Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Bypass IE Protected Mode

Posted by Soulskill on from the locked-doors-open-windows dept.

Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."

8 of 91 comments (clear)

  1. The trouble with sandboxes by tryone · · Score: 5, Funny

    Have you ever looked at a real life sandbox, that kids have been playing in? Notice how there's sand scattered all over the surrounding ground up to six feet away from the box? That's Microsoft's security model right there.

    1. Re:The trouble with sandboxes by Penguinisto · · Score: 3, Funny

      Question: Would that be before or after the neighborhood cats discover it?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:Oh great. by TheLink · · Score: 3, Funny

    How do i know that pdf isn't maliciously crafted to infect my system. Html and css people, it's what is made for presentation of content on multiple systems.

    HTML and CSS is for the "Researchers exploit PDF reader" report.
    PDF is for the "Researchers exploit browser" report. :).

    --
  3. Re:Well color me surprised by hedwards · · Score: 4, Informative

    The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer. From what I gather it's chaining together multiple vulnerabilities to gain control. First bypassing the potected mode then gaining administrative control over the computer.

    Assuming I'm reading things correctly that's to be expected. The real news is that MS' approach of letting security fixes ripen before release has caused what was bad to be far worse. Of course by real news I mean something that's known to everybody except MS.

  4. Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 3, Insightful

    "The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer."

    Actually, the whole point of a sandbox is to make it so that crackers cannot punch through the wall, even if they compromise a given application.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 4, Insightful

      "That assumes perfect software, and there is no perfect software."

      No, it doesn't assume that. Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is t have a perfect sandbox. Once you set your standards lower, "From we hope to make it impossible to break in" to "we hope to make it more difficult to break in", you have already formed the mindset that some bugs are not important. The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them us not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Not exactly what a sandbox is for, actually by Zero__Kelvin · · Score: 4, Insightful

      "Once you assume it is perfect, or can be perfect, you give up trying to improve it."

      What a ridiculous statement. It completely ignores that I stated that it was important to remember that the sandbox is not invulnerable, for starters.

      "Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams."

      I am privy to it. Microsoft announces that they have no current plans to fix various known security flaws on a regular basis. You will never see that with the Linux Kernel, ever.

      "You just like to suck on the cock that you imagine as it makes you feel superior."

      And there it is, the hat trick. Three ridiculous assertions of equal absurdity. Good job!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. Also two other things to note by Sycraft-fu · · Score: 3, Interesting

    One is that they say "This attack assumes the existence of exploitable memory corruption vulnerability." As in this isn't something that actually works, it presumes you've already found an exploit. However I will grant them that is the kind of thing protected mode should help defend against (not stopping the bug from happening, but that it can't be used to do much).

    However the bigger one is that it allows you to gain normal user privileges. You can break out of the low privilege for the app (that's what protected mode is, running at a lower privilege level than the user who ran it) in to the regular user, NOT an administrator. Thus what it does is make IE the same as every other browser, which do not make use of Mandatory Integrity Control. If you find an exploit in Firefox (and don't say there haven't been any, look at their patch history) or Chrome or whatever you are already at user privilege level since they do not use MIC to run at a lower level. This does not give admin privileges unless the user has either turned off UAC and logged in as an admin or run the browser with admin privileges.

    So does it need to be fixed? For sure, and I'm sure it will be. However it is not an "OMG do this and you get admin through IE!" thing. It is "Supposing a proper kind of exploit is found in IE, which has not been done yet, you could use it to gain regular user access on a system instead of reduced access."

    Also I'm not sure where you thing about "letting security fixes ripen" comes from. As far as I can tell this is a new paper. If you think they should have a fix out for something that was just announced, well then you've not done a lot of programming at least not on major projects. First off they have to figure out HOW to fix it. This isn't always simple. From reading the white paper it isn't just a case of "There's a buffer overflow," or something like that which is pretty simple. They may need to do some more significant changes. So once that is done you have to implement them, and then do a lot of testing. People get extremely whiny if a Windows update breaks something. They even whine about it when the reason somethign broke was that they had malware on their system. So MS has to do a massive set of testing to make sure it works with all sorts of hