Researchers Bypass IE Protected Mode

Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."

Dupe.

Seen it before.

Well color me surprised

[StuartHankins]

It's Windows and it's IE. They have had a long time to create a reputation for security issues. This comes as just another fail behind a long long long string of fails. Face it, it's time to throw the code out and start fresh.

Re:Well color me surprised

[interval1066]

I guess this justifies the howls of laughter my friends and I gave after reading another post on /. earlier in the week wherein a poster described his process for using ie in a sandbox environment that included "IE Protected Mode" that he believed protected him from virii and fishers. One of my mates even said some one would find a new flaw that would render his setup useless. Damned if that guy wasn't right.

Re:Well color me surprised

[icebike]

The surprising part is that Verizon employees found this. They can't find my cell phone half the time, but they got time to find Microsoft bugs?

Re:Well color me surprised

[hedwards]

The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer. From what I gather it's chaining together multiple vulnerabilities to gain control. First bypassing the potected mode then gaining administrative control over the computer.

Assuming I'm reading things correctly that's to be expected. The real news is that MS' approach of letting security fixes ripen before release has caused what was bad to be far worse. Of course by real news I mean something that's known to everybody except MS.

Re:Well color me surprised

You mean like the howls of laughter over the fact that Firefox routinely gets hacked the fastest out of all browsers in the pwn2own contests?

Re:Well color me surprised

[vistapwns]

Probably my post. Anyway, you can (and I have for a while) just enable Protected Mode in the intranet and trusted zones to defeat this 'bypass'. Even without that, the malware has to bypass ASLR, DEP, SEHOP, GS, and possibly several other things. But even so, what's your point? These are the same protections unix OSes have. If Windows is insecure while using them, then so is unix. (and supposively Windows ASLR, for instance, is a lot more secure than Mac OS X's.)

Re:Well color me surprised

If Windows is insecure while using them, then so is unix.

Not automatically so. It is quite likely that since *nix and Windows are so different, security mechanisms that are critical on one platform are not necessarily as important to be implemented on the other. Particularly since up until very recently, it was almost always assumed that every user on a Windows computer had Administrator privileges and many programs currently in use still make that assumption and won't work otherwise. Of course in an environment, you are going to need everything security bell and whistle you can get and you still will have people breaking through it. That just isn't the case on *nix.

Re:Well color me surprised

[tenex]

This thread might be a bit off topic, but my guess is that the Verizon employees reckon that finding a Microsoft bug is far easier than locating your cell phone transmission even when its being directed straight into one of their towers.

Re:Well color me surprised

[vistapwns]

Total nonsense, you are going to need every security bell and whistle in unix and people are going to be trying to break through it on unix as well. And the security will not be exactly the same, but it's more or less equivalent on both unix and Windows. Saying things like DEP provides more protection on unix than Windows is hogwash, in some specific circumstances they will be different but unless there's some evidence to show otherwise, it's probably insignficant and could go either way (more secure in Windows or more secure in Unix, for instance.)

Re:Well color me surprised

[interval1066]

I think I should have been modded up just for the sheer number of tangential replies I've received.

Re:Well color me surprised

Why would you think facts matter to anti-ms trolls?

Re:Well color me surprised

[metrix007]

That would be Safari.

Re:Well color me surprised

[metrix007]

That ain't how it works kiddo. Early posts always get the most replies.

Why bother?

Seriously, protected mode does nothing more than throw a UAC "Are you sure you want to do this?" prompt at the user, which nearly all of the users I know would click right past. Unlike UAC, you can't configure it to ask for an administrator username and password, or even configure it to never allow changing integrity levels.

It was already easily bypassed anyway, by design. Showing a vague warning to a non-savvy user and hoping they don't click OK isn't security.

Re:Why bother?

Seriously, protected mode does nothing more than throw a UAC "Are you sure you want to do this?" prompt at the user

Completely incorrect; you may want to read up on what protected mode in IE is (and what a "low integrity process" is on Vista and later. It really doesn't have anything to do with UAC.

Re:Why bother?

[man_of_mr_e]

Actually, that's not what protected mode is. Nothing like it in fact.

Protected mode runs the browser at the bare minimum privilege level, and only allows the browser to interact with the browsers cache files. When a user loads a page or performs a download, the file is downloaded to the temporary internet files. Then, a new process with higher privleges is launched to copy the downloaded file to the users chosen location.

What you're referring to is the simple act of adding metadata to the downloaded file to let the OS know that the file was downloaded from the internet, that's what puts up the UAC like dialog, but there are no lower permissions associated with that.

