"JIT spraying" might not mean anything to you, but to hackers, it's a dangerous new exploit tool in their ever-increasing arsenal of methods.
At the Black Hat Security Conference here, researchers Sung-ting Tsai and Ming-chieh Pan demonstrated the new hacking technique of just-in-time (JIT) spraying. A JIT spraying attack fills an application's memory with large amounts of exploit code, effectively overwhelming the application's address space randomization (ASR) and data execution prevention (DEP) protections.
After being JIT sprayed, these infected applications — Tsai and Pan chose Adobe Flash as an example of a program that can be exploited — are then attached to emails to launch successful spear-phishing attacks.
Spear-phishing attacks are executed when a criminal sends a legitimate-looking email with an attached document — often a file created with Flash, Microsoft Word or Microsoft Windows Media Player — that contains malicious code which launches on the target's computer.
"These kinds of silent threats are attacking the whole world, especially governments and large enterprises," Tsai, a staff research engineer with Trend Micro, told the audience in his presentation, "Weapons of Targeted Attack: Modern Document Exploit Techniques."
To prove just how vulnerable typical programs are to JIT spraying, Tsai and Pan, a senior vulnerability researcher with Net-Hack Inc., took the audience through several proof-of-concept hacks.
In one, Tsai used a JIT spraying attack to create a rogue version of Flash 10.3.181.34, which evaded detection by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a program specifically designed to protect users from such strikes.
Tsai and Pan also JIT sprayed Flash to create a malicious file capable of bypassing a system's sandbox, a security feature designed to isolate corrupt files and prevent them from spreading.
Of the constant push and pull between security vendors and the hackers that keep them in business, Tsai explained that as long as high-tech attacks like JIT spraying work, preventing hackers from launching such attacks will "always be a cat-and-mouse game."
"We believe attackers are working hard on these topics," Tsai added. "We wish security vendors could address these problems to come out with solutions ahead of the attackers."