Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Prevent Setting of non-image UEF

One approach that could be used to solve this issue for the general case is to modify kernel32!SetUnhandledExceptionFilter so that it verifies that the function pointer being passed in falls within an image region, that is, memory backed by a mapped executable or DLL. Performing this check at the time the filter is registered would mitigate the attack vector described in this document. However, a check of this kind may have negative implications for backward compatibility. There are likely to be cases where an application legitimately, and without any malicious intent, registers an unhandled exception filter that does not point into an image region. Were such a check added, a once-working application would begin to fail because of the new security check, and this is not an unlikely scenario: the fact that an unhandled exception filter is invalid does not mean that it will eventually cause the application to crash, because the filter may, in fact, never be executed.
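The following is an added example, not code from the original article, showing how a registration-time check of this kind could be implemented in a wrapper around SetUnhandledExceptionFilter. The wrapper name SafeSetUnhandledExceptionFilter, the region_t table, and the sample memory map are this example's own; on Windows the region classification comes from VirtualQuery's MEMORY_BASIC_INFORMATION.Type field (MEM_IMAGE for mapped executables), and the portable portion exercises the same decision logic against a constructed map so it can be run anywhere.

```c
/*
 * Added example (not from the Uninformed article): reject unhandled
 * exception filter pointers that do not point into a mapped image
 * (MEM_IMAGE) region.  region_t, the sample map and the wrapper name
 * SafeSetUnhandledExceptionFilter are this example's own inventions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One mapped region, as VirtualQuery would report it: [base, base+size). */
typedef struct {
    uintptr_t base;
    size_t    size;
    int       is_image;   /* nonzero if MEMORY_BASIC_INFORMATION.Type == MEM_IMAGE */
} region_t;

/* Core policy: is addr inside a region that is backed by an image? */
int addr_in_image_region(uintptr_t addr, const region_t *regions, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++) {
        const region_t *r = &regions[i];
        /* Skip empty regions and anything whose end would wrap around. */
        if (r->size == 0 || r->base > UINTPTR_MAX - r->size)
            continue;
        if (addr >= r->base && addr < r->base + r->size)
            return r->is_image;
    }
    return 0;   /* unmapped address: never acceptable as a filter */
}

#ifdef _WIN32
#include <windows.h>

/* Classify the live region containing filter via VirtualQuery. */
static int filter_is_image_backed(LPTOP_LEVEL_EXCEPTION_FILTER filter)
{
    MEMORY_BASIC_INFORMATION mbi;
    region_t r;
    if (VirtualQuery((LPCVOID)filter, &mbi, sizeof(mbi)) != sizeof(mbi))
        return 0;
    r.base     = (uintptr_t)mbi.BaseAddress;
    r.size     = mbi.RegionSize;
    r.is_image = (mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE);
    return addr_in_image_region((uintptr_t)filter, &r, 1);
}

/*
 * Hardened wrapper: NULL (which resets the filter) is always allowed;
 * any other pointer must be image-backed.  On rejection the wrapper
 * returns NULL and sets ERROR_INVALID_PARAMETER; since NULL is also a
 * legitimate "previous filter" value, callers that care must check
 * GetLastError() to tell the two cases apart.
 */
LPTOP_LEVEL_EXCEPTION_FILTER
SafeSetUnhandledExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER filter)
{
    if (filter != NULL && !filter_is_image_backed(filter)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    return SetUnhandledExceptionFilter(filter);
}
#endif

/* Constructed sample map (not a real process): one image mapping
 * followed immediately by a private (heap) allocation. */
static const region_t sample_map[] = {
    { 0x00400000u, 0x00010000u, 1 },   /* image, e.g. the main executable */
    { 0x00410000u, 0x00010000u, 0 },   /* non-image, e.g. heap */
};
#define SAMPLE_MAP_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

/* Policy decision for a candidate filter address against sample_map. */
int sample_policy_allows(uintptr_t candidate)
{
    if (candidate == 0)   /* NULL resets the filter; always permitted */
        return 1;
    return addr_in_image_region(candidate, sample_map, SAMPLE_MAP_LEN);
}

int main(void)
{
    uintptr_t probes[] = { 0x00401234u, 0x00411234u, 0x00500000u, 0 };
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("filter %#lx: %s\n", (unsigned long)probes[i],
               sample_policy_allows(probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

The wrapper only constrains callers that go through it; the article's point is that, to cover the general case, the check would have to live in kernel32 itself, and that doing so risks breaking applications whose filters legitimately sit outside any image, for example in code generated at run time.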