So it would help if you actually understood what it was you were commenting on before being such a jack ass.

Re:Why bother?

Completely incorrect; you may want to read up on what protected mode in IE is (and what a "low integrity process" is on Vista and later. It really doesn't have anything to do with UAC.

No, it doesn't have anything to do with UAC, but its prompting behavior is more-or-less identical to UAC's. My bad for saying UAC instead of "UAC-style". Don't some of the statements have to be false before the post is "completely incorrect"?

Re:Why bother?

Actually, that's not what protected mode is. Nothing like it in fact.

Protected mode runs the browser at the bare minimum privilege level, and only allows the browser to interact with the browsers cache files. When a user loads a page or performs a download, the file is downloaded to the temporary internet files. Then, a new process with higher privleges is launched to copy the downloaded file to the users chosen location.

What you're referring to is the simple act of adding metadata to the downloaded file to let the OS know that the file was downloaded from the internet, that's what puts up the UAC like dialog, but there are no lower permissions associated with that.

So it would help if you actually understood what it was you were commenting on before being such a jack ass.

When traversing integrity levels, Protected Mode prompts the user, just like the OP said.

I suggest some reading before you post too much more on this topic: http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Note what happens when switching to Medium Integrity Level. There's even a screenshot of the dialog the OP was complaining about.

Re:Why bother?

Yes, they do. You were completely incorrect. With protected mode there IS NO PROMPTING period. There is no supported way (there is this bug that was found) to get from a low integrity process in IE (like "Internet Zone Protected Mode: On") over to a medium or high integrity process. With UAC, there IS prompting. With IE protected mode there is none.

Re:Why bother?

Yes, they do. You were completely incorrect. With protected mode there IS NO PROMPTING period. There is no supported way (there is this bug that was found) to get from a low integrity process in IE (like "Internet Zone Protected Mode: On") over to a medium or high integrity process. With UAC, there IS prompting. With IE protected mode there is none.

Please read http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Particularly the part about the prompt you get when switching from low to medium integrity levels, screenshot included.

Re:Why bother?

There are very few elevatable commands, which yes, are prompted, by a different process running as a broker. As far as I know they're basically all for user initiated actions and not for the sort of things that a toolbar can do anyway. One-off commands being handed off. For the most part, there's no prompt at all for evil. The filesystem gets silently virtualized so there's no elevation but shitty toolbars don't actually get to write files to directories outside of a special sandboxed areas, *thinking* that they're writing to C:\Windows\System32 or wherever it is.

There's no carte blanche way to elevate yourself from a low process, aside from exploits like this. It looks like it works on domain-joined machines only, by using some other exploit to seize control of low and using it to spoof a webserver hosted on the LAN and navigate to it, since the local intranet gets medium-privileges by default. Turning on protected mode for every zone would neuter the attack.

I don't use IE a lot but even when I do (on Win7 or Vista) I basically never see an elevation prompt anyway. I honestly think it would surprise somebody to start seeing them.

Re:Why bother?

That's not the same as switching: that's for creating a whole new process at medium from low code. That's not something that IE does on its own, so it's not something that gets a lot of prompts in the first place. A well-written add-on can broker itself. That prompt should basically be surprising.

Re:Why bother?

Seriously, protected mode does nothing more than throw a UAC "Are you sure you want to do this?" prompt at the user

Completely incorrect; you may want to read up on what protected mode in IE is (and what a "low integrity process" is on Vista and later. It really doesn't have anything to do with UAC.

Well, the boot loader and all its descendents have nothing to do with UAC.

Re:Why bother?

(Not the GP.) This behavior was apparently changed in a recent W7 patch. You used to be able to launch low-IL processes via runas /trustlevel 0x10000 ... and the process would show the UAC prompt when attempting to access restricted file locations. Now the process just silently fails.

Re:Why bother?

[vistapwns]

Loading programs at higher integrity levels can be disabled completely (vs. the default prompt that you say people 'cick through'), it's in internet options->security->custom level->allow applications and unsafe files to be run. Set to disabled. Assuming you are actually talking about the integrity level aspect, and not the download metadata as someone else supposed.

Oh great.

[jack2000]

How do i know that pdf isn't maliciously crafted to infect my system.
Html and css people, it's what is made for presentation of content on multiple systems. Why don't you use those tags and specify different styles for display,print and what-have-you

Re:Oh great.

[TheLink]

How do i know that pdf isn't maliciously crafted to infect my system. Html and css people, it's what is made for presentation of content on multiple systems.

