Slashdot Mirror


Researchers Bypass IE Protected Mode

Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively unprivileged level to one with higher privileges, giving him complete access to the logged-in user's account."

16 of 91 comments

  1. It pays to be (at least somewhat) obscure. by windcask · · Score: 2

    We hear about vulnerabilities involving services and programs that the majority of internet consumers use every day on a constant basis; it's pretty much expected...not just from pre-installed Windows applications like Internet Explorer, but from GMail, Facebook, Twitter, Wordpress etc. By contrast, when was the last time you heard of a Filemaker exploit, a malicious Opera toolbar, an identica worm, or someone having their Fastmail hacked? Good services with solid support that aren't used by the clueless masses are probably the best way to go when deciding what online applications to patronize.

  2. The trouble with sandboxes by tryone · · Score: 5, Funny

    Have you ever looked at a real life sandbox, that kids have been playing in? Notice how there's sand scattered all over the surrounding ground up to six feet away from the box? That's Microsoft's security model right there.

    1. Re:The trouble with sandboxes by Penguinisto · · Score: 3, Funny

      Question: Would that be before or after the neighborhood cats discover it?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  3. Re:Oh great. by TheLink · · Score: 3, Funny

    "How do I know that PDF isn't maliciously crafted to infect my system. HTML and CSS, people; it's what is made for presentation of content on multiple systems."

    HTML and CSS is for the "Researchers exploit PDF reader" report.
    PDF is for the "Researchers exploit browser" report. :).

  4. Re:Well color me surprised by hedwards · · Score: 4, Informative

    The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer. From what I gather it's chaining together multiple vulnerabilities to gain control. First bypassing the protected mode, then gaining administrative control over the computer.

    Assuming I'm reading things correctly that's to be expected. The real news is that MS' approach of letting security fixes ripen before release has caused what was bad to be far worse. Of course by real news I mean something that's known to everybody except MS.

  5. Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 3, Insightful

    "The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer."

    Actually, the whole point of a sandbox is to make it so that crackers cannot punch through the wall, even if they compromise a given application.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Not exactly what a sandbox is for, actually by Anonymous Coward · · Score: 2, Insightful

      That assumes perfect software, and there is no perfect software.

      At best the sandbox is an additional layer. It's not enough to compromise the application, that only leaves you within the sandbox itself. The attacker has to figure out how to compromise the application and then compromise the subsequent sandbox. That leaves the attacker in the same position as if they had compromised the application if it wasn't sandboxed. That leaves you in the context of the current user, which, under Windows Vista and Windows 7, leaves you in yet another sandbox. You'd have to find a third vulnerability to exploit in order to elevate to Administrator in order to actually own the box. Although, these days, owning the box is usually not the goal as taking the user context is enough to set up a zombie.

      It's extremely noteworthy to mention that other browsers (with the exception of Chrome) don't take advantage of a sandbox. So, whereas a vulnerable plug-in combined with a payload designed to break out of the sandbox might land you user context in IE, on Firefox you don't need to go that far. To make light of the sandbox because, rarely, it is vulnerable, is silly and stupid. You laugh at someone who had their house broken into by someone who picked their locks while you have no doors.

    2. Re:Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 4, Insightful

      "That assumes perfect software, and there is no perfect software."

      No, it doesn't assume that. Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is to have a perfect sandbox. Once you set your standards lower, from "we hope to make it impossible to break in" to "we hope to make it more difficult to break in", you have already formed the mindset that some bugs are not important. The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them as not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 4, Insightful

      "Once you assume it is perfect, or can be perfect, you give up trying to improve it."

      What a ridiculous statement. It completely ignores that I stated that it was important to remember that the sandbox is not invulnerable, for starters.

      "Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams."

      I am privy to it. Microsoft announces that they have no current plans to fix various known security flaws on a regular basis. You will never see that with the Linux Kernel, ever.

      "You just like to suck on the cock that you imagine as it makes you feel superior."

      And there it is, the hat trick. Three ridiculous assertions of equal absurdity. Good job!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Not exactly what a sandbox is for, actually by metrix007 · · Score: 2

      Actually, you have the treatment of bugs per the Linux and Windows camps backwards. Windows development rightfully assigns security vulnerabilities as more important than a random bug that may cause a crash in some circumstances, while Linux development classifies security bugs as just another bug, and not worthy of disclosure or hastened patching.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    5. Re:Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 2

      "Sorry, but no. I can even find the quotes where Linus or Greg K-H or whoever it was basically said that security bugs should not be treated any differently to normal bugs, don't need to be disclosed etc."

      It is your assumption that "they don't need to be treated differently" means they aren't important. It is a complete misrepresentation of their position, which is that all bugs are unacceptable. It is exactly the mindset that some bugs are "not important", or "not as important", that leads to poor quality. Empirical evidence proves that this is the correct mindset. It is foolish of you to argue that the Microsoft position is the correct one, when anyone with a clue knows which OS has more security holes.

      "I mean, look at that last big Linux vulnerability...that was quite serious and known about for a few weeks in advance. Terrible."

      I am vacillating between categorizing you as a troll, or merely clueless. You cannot seriously complain about a single flaw that wasn't fixed in a matter of weeks while simultaneously supporting a position that results in flaws that are identified but are not considered important enough to fix at all.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. Re:window lol by camperdave · · Score: 2

    I do! There's no better vector for malware delivery than IE.

    --
    When our name is on the back of your car, we're behind you all the way!
  7. If you think there's perfect security by Sycraft-fu · · Score: 2

    You are dead wrong. In the real world, with physical security, people have long had to understand there is no perfect, unbreakable security. It just cannot happen. The best locks in the world can be picked, the most trained guards can be killed, the strongest materials can be cut. There is no such thing as the one item, one method, etc. that cannot be broken, so you just implement that and call it good. As such you must build security that has defense in depth, multiple layers so that if one is bypassed or fails the other can keep things secure. You also have to be vigilant, watching things to make sure they are secure and fixing problems. That is just what security is.

    Computer people for some reason have convinced themselves that isn't true in the virtual world, that you can have perfect, unbreakable security and that so long as you have one perfect item everything else is irrelevant. That's not the case.

    So saying "This sandbox is not unbreakable," isn't lowering standards, it is being realistic. It is realizing that saying you've got something that is perfect is extremely arrogant and stupid. It is being aware that it is helpful to increase security but cannot be the only layer.

    1. Re:If you think there's perfect security by Zero__Kelvin · · Score: 2

      I am not even close to wrong. You are wrong when you say I am wrong. You also completely misunderstood everything I wrote, so much so in fact that I am not about to address each thing point by point. I will address this, as it is characteristic of your ability to ignore what I said and put words in my mouth:

      "So saying "This sandbox is not unbreakable," isn't lowering standards, it is being realistic."

      I specifically stated that recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is to have a perfect sandbox. I never said the goal was achievable. In fact I specifically said it is not, and that it is important to remember that fact. No need to reply back; I accept your apology.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. Also two other things to note by Sycraft-fu · · Score: 3, Interesting

    One is that they say "This attack assumes the existence of exploitable memory corruption vulnerability." As in this isn't something that actually works, it presumes you've already found an exploit. However I will grant them that is the kind of thing protected mode should help defend against (not stopping the bug from happening, but that it can't be used to do much).

    However the bigger one is that it allows you to gain normal user privileges. You can break out of the low privilege for the app (that's what protected mode is, running at a lower privilege level than the user who ran it) into the regular user, NOT an administrator. Thus what it does is make IE the same as every other browser, which do not make use of Mandatory Integrity Control. If you find an exploit in Firefox (and don't say there haven't been any, look at their patch history) or Chrome or whatever you are already at user privilege level since they do not use MIC to run at a lower level. This does not give admin privileges unless the user has either turned off UAC and logged in as an admin or run the browser with admin privileges.

    So does it need to be fixed? For sure, and I'm sure it will be. However it is not an "OMG do this and you get admin through IE!" thing. It is "Supposing a proper kind of exploit is found in IE, which has not been done yet, you could use it to gain regular user access on a system instead of reduced access."

    Also I'm not sure where your thing about "letting security fixes ripen" comes from. As far as I can tell this is a new paper. If you think they should have a fix out for something that was just announced, well then you've not done a lot of programming, at least not on major projects. First off they have to figure out HOW to fix it. This isn't always simple. From reading the white paper it isn't just a case of "There's a buffer overflow," or something like that which is pretty simple. They may need to do some more significant changes. So once that is done you have to implement them, and then do a lot of testing. People get extremely whiny if a Windows update breaks something. They even whine about it when the reason something broke was that they had malware on their system. So MS has to do a massive set of testing to make sure it works with all sorts of hardware, drivers, apps, and so on.

    I'm not saying MS is as fast as they should be with patches but the "PATCH NEXT DAY!" crowd needs to chill and realize the level of testing that is necessary.
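
The post above describes Protected Mode as IE running at a lower Mandatory Integrity Control level than the user who launched it. An administrator who wants to confirm that this is actually in effect on a machine (and to spot a tab process that is unexpectedly running at the user's own level) can read each IE process's token integrity label. The script below is an added example written for this page, not code from the Verizon Business paper or from Microsoft; it assumes Windows Vista or later with PowerShell and calls the documented advapi32 APIs OpenProcessToken, GetTokenInformation (TokenIntegrityLevel), GetSidSubAuthorityCount and GetSidSubAuthority. The expected pattern is the broker (frame) process at Medium and the content processes at Low.

```powershell
# Added example: report the integrity level of running Internet Explorer
# processes. The integrity level is the last sub-authority (RID) of the
# mandatory label SID attached to the process token (S-1-16-<RID>).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the integrity RID of the process token, or -1 on failure.
    public static int GetIntegrityRid(IntPtr hProcess) {
        IntPtr hToken;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return -1;
        try {
            int len;
            GetTokenInformation(hToken, TokenIntegrityLevel, IntPtr.Zero, 0, out len);
            IntPtr buf = Marshal.AllocHGlobal(len);
            try {
                if (!GetTokenInformation(hToken, TokenIntegrityLevel, buf, len, out len)) return -1;
                // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES; first field is the PSID.
                IntPtr sid = Marshal.ReadIntPtr(buf);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(hToken); }
    }
}
'@

# Map the well-known SECURITY_MANDATORY_*_RID values to names.
function Get-IntegrityLabel([int]$rid) {
    switch ($rid) {
        0x0000 { 'Untrusted' }
        0x1000 { 'Low' }        # Protected Mode content processes
        0x2000 { 'Medium' }     # the interactive user's normal level
        0x2100 { 'MediumPlus' }
        0x3000 { 'High' }       # elevated (administrator) processes
        0x4000 { 'System' }
        default { 'Unknown(0x{0:X})' -f $rid }
    }
}

# Enumerate IE processes; a process we cannot open (another user's, or
# elevated) is reported rather than silently skipped.
function Get-IEIntegrity {
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $rid = [TokenIL]::GetIntegrityRid($_.Handle)
            $label = if ($rid -lt 0) { 'QueryFailed' } else { Get-IntegrityLabel $rid }
        } catch {
            $label = 'AccessDenied'
        }
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Integrity = $label }
    }
}

Get-IEIntegrity | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session while IE is open. Every tab process should report Low; a content process showing Medium means Protected Mode is off for that zone, the user launched IE elevated, or a process has escaped its low-integrity token, which is exactly the condition the thread is discussing. The same token query works for any other sandboxed process on the machine, so the function can be pointed at Chrome renderers as well.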

  9. Parts of Chrome run with low integrity by Sits · · Score: 2

    The Chromium sandbox design documents discuss how on Windows Vista and later different parts of the browser run with low integrity mode like IE 7+.