Cyber Criminals Get More Sophisticated

Address Space Layout Randomization (ASLR) jumbles the memory locations of a program's important components, making it difficult for attackers to determine where those components are in order to exploit them. ASLR is the most effective means of averting a Windows security breach. However, current trends in malware show a shift toward an ASLR bypass technique. The technique exploits common programming mistakes that lead to memory corruption, which is when the contents of a memory location are inadvertently changed.

Nearly 10 percent of application crashes on Windows systems are due to memory corruption. Where such corruption exists, the malware tries to work out where the crashing application's library sits in memory by locating the pointer to that library. Reading that pointer tells the malware where the library is.

Trend Micro has found that attackers can corrupt a JavaScript Array Object so that address data held in memory is exposed. Using that information, the pointer can be located, which leads to the address in memory where the library is loaded. With this information any application can be compromised. This technique will work with any Microsoft application, such as Internet Explorer and Microsoft Office, as well as most other applications.
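The following added example (not from the original post or from Trend Micro) models why one disclosed pointer is enough to undo the randomization, and how a bounds check that does not rely on the corrupted length field refuses the read. The heap layout, the offset `RVA_VTABLE`, the base addresses and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not real browser internals. One heap block, as words:
   [0] array length, [1..4] elements, [5] first field of the next object,
   a pointer into a library (load base + fixed offset). */
#define LEN        0u
#define ELEM0      1u
#define CAPACITY   4u
#define HEAP_WORDS 6u
#define RVA_VTABLE 0x4A2C0u   /* hypothetical offset, fixed when the library is built */

void heap_init(uint64_t *heap, uint64_t lib_base) {
    heap[LEN] = CAPACITY;
    for (uint64_t i = 0; i < CAPACITY; i++) heap[ELEM0 + i] = 0x1000 + i;
    heap[ELEM0 + CAPACITY] = lib_base + RVA_VTABLE;
}

/* Trusting read: the only real bound is the length field stored in the heap.
   The second test just keeps this model inside its own buffer. */
int read_trusting(const uint64_t *heap, uint64_t idx, uint64_t *out) {
    if (idx >= heap[LEN] || idx >= HEAP_WORDS - ELEM0) return -1;
    *out = heap[ELEM0 + idx];
    return 0;
}

/* Hardened read: also bound by the capacity fixed at allocation, which
   this model assumes the corruption cannot reach. */
int read_hardened(const uint64_t *heap, uint64_t idx, uint64_t *out) {
    if (idx >= heap[LEN] || idx >= CAPACITY) return -1;
    *out = heap[ELEM0 + idx];
    return 0;
}

/* Library base an observer can derive after the length field has been
   overwritten with new_len; 0 means the read was refused. */
uint64_t disclosed_base(uint64_t lib_base, uint64_t new_len, int hardened) {
    uint64_t heap[HEAP_WORDS], value;
    heap_init(heap, lib_base);
    heap[LEN] = new_len;                       /* effect of the corruption bug */
    int rc = hardened ? read_hardened(heap, CAPACITY, &value)
                      : read_trusting(heap, CAPACITY, &value);
    return rc == 0 ? value - RVA_VTABLE : 0;
}

int main(void) {
    uint64_t bases[] = { 0x7ff812340000u, 0x7ff98abc0000u };  /* two constructed ASLR loads */
    for (int i = 0; i < 2; i++)
        printf("base %#llx: intact=%#llx corrupted=%#llx hardened=%#llx\n",
               (unsigned long long)bases[i],
               (unsigned long long)disclosed_base(bases[i], CAPACITY, 0),
               (unsigned long long)disclosed_base(bases[i], 0x1000, 0),
               (unsigned long long)disclosed_base(bases[i], 0x1000, 1));
    return 0;
}
```

Because offsets inside a library do not change between loads, the subtraction recovers the base whatever value ASLR picked, which is why read-only memory disclosure bugs deserve the same triage priority as write primitives.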

Due to the sophistication of this type of attack, the most likely users of this method are state-sponsored attackers and those who are paid handsomely to steal sensitive documents from large organizations, defense contractors and government agencies.