HTML and CSS is for the "Researchers exploit PDF reader" report.
PDF is for the "Researchers exploit browser" report. :).

Re:Oh great.

[postbigbang]

Actually, that's what I thought, too. What an amusement that might be: get the download on a crack, whilst being cracked. I know a few jokers that would do just that and laugh their butts off at the list succumbing to the hack, in between rounds of WoW.

It pays to be (at least somewhat) obscure.

[windcask]

We hear about vulnerabilities involving services and programs that the majority of internet consumers use everyday on a constant basis; it's pretty much expected...not just from pre-installed Windows applications like Internet Explorer, but from GMail, Facebook, Twitter, Wordpress etc. By contrast, when was the last time you heard of a Filemaker exploit, a malicious Opera toolbar, an identica worm, or someone having their Fastmail hacked? Good services with solid support that aren't used by the clueless masses are probably the best way to go when deciding what online applications to patronize.

Re:It pays to be (at least somewhat) obscure.

[Meshach]

Hackers go after more popular systems because that way they can infect exponentially more machines. The trouble is that every software manufacture want to be big enough and have enough market capitalization; no one is happy being the small fish. Any good piece of software is going to get more market capitalization and eventually get attacked. Ones that never get attacked are either niche markets or not very good.

Re:It pays to be (at least somewhat) obscure.

[bunratty]

That's why I use GNU Savannah for all my services. Oh, wait...

Re:It pays to be (at least somewhat) obscure.

[windcask]

Ones that never get attacked are either niche markets or not very good.

I'm not sure I would paint with such a broad brush. For example, I am using the Opera browser as we speak and have been for about two years now. I can count on one hand the number of sites I've had a problem using this program with. It's been around since the late '90s and from what I understand, it's been one of the major innovators in the field. It's just never had the megabucks for advertising or the benefit of being an automatically installed application on a commercial OS like IE or Safari and didn't have the benefit of being Netscape's closest successor and the most popular Linux/BSD application around (Firefox). It's played its quiet little role for some time now and has a small but devoted following...not because it fills some sort of niche but because it's a capable product for those who happen to seek it out.

There are many other applications like this: not huge players but do what they do very well and have certain features that set them apart from the mainstream players.

Re:It pays to be (at least somewhat) obscure.

You might not ever HEAR about an exploit in a program like that. Which in a way, is just as scary.

Re:It pays to be (at least somewhat) obscure.

[windcask]

Or nobody will even notice. Which is somewhat relieving.

The trouble with sandboxes

[tryone]

Have you ever looked at a real life sandbox, that kids have been playing in? Notice how there's sand scattered all over the surrounding ground up to six feet away from the box? That's Microsoft's security model right there.

Re:The trouble with sandboxes

[Penguinisto]

Question: Would that be before or after the neighborhood cats discover it?

Re:The trouble with sandboxes

But were they Script cats or Script kitties?

Re:The trouble with sandboxes

[tryone]

Guess this sandbox is vulnerable to drive-by downloads.

A PDF?

[fluffy99]

Like I'm really going to open up an untrusted PDF file. In other news "Virus destroys computers, open up attached exe for demonstration...."

window lol

[thetoadwarrior]

Does anyone honestly trust IE these days?

Re:window lol

[camperdave]

I do! There's no better vector for malware delivery than IE.

Re:window lol

[thewils]

Sheeit man, I use it all the time, unless of course I'm on my own computer.

Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer."

Actually, the whole point of a sandbox is to make it so that crackers cannot punch through the wall, even if they compromise a given application.

Re:Not exactly what a sandbox is for, actually

That assumes perfect software, and there is no perfect software.

At best the sandbox is an additional layer. It's not enough to compromise the application, that only leaves you within the sandbox itself. The attacker has to figure out how to compromise the application and then compromise the subsequent sandbox. That leaves the attacker in the same position as if they had compromised the application if it wasn't sandboxed. That leaves you in the context of the current user, which, under Windows Vista and Windows 7, leaves you in yet another sandbox. You'd have to find a third vulnerability to exploit in order to elevate to Administrator in order to actually own the box. Although, these days, owning the box is usually not the goal as taking the user context is enough to set up a zombie.

It's extremely noteworthy to mention that other browsers (with the exception of Chrome) don't take advantage of a sandbox. So, whereas a vulnerable plug-in combined with a payload designed to break out of the sandbox might land you user context in IE, on Firefox you don't need to go that far. To make light of the sandbox because, rarely, it is vulnerable, is silly and stupid. You laugh at someone who had their house broken into by someone who picked their locks while you have no doors.

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"That assumes perfect software, and there is no perfect software."

