Maintaining backward compatibility in software products ishard. Technology evolves on a daily basis, and while it feels "right" to goahead and ditch the old technology in favor of the new, it sometimes mightcause issues, especially when a software platform which millions of developers developfor is in question. However, it turns out that the desire of software vendorsto keep backward compatibly is abused by malware authors.
Let's have a look at a piece of malware recently spotted inthe wild:
Most of you will find it familiar, since it is the latest MSXML Core Services vulnerability (CVE-2012-1889) along with the notoriousheaplib which became popular once more thanks to this vulnerability. But wait,something is weird about this snippet from heaplib… look at the if-elsestatement at the beginning of the screenshot – it was modified from theoriginal version and now has those semicolons. So why did the malware authorsput them there?
Let's have a look at a simpler case:
So why did the malware author modify heaplib like this? Itshould be quite clear now that:
- It can be used as anevasion technique and avoid running unnecessary heap spraying on browsers thataren't relevant to this specific CVE.
Great, so we know what the problem is, and what it is goodfor, but what about a solution?
We learn 2 things from this event:
- Straying too far away fromstandards and supporting all sorts of quirks not only can, but will, turn into asecurity risk.
- Malware authors continuewith their efforts to not only discover new vulnerabilities, but also to find interestingways to evade security engines.
Unfortunately, it is not possible to force IE to use thestandards mode for internet sites, so our best advice for IE users would be tokeep the system up-to-date with the latest security updates at all times.