Vulnerability in All Versions of Internet Explorer Allows Remote Code Execution - mrmaddog
https://technet.microsoft.com/en-us/library/security/2963983.aspx

======
JoeAltmaier
Is that very different from any buffer-overrun bug? Isn't this a common
problem in every browser?

The interesting bit is, it's been around for so long in this product line.

~~~
xyzzy123
Not exactly. Classic stack-based buffer overruns are _generally_ mitigated by
the /GS flag in Visual Studio and heap overruns are usually caught by heap
hardening.

There are normally a ton of memory corruption vulnerabilities in every
browser, but given modern memory protections the gaps are in "use after free"
bugs, mostly.

UAFs where an object is allocated, then freed somehow, but (ideally) through
JavaScript you can somehow get a handle to the object, or put something in
memory where that object used to be, such that a method gets called on it.
Since you control that part of memory, you can control where the method
invocation goes.

Typically browsers have additional sandboxing to make UAFs and general memory
corruption hard to exploit.

See say:
[https://technet.microsoft.com/library/security/ms13-may](https://technet.microsoft.com/library/security/ms13-may)

Search for "use after free" and see how many there were.

P.S.: the fact that EMET mitigates this means it's likely the exploit uses a
heap spray.
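The allocate / free / reuse / call sequence xyzzy123 describes, modelled as a toy in C (an added example, not code from the thread or from any browser): a constructed single-slot allocator makes memory reuse deterministic, and free-poisoning plus a quarantine stand in for the heap hardening that turns a stale virtual call into a refused (in real allocators, crashing) dispatch rather than a hijacked one. All names (`toy_alloc`, `dispatch`, `uaf_outcome`) are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy allocator with ONE reusable slot so reuse is deterministic.
   Constructed for illustration only; a real heap behaves differently. */
typedef struct { void (*method)(int *); int data; } Obj;
enum { SLOT_SIZE = sizeof(Obj) };
static unsigned char slot[SLOT_SIZE];
static int slot_in_use;
static int quarantine_free;   /* hardening: delay reuse of freed memory */

static void *toy_alloc(void) {
    if (slot_in_use) return NULL;   /* live or quarantined: no reuse */
    slot_in_use = 1;
    memset(slot, 0, SLOT_SIZE);
    return slot;
}
static void toy_free(void *p) {
    (void)p;
    memset(slot, 0xCC, SLOT_SIZE);          /* poison so stale data is obvious */
    slot_in_use = quarantine_free ? 1 : 0;  /* quarantine keeps the slot unavailable */
}

static void real_method(int *hits) { *hits += 1; }
static void other_method(int *hits) { *hits += 100; }

/* Dispatch like a virtual call; the poison check plays the role of the
   crash a poisoning debug heap would produce on a freed object. */
static int dispatch(Obj *o, int *hits) {
    uint8_t poison[sizeof o->method];
    memset(poison, 0xCC, sizeof poison);
    if (memcmp(&o->method, poison, sizeof poison) == 0) return -1; /* stale: refuse */
    o->method(hits);
    return 0;
}

/* Returns where the dangling call went: 1 = real_method,
   100 = other_method (slot was reused), -1 = refused by the poison check. */
int uaf_outcome(int quarantine) {
    int hits = 0;
    quarantine_free = quarantine; slot_in_use = 0;
    Obj *o = toy_alloc();
    o->method = real_method; o->data = 7;
    toy_free(o);                         /* o is now dangling */
    Obj *n = toy_alloc();                /* a later same-sized allocation */
    if (n) n->method = other_method;     /* new occupant's contents land under o */
    return dispatch(o, &hits) < 0 ? -1 : hits;
}
```

Without quarantine the stale dispatch reaches whatever the new occupant wrote (`uaf_outcome(0)` is 100); with poison-on-free and quarantine the slot is never handed out again and the call is refused (`uaf_outcome(1)` is -1).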