No, it doesn't assume that. Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is t have a perfect sandbox. Once you set your standards lower, "From we hope to make it impossible to break in" to "we hope to make it more difficult to break in", you have already formed the mindset that some bugs are not important. The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them us not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

Re:Not exactly what a sandbox is for, actually

Once you assume it is perfect, or can be perfect, you give up trying to improve it. Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams. I doubt you're on either. You just like to suck on the cock that you imagine as it makes you feel superior. Wake me when Firefox runs under a sandbox by default on all normal distributions of Linux, and don't try to claim that the user context is that sandbox because you and I both know what a crock of shit that is. Don't bitch about the imperfections on something you lack.

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"Once you assume it is perfect, or can be perfect, you give up trying to improve it."

What a ridiculous statement. It completely ignores that I stated that it was important to remember that the sandbox is not invulnerable, for starters.

"Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams."

I am privy to it. Microsoft announces that they have no current plans to fix various known security flaws on a regular basis. You will never see that with the Linux Kernel, ever.

"You just like to suck on the cock that you imagine as it makes you feel superior."

And there it is, the hat trick. Three ridiculous assertions of equal absurdity. Good job!

Re:Not exactly what a sandbox is for, actually

Congratulations! You win the contest for the most meaningless and useless comment in a Slashdot story today!

Re:Not exactly what a sandbox is for, actually

TFA isn't an IE8 sandbox (or Mandatory Integrity Control) exploit. Nothing is demonstrably wrong with the sandbox itself. It's an IE8 bypass (no code needed) using a browser design flaw to get around the sandbox. In other words, the sandbox was never activated. The reason this weakness exists is because of stupid corporate policies dictating that IE8 should run their IE6-designed ActiveX controls on the local intranet. Chromium, which uses the same sandbox measure as IE8, does not suffer this problem.

Re:Not exactly what a sandbox is for, actually

[dumbnose]

The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them us not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

This has absolutely nothing to do with the Windows kernel. AFAIK, there are zero known vulnerabilities in the Windows kernel as of today. So, I guess you are trying to compare the Linux kernel with the entire Windows operating system. How does that comparison make any sense?

Re:Not exactly what a sandbox is for, actually

[metrix007]

Actually, you have the treatment of bugs per the Linux and Windows camps backwards. Windows development rightfully assigns security vulnerabilities as more important than a random bug that may cause a crash in some circumstances, while Linux development classifies security bugs as just another bug, and not worthy of disclosure or hastened patching.

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"This has absolutely nothing to do with the Windows kernel"

Hey, that's probably why I didn't say Windows kernel then! I was talking about development methodologies. The kernel development team is a managed entity, and the Windows OS is a managed entity. It is the management, and not the developers, that matter when discussing attitudes, and what gets released. I guess I could have compared Linus to Balmer, but somehow I suspect people would get even more upset then [especially Linus ;-) ]

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

No. In the linux kernel all bugs are worthy of immediate patching.

"Windows development rightfully assigns security vulnerabilities as more important than a random bug that may cause a crash in some circumstances"

This part is half right. It is wrong to classify them this way, but they certainly do seem to have a "fix some 'important' bugs and far fewer 'less important' bugs" philosophy. ;-)

Re:Not exactly what a sandbox is for, actually

[metrix007]

Sorry, but no. I can even find the quotes where Linus or Greg K-H or whoever it was basically said that security bugs should not be treated any differently to normal bugs, don't need to be disclosed etc. That attitude is simply wrong, and it's hard to take Linux security seriously when the developers have such an approach.

At least with MS, or basically any other OS, security bugs are rightfully treated as more critical, and will be patched sooner. I mean, look at that last big Linux vulnerability...that was quite serious and known about for a few weeks in advance. Terrible.

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"Sorry, but no. I can even find the quotes where Linus or Greg K-H or whoever it was basically said that security bugs should not be treated any differently to normal bugs, don't need to be disclosed etc."

It is your assumption that "they don't need to be treated differently" means they aren't important. It is a complete misrepresentation of their position, which is that all bugs are unacceptable. It is exactly the mindset that some bugs are "not important, or "not as important" that leads to poor quality. Empirical evidence proves that this is the correct mindset. It is foolish of you to argue that the Microsoft position is the correct one, when anyone with a clue knows which OS has more security holes.

"I mean, look at that last big Linux vulnerability...that was quite serious and known about for a few weeks in advance. Terrible."

I am vacillating between categorizing you as a troll, or merely clueless. You cannot seriously complain about a single flaw that wasn't fixed in a matter of weeks while simultaneously supporting a position that results in flaws that are identified but are not considered important enough to fix at all.

Re:Not exactly what a sandbox is for, actually

[metrix007]

I am not misrepresenting their position at all. In fact, the original quote essentially says that security bugs are not particular important, and then goes on to state that it doesn't make sense to disclose them, because it creates pressure to focus on them more than other bugs.

You don't seem to get it, but THIS IS WRONG

Security bugs are a much greater threat than other kind of bugs, and should be treated and given precedence accordingly.

I'm sorry, but bugs do have varying levels of important, and it's stupid to say otherwise. All the empirical evidence we have shows that developers rate bugs at different levels of importance, and that security bugs generally are generally deemed more important, for good reason.

There is NO empirical evidence that even suggests that treating bugs at different levels of priority lead to poor quality code. That is speculation on your part, and contrary to what you post unsupported by the evidence.

You also need to catch up with current times. Microsoft has had an excellent security record for the past few years, and Windows is now one of the more secure OS's. I'd say it actually beats Linux in a lot of areas, although that is another discussion.

Simply the fact the Linux developers think it is fine not to disclose critical security or treat them more importantly (in contradiction of many decades of developed good practices) says more about their attitude toward security than you care to admit.

You cannot seriously complain about a single flaw that wasn't fixed in a matter of weeks while simultaneously supporting a position that results in flaws that are identified but are not considered important enough to fix at all.

Nice Strawman.

I am maintaining that critical security bugs should be given precedence for patching, and disclosed and berating the Linux developers for not doing this. At no stage do I or have I supported a position that results in flaws that should not be fixed (hence your strawman).

The linux security attitude is atrocious, contrary to accept good practice, and puts people at risk. I don't know you would argue otherwise, unless it were due to zealotry.

Untrusted for you; trusted for most

[Zero__Kelvin]

"Like I'm really going to open up an untrusted PDF file."

The keyword is trust. While you are free to be so paranoid that you don't trust Verizon's researchers, most of us have a realistic trust model, and consider it to be a trusted resource.

I'm shocked...

An IE exploit giving admin status on a Windows machine, color me shocked!

Re:I'm shocked...

[vistapwns]

It doesn't give admin access. It's still better than Firefox, since firefox doesn't have a sandbox at all. And you can disable this bypass easily by enabling protected mode in the intranet and trusted zones. Another clueless reply on slashdot about Windows security, "color me shocked."

So headline is wrong again

[EricFr]

Its not Microsoft's fault but people are jumping to blame them, its ADOBE, the reason for security problems on the web.

Silverlight 5

Umm, doesn't the enhanced access design of Sliverlight 5 DEPEND upon this Protected Mode?

For once, Microsoft lack of secure design can be demonstrated before anybody can get their hands on it.

Re:Silverlight 5

[vistapwns]

Enable protected mode in trusted and intranet zones if you are concerned about it. But I'm guessing you're less interested in a solution, than just whining about the problem.

Re:Silverlight 5

[cyber-vandal]

I'll try that at work but if it breaks any of my intranet applications I'm coming after you with a sharpened Vista DVD.

regarding the plural of "virus"

[Onymous+Coward]

• "Viruses" is correct. It's what you should use if you're not trying to be wrong or silly (or both).
• "Viri" is bad Latin -- there is no record of virus being pluralized. It's like saying "many poison".
• "Virii" is right out. (Plural of "virius"?) But feel free to use it because it's so obviously wrong folks will (mostly) assume it's ironic, like lolspeak.

(more detail)

"mai kumpootur haz mutch virii!"

Wasn't sure whether you knew. Just posting this as a PSA.

Re:regarding the plural of "virus"

[perryizgr8]

the plural of virus is anything a person wants it to be, as long as the meaning is unambiguously conveyed. i understand that language should be 'correct', but the underlying reason behind this is that everyone should be able to properly infer meaning. if a reader/listener can infer meaning, it should not matter if the language breaks any spelling/grammar conventions.

If you think there's perfect security

[Sycraft-fu]

You are dead wrong. In the real world, with physical security, people have long had to understand there is no perfect, unbreakable, security. It just cannot happen. the best locks in the world can be picked, the most trained guards can be killed, the strongest materials can be cut. There is no such thing as the one item, one method, etc that cannot be broken so you just implement that can call it good. As such you must build security that has defense in depth, multiple layers that if one is bypassed or fails the other can keep things secure. You also have to be vigilant, watching things to make sure they are secure and fixing problems. That is just what security is.

Computer people for some reason have convinced themselves that isn't true in the virtual world, that you can perfect, unbreakable security and that so long as you have one perfect item everything else is irrelevant. That's not the case.

So saying "This sandbox is not unbreakable," isn't lowering standards, it is being realistic. It is realizing that saying you've got something that is perfect is extremely arrogant and stupid. It is being aware that it is helpful to increase security but cannot be the only layer.

Re:If you think there's perfect security

[Zero__Kelvin]

I am not even close to wrong. You are wrong when you say I am wrong. You also completely misunderstood everything I wrote, so much so in fact that I am not about to address each thing point by point. I will address this, as it is characteristic of your ability to ignore what I said and put words in my mouth:

"So saying "This sandbox is not unbreakable," isn't lowering standards, it is being realistic."

I specifically stated that Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is t have a perfect sandbox. I never said the goal was achievable. In fact specifically said it is not, and that it is important to remember that fact. No need to reply back; I accept your apology.

Re:If you think there's perfect security

While it is true that no sandbox is unbreakable, it is kind of sad that this sandbox is breakable using the exact same exploits that you use to break the security of the web browser.

If you have a system that is somewhat secure because it requires a password, you can't say it is extra secure because it requires you to type the same password 2 times. Likewise this IE sandbox is designed to protect against situations where there is a vulnerability in IE that allows arbitrary code execution. But, any such vulnerability automatically also is a vulnerability that allows you to also bypass the sandbox. So, that means the sandbox is defeated by making a small generic change to any IE exploit...

Also two other things to note

[Sycraft-fu]

One is that they say "This attack assumes the existence of exploitable memory corruption vulnerability." As in this isn't something that actually works, it presumes you've already found an exploit. However I will grant them that is the kind of thing protected mode should help defend against (not stopping the bug from happening, but that it can't be used to do much).

However the bigger one is that it allows you to gain normal user privileges. You can break out of the low privilege for the app (that's what protected mode is, running at a lower privilege level than the user who ran it) in to the regular user, NOT an administrator. Thus what it does is make IE the same as every other browser, which do not make use of Mandatory Integrity Control. If you find an exploit in Firefox (and don't say there haven't been any, look at their patch history) or Chrome or whatever you are already at user privilege level since they do not use MIC to run at a lower level. This does not give admin privileges unless the user has either turned off UAC and logged in as an admin or run the browser with admin privileges.

So does it need to be fixed? For sure, and I'm sure it will be. However it is not an "OMG do this and you get admin through IE!" thing. It is "Supposing a proper kind of exploit is found in IE, which has not been done yet, you could use it to gain regular user access on a system instead of reduced access."

Also I'm not sure where you thing about "letting security fixes ripen" comes from. As far as I can tell this is a new paper. If you think they should have a fix out for something that was just announced, well then you've not done a lot of programming at least not on major projects. First off they have to figure out HOW to fix it. This isn't always simple. From reading the white paper it isn't just a case of "There's a buffer overflow," or something like that which is pretty simple. They may need to do some more significant changes. So once that is done you have to implement them, and then do a lot of testing. People get extremely whiny if a Windows update breaks something. They even whine about it when the reason somethign broke was that they had malware on their system. So MS has to do a massive set of testing to make sure it works with all sorts of hardware, drivers, apps, and so on.

I'm not saying MS is as fast as they should be with patches but the "PATCH NEXT DAY!" crowd needs to chill and realize the level of testing that is necessary.

embracing and extending English considered harmful

[Onymous+Coward]

I'm pretty sure it's better not to let language rot through poor grammar. So, please keep the protocol from being corrupted or unnecessarily fragmented. The more inaccurate languages get the more heat loss humanity suffers.

Maybe you don't think it matters much. Well, okay. But for those who think correctness and standards compliance are good, the correct plural of virus is offered.

No changes for the average user

[Bloem]

No worries for the average user. Most people I talk to aren't even aware that there was a sandbox-option that could be used. So it's a hole in a door that nobody knew was there. Kinda philosophical: "If a sandbox was cracked that no-one knew existed, is it really cracked".

Re:No changes for the average user

[tgd]

Protected mode is the default.

I doubt 99% of people using Windows Vista or 7 with IE would have the first idea how to shut it off.

Re:No changes for the average user

[sparkler99]

not 99% some people need to keep the crappy browser on there pc for capability reasons and does protected mode work anyway as i use firefox 4 beta9 instead so don't know

http://www.jordaner.com

--------- http://www.jordaner.com ----------

JORDANER,Inc. We are the best online dealer,about all kinds of Nike shox .run retailing and wholesale trade wordwidely for years. Free S hipping And Customs,Super Sale Off Retailing,With 1Week Delivery to your door.

