
>
> http://blogs.pcmag.com/securitywatch/2010/12/ie_0-day_shows_microsoft_devel.php
>
> In case you hadn’t heard, there was an IE 0-day which, because a particular
> DLL was linked without /DYNAMICBASE, can bypass ASLR and DEP.
>
> MS says there’s no reason not to use EMET to rebase the DLL, so I ask why
> they didn’t make it that way to begin with. Turns out /DYNAMICBASE isn’t
> really required by the SDL. Shouldn’t it be required unless you have a damn
> good reason not to use it? Something’s wrong with this picture.
In 'Writing Secure Code for Windows Vista', Howard and LeBlanc
dedicate 4 pages to ASLR. In their "Call for Action" (page 72), they
state all software should use ASLR, Heap Defenses, NX, /GS, and
SafeSEH. I wonder what else was not followed.

Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.