The IE zero-day is a parsing bug
September 17, 2012  

Once again, a parsing bug has led to a serious and widespread security vulnerability that is actively being exploited.

This time the vulnerability affects Internet Explorer. It is often difficult to determine the root cause of a vulnerability, especially in proprietary software, but in this case the attack has been analyzed by Eric Romang and a working exploit module has been developed in Metasploit.

Here’s a key step in the exploit, according to Romang:

After decompression “Moh2010.swf” file is spraying the heap…

The Metasploit blog post points to this Metasploit update, which points to an exploit titled “Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow,” with this description:

By supplying a specially crafted .otf font file with a large nTables value in the ‘kern’ header, it is possible to trigger an integer overflow, which results in remote code execution under the context of the user.

The kern-table overflow is clearly a parsing bug: the parser trusted a count it read from the file and used it to size an allocation. (And in case you missed it, that bug is in Adobe's Flash Player, not in Internet Explorer, which has inflicted collateral damage on Microsoft. One caveat is worth stating plainly: Romang's write-up describes Moh2010.swf only as the heap-spray stage of the attack, and the IE-side flaw it sets up, CVE-2012-4969, was reported as a use-after-free in mshtml rather than a parsing error; the Flash kern-table bug is tracked separately as CVE-2012-1535. Either way, the exploit chain hitting IE users leans on a parser that did not check its input.)
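To make the "large nTables value" concrete, here is a small model of the bug class, written for this post rather than taken from Adobe's code or from the Metasploit module. It assumes the Apple-style 'kern' header (a 32-bit version followed by a 32-bit nTables, big-endian) and an 8-byte subtable header; the two sample tables are constructed inline. The vulnerable parser computes nTables * sizeof(record) in 32-bit arithmetic, so nTables = 0x20000001 wraps to an 8-byte allocation while the copy loop still believes it has room for half a billion records. To keep the demo from corrupting its own heap it counts the bytes the loop would write instead of performing the out-of-bounds stores. The hardened parser bounds the count by the bytes actually present after the header and computes the allocation in size_t with an explicit overflow check.

```c
/* kern_overflow_demo.c: constructed model of a 'kern' nTables integer overflow.
 * Not Adobe's code and not the Metasploit module; layout assumptions are noted inline. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: uint32 version, uint32 nTables (big-endian), then subtables that
 * each begin with uint32 length, uint16 coverage, uint16 tupleIndex. */
#define KERN_HDR_LEN      8u
#define SUBTABLE_HDR_LEN  8u

typedef struct { uint32_t length; uint16_t coverage; uint16_t tuple_index; } kern_subtable;

typedef struct {
    int      accepted;       /* 1 if the parser accepted the table */
    uint32_t n_tables;       /* count read from the header */
    size_t   alloc_bytes;    /* size the parser allocated for subtable records */
    size_t   bytes_written;  /* bytes the parse loop would copy into that allocation */
} kern_result;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed sample: version 1.0, nTables = 2, two minimal 8-byte subtables. */
static const uint8_t kern_benign[] = {
    0x00,0x01,0x00,0x00,  0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x08,  0x00,0x00, 0x00,0x00,
    0x00,0x00,0x00,0x08,  0x00,0x00, 0x00,0x00,
};
/* Constructed sample: nTables = 0x20000001, so 0x20000001 * 8 wraps to 8 in 32 bits. */
static const uint8_t kern_malicious[] = {
    0x00,0x01,0x00,0x00,  0x20,0x00,0x00,0x01,
    0x00,0x00,0x00,0x08,  0x00,0x00, 0x00,0x00,
    0x00,0x00,0x00,0x08,  0x00,0x00, 0x00,0x00,
    0x00,0x00,0x00,0x08,  0x00,0x00, 0x00,0x00,
};

/* Vulnerable pattern: allocation size derived from an attacker-controlled count in
 * 32-bit arithmetic, then a loop that trusts the same count. */
kern_result kern_parse_vulnerable(const uint8_t *buf, size_t len) {
    kern_result r = {0, 0, 0, 0};
    if (len < KERN_HDR_LEN) return r;
    r.n_tables = rd32(buf + 4);
    uint32_t alloc32 = r.n_tables * (uint32_t)sizeof(kern_subtable);  /* wraps mod 2^32 */
    r.alloc_bytes = alloc32;
    kern_subtable *recs = malloc(alloc32 ? alloc32 : 1);
    if (!recs) return r;
    size_t off = KERN_HDR_LEN;
    for (uint32_t i = 0; i < r.n_tables && off + SUBTABLE_HDR_LEN <= len; i++) {
        kern_subtable st = { rd32(buf + off), rd16(buf + off + 4), rd16(buf + off + 6) };
        /* The real bug stores recs[i] unconditionally; recs[i] lies past the allocation
         * as soon as i >= alloc32 / sizeof(kern_subtable). The store is gated here only
         * so the demo does not smash its own heap; the byte count shows the damage. */
        if ((size_t)(i + 1) * sizeof(kern_subtable) <= alloc32) recs[i] = st;
        r.bytes_written += sizeof(kern_subtable);
        if (st.length < SUBTABLE_HDR_LEN || st.length > len - off) break;
        off += st.length;
    }
    free(recs);
    r.accepted = 1;
    return r;
}

/* Hardened pattern: bound the count by the data actually present, compute the
 * allocation in size_t with an overflow check, and require every subtable to exist. */
kern_result kern_parse_hardened(const uint8_t *buf, size_t len) {
    kern_result r = {0, 0, 0, 0};
    if (len < KERN_HDR_LEN) return r;
    r.n_tables = rd32(buf + 4);
    size_t max_tables = (len - KERN_HDR_LEN) / SUBTABLE_HDR_LEN;
    if (r.n_tables > max_tables) return r;                         /* count exceeds input */
    if (r.n_tables > SIZE_MAX / sizeof(kern_subtable)) return r;   /* multiplication would wrap */
    r.alloc_bytes = (size_t)r.n_tables * sizeof(kern_subtable);
    kern_subtable *recs = calloc(r.n_tables ? r.n_tables : 1, sizeof *recs);
    if (!recs) return r;
    size_t off = KERN_HDR_LEN;
    uint32_t parsed = 0;
    for (uint32_t i = 0; i < r.n_tables && off + SUBTABLE_HDR_LEN <= len; i++) {
        kern_subtable st = { rd32(buf + off), rd16(buf + off + 4), rd16(buf + off + 6) };
        if (st.length < SUBTABLE_HDR_LEN || st.length > len - off) break;
        recs[i] = st;                      /* always within alloc_bytes */
        r.bytes_written += sizeof(kern_subtable);
        off += st.length;
        parsed++;
    }
    free(recs);
    if (parsed != r.n_tables) return r;    /* truncated table: reject, do not guess */
    r.accepted = 1;
    return r;
}

int main(void) {
    kern_result v = kern_parse_vulnerable(kern_malicious, sizeof kern_malicious);
    kern_result h = kern_parse_hardened(kern_malicious, sizeof kern_malicious);
    printf("vulnerable: nTables=0x%x alloc=%zu bytes, loop writes %zu bytes\n",
           v.n_tables, v.alloc_bytes, v.bytes_written);
    printf("hardened:   accepted=%d\n", h.accepted);
    return 0;
}
```

The point of the hardened version is that two independent checks are needed: the multiplication itself must not wrap, and the count must be sane relative to the bytes that follow it. Checking only the first still lets a crafted count drive an enormous allocation; checking only the second is fragile if the record size ever grows.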

It is also a very serious bug. sinn3r points out that IE is used by 41% of Internet users in the United States and 32% of Internet users worldwide. Microsoft is advising users to apply a temporary mitigation, but of course others are pointing out that it is probably easier to just switch to a competing browser. All of this is costly for Microsoft and is likely to damage their market share.

The programming language community has neglected parser research for decades now, considering it a solved problem. Parsing is not a solved problem. If it were a solved problem, we would not be seeing vulnerability after vulnerability being exploited in parsers.