People like you don't know HOW to learn

[Zero__Kelvin]

You are obviously correct. The Linux kernel team has a really bad security attitude. The fact that it is much more secure than Windows happens by magic. Have a nice life.

Re:People like you don't know HOW to learn

[metrix007]

Wow, talk about blinders. Yes, the linux devs have a horrible security attitude. Given they don't disclose security bugs, it's hard to say if it is actually more secure than recent versions of Windows or not, since Microsoft does disclose Windows bugs.

I mean, your not the kind of idiot that just assumes are you? I'm sure your smart enough to that if a product does not disclose vulnerabilities that does not mean it is more secure than a product which does, right? You understand the absence of responsible disclosures does not equate to the absence of vulnerabilities?

Re:People like you don't know HOW to learn

[Zero__Kelvin]

The presence of significantly less vulnerabilities proves significantly less vulnerabilities. The fact that you think that there is more visibility when Microsoft reluctantly acknowledges the occasional vulnerability, when the Linux kernel is developed transparently where every single person on the planet is free to view all knowledge anyone has regarding said vulnerabilities speaks volumes.

You also don't seem to get that the people who need to know, the people who create distributions, already know about any issues and it is them, not the kernel team, that decides when to package fixes and make them available.

In case I wasn't clear the last time, you are a clueless moron, and not the always happy benign kind. You are a malignant cancer on the ass of humanity.

Re:People like you don't know HOW to learn

[metrix007]

I was right. You have extreme blinders on guy.

The linux devs don't openly disclose security bugs. They have said as much, giving the appalling reason they don't want them to take precedence, as they should.

I know this is hard for you to follow, but given the Linux devs attitude, we don't actually know that there are less vulnerabilities. If anything, Linux appears to have far more vulnerabilities than a given release of Windows. Of course, your ignorance and zealotry won't let you realize that.

Let's look at your behaviour in this discussion:

1. Failing to understand the importance of responsible disclosure
2. Defending the Linux dev's choice to hide and not disclose security vulnerability
3. Assuming that Windows is currently horribly insecure, because it once was, when Linux and OS X are now far worse
4. Worst of all, thinking that the lack of disclosed vulnerabilities is equivalent to a lack of vulnerabilities. This alone says a lot
5. Spreading FUD RE Microsoft - they acknowledge *every* vulnerability that a third party informs them of, and patch it accordingly -- unlike Linux
6. Resorting to insults and personal attacks due to the lack of an argument

It's a shame dude. Ignorant people like you are actually holding Linux back. I use and like Linux, but if retarded practices like ignoring security vulnerabilities because a scheduler is more interesting to work on don't get rectified, then it's going to continue going down the drain. Something that started after Greg K-H took over.

Re:People like you don't know HOW to learn

[Zero__Kelvin]

How many different ways can I say it. There is 100% disclosure with the Linux kernel all the time, Microsoft continues to be insecure and always will be, they specifically state that they are not going to fix security holes on a regular basis, and all bugs are equally important because every bug is critical. Oh yes, and I forgot ... you are either a troll or a clueless moron.

Now you can either respond to this with more ridiculous claims that completely misrepresent everything I say and the facts and then go on about your life as a clueless idiot, or just go straight to the last step. Either way, I'm done trying to help you get a clue, because you are either by accident of birth, or intentional asininity, a moron.

Re:People like you don't know HOW to learn

[LO0G]

There is 100% disclosure only if you audit every single change to the kernel to determine if the fix is a fix for a security vulnerability or not.

Don't forget that applying a bug fix has a level of risk associated with it - every bug fix has the potential for regressing some mission critical functionality. The OS vendor attempts to ensure that nothing is broken by the patch, but it *does* happen.

As a customer deciding to take a patch, I need to assess if the risk associated with taking the patch is greater than the risk of the that the patch fixes.

Knowing that by not taking a patch I put my data (and my customers data) at risk (which is the case for security bugs) allows me to give a higher priority to the patch.

The reason that MSFT (and AAPL) disclose their kernel vulnerabilities up is to give their customers this critical information. For Linux distributions, the only way to know if a patch fixes a security related problem is to audit the source code.

For most users (and organizations) the Linux way is simply too much work.

The Linux approach moves the responsibility for determining if a bug is a security bug from the developer (who best knows the code and potential consequences of a bug) to the end-user. And as the end user, how would you know if (for example) the addition of:

        MD_Update(&m,buf,j);

is a security bug fix (or more importantly that the removal of that code would introduce a critical vulnerability in the Debian random number generator)?

