
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


However, remember the IFRAME buffer overrun discussed earlier and our friend Skylined,
who wrote JavaScript to exploit that vulnerability for arbitrary code execution?
We'll go into detail about how his InternetExploiter framework works later in the chapter,
but the short story is that it uses JavaScript to allocate a large number of heap blocks,
fills each one with a NOP sled followed by shellcode, and then releases the blocks back
to the heap manager for reuse. By default, the Windows heap manager does not zero out
memory between uses. It could, but that would incur a performance hit. The function a
component calls to request a heap allocation can pass a flag asking for zero-initialized
memory (HEAP_ZERO_MEMORY, in the case of HeapAlloc), but that is not the default; if the
component does not specifically request zeroed memory, it doesn't get it. So when attackers
write the HTML page and can include things like Skylined's InternetExploiter JavaScript,
they control the contents of uninitialized heap memory whenever the victim loads that page
with Active Scripting enabled. Let's see how that factors into a security vulnerability by
examining the first exploitable COM object, the one that started a stream of vulnerable
COM objects in summer 2005.
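The following C program is an added example, not code from the book or from Skylined's InternetExploiter. It reproduces the mechanism just described on an ordinary C heap: fill a batch of blocks with a NOP sled and a payload marker, free them, and then see what a later allocation of the same size receives when it does and does not ask for zero-initialized memory. The block size, block count and the marker bytes are assumptions chosen for the demonstration (the marker is a constructed stand-in, not real shellcode), and malloc/calloc stand in for HeapAlloc with and without HEAP_ZERO_MEMORY. How many sprayed bytes survive in the non-zeroed case depends on the allocator; glibc, for instance, overwrites the first few words of a freed small chunk with free-list metadata, so the count is printed rather than fixed.

```c
/* Added example (not from the book or InternetExploiter): attacker-controlled
 * contents surviving in uninitialized heap memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE   256   /* size of each sprayed block: assumption */
#define SPRAY_COUNT  64    /* number of blocks sprayed: assumption */

/* Constructed stand-in for shellcode: a recognizable marker, not real code. */
static const unsigned char MARKER[] = { 0xCC, 0xCC, 0xDE, 0xAD, 0xBE, 0xEF, 0xCC, 0xCC };
#define MARKER_LEN  ((int)sizeof MARKER)
#define SLED_LEN    (BLOCK_SIZE - MARKER_LEN)

/* Lay out one block the way a spray block is laid out: a 0x90 NOP sled
 * followed by the payload at the end of the block. */
void fill_spray_block(unsigned char *blk)
{
    memset(blk, 0x90, SLED_LEN);
    memcpy(blk + SLED_LEN, MARKER, MARKER_LEN);
}

/* Count how many bytes of blk still hold exactly what the spray wrote there. */
int bytes_matching_spray(const unsigned char *blk)
{
    int n = 0;
    for (int i = 0; i < SLED_LEN; i++)
        n += (blk[i] == 0x90);
    for (int i = 0; i < MARKER_LEN; i++)
        n += (blk[SLED_LEN + i] == MARKER[i]);
    return n;
}

/* Self-check of the layout: a freshly filled block matches in every byte. */
int spray_block_is_well_formed(void)
{
    unsigned char blk[BLOCK_SIZE];
    fill_spray_block(blk);
    return bytes_matching_spray(blk) == BLOCK_SIZE
        && blk[0] == 0x90
        && blk[BLOCK_SIZE - 1] == MARKER[MARKER_LEN - 1];
}

/* The JavaScript spray's allocate / fill / release sequence: SPRAY_COUNT
 * blocks are filled and then handed back to the heap manager for reuse. */
void spray_and_release(void)
{
    unsigned char *blocks[SPRAY_COUNT];
    for (int i = 0; i < SPRAY_COUNT; i++) {
        blocks[i] = malloc(BLOCK_SIZE);
        if (!blocks[i]) abort();
        fill_spray_block(blocks[i]);
    }
    for (int i = 0; i < SPRAY_COUNT; i++)
        free(blocks[i]);
}

/* The component's allocation that follows the spray. zero_requested plays
 * the role of HEAP_ZERO_MEMORY: calloc clears the block, malloc returns
 * whatever the previous user of that memory left behind. The caller frees
 * *out; the return value is how many bytes still match the spray. */
int component_allocation(int zero_requested, unsigned char **out)
{
    unsigned char *blk = zero_requested ? calloc(1, BLOCK_SIZE)
                                        : malloc(BLOCK_SIZE);
    if (!blk) abort();
    *out = blk;
    return bytes_matching_spray(blk);
}

/* Spray, release, then allocate once more and report surviving spray bytes. */
int run_demo(int zero_requested)
{
    unsigned char *blk;
    spray_and_release();
    int survived = component_allocation(zero_requested, &blk);
    free(blk);
    return survived;
}

int main(void)
{
    printf("allocation without zeroing: %d/%d bytes still attacker-controlled\n",
           run_demo(0), BLOCK_SIZE);
    printf("allocation with zeroing:    %d/%d bytes still attacker-controlled\n",
           run_demo(1), BLOCK_SIZE);
    return 0;
}
```

On a glibc system the first line typically reports all but the first 16 bytes surviving (the bytes the free-list metadata overwrote), and the second line always reports zero: requesting zeroed memory is what removes the attacker's control, which is exactly the option the vulnerable components did not use.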