And that doesn't help the end-user at all.

Re:People like you don't know HOW to learn

[Zero__Kelvin]

"The Linux approach moves the responsibility for determining if a bug is a security bug from the developer (who best knows the code and potential consequences of a bug) to the end-user. "

That is a ridiculous statement, and cuts to the core your lack of understanding of the model. You've heard of Red Hat, right? The "end user the responsibility is pushed off on" is them, and other distribution teams. They are qualified to know, and work directly with the kernel developers, what with them employing many of the key players. I could counter each of your other equally off base claims with the truth, but suffice it to say I'm too busy to keep trying to educate people, whom experience shows, aren't interested in understanding.

Re:People like you don't know HOW to learn

[metrix007]

You're an idiot. Note, I'm not dismissing your argument because I believe you to be an idiot, just noting that you appear to be an idiot as a consequence.

There is NOT 100% disclosure with Linux. That, put simply, is bullshit.

What they actually state is that disclosure of security bugs should be mostly avoided so they can treat bugs as they want to, without being pressured by an exploit. No where do they state that all bugs are treated equally. So, here we have bugs that allow to compromise not being disclosed and maybe not being patched for a month(just like the last big Linux vulnerability).

On the Microsoft side we have people contacting microsoft, microsoft working on a fix and then publically releasing a patch. That's how proper full disclosure works, kiddo.

Since The Linux devs would rather rely on security through obscurity, you have to rely on sites like xorl.wordpress.com or read bugtraq and hope that someone has a patch before the next kernel release. I'll give the point that at least people can patch it themselves if they need to.

Also, you have to stop with the Linux is more secure because of the many eyes bullshit. Just because everyone can read the code does not mean they are, and you still have the same small number of developers, most of which are not actively looking for security problems.

I really hope you try and look this stuff up, because your ignorance hurts, and I hate to think you will be spreading misinformation to other people.

Parts of Chrome run with low integrity

[Sits]

The chromium sandbox design documents discuss how on Windows Vista and later different parts of the browser run with low integrity mode like IE 7+.

No English Mutch ?

[Zero__Kelvin]

"You're an idiot."

Right, I'm the idiot:

"No where do they state"

Yes, in the LKML do they state it. ROTFLMAO

"Also, you have to stop with the Linux is more secure because of the many eyes bullshit."

I'm more of a "Linux is more secure because it is more secure" kind of guy.

Also, it has come to my attention that you are a known troll on Slashdot, so Plonk

Re:No English Mutch ?

[metrix007]

Am I surprised that you ignore evidence that hurts your worldview, and submit an insult from an AC as evidence that I am a troll, despite the fact I have excellent karma?

No, no I am not. Zealotry FTW.

Funny how you ran here though

http://yro.slashdot.org/comments.pl?sid=1888084&cid=34378092 and you called others here idiots? You're the idiot that ran when he was confronted on his trolling because you weren't able to dispute and disprove what was posted and you were asked to. You talk a big game metrix007, but you can't even show anyone here that you've done more than those you called "ignorant and misinformed" in that URL above. You're a noob, and we all know it, just based on that URL above.

Why did you run here then, troll?

http://yro.slashdot.org/comments.pl?sid=1888084&cid=34378092 You're the troll that ran when he was confronted on his trolling there in that URL I just put up, because you weren't able to dispute and disprove what was posted and you were asked to. You talk a big game metrix007, but you can't even show anyone here that you've done more than those you called "ignorant and misinformed" in that URL above. You're a noob, and we all know it, just based on that URL above as well as your repeated insults (obvious or attempted subtle ones) and name calling of others that is shown in your posting history here this week alone. Grow up, do something with your life, before you try to play "expert" with anyone here or elsewhere that have (which is what you tried above, and you ran, lol!).

metrix007 RAN like a cowardly little troll here

http://yro.slashdot.org/comments.pl?sid=1888084&cid=34378092 You're the troll that ran when he was confronted on his trolling there in that URL I just put up, because you weren't able to dispute and disprove what was posted and you were asked to. You talk a big game metrix007, but you can't even show anyone here that you've done more than those you called "ignorant and misinformed" in that URL above. You're a noob, and we all know it, just based on that URL above as well as your repeated insults (obvious or attempted subtle ones) and name calling of others that is shown in your posting history here this week alone, like this one also. Grow up, do something with your life, before you try to play "expert" with anyone here or elsewhere that have (which is what you tried above, and you ran, lol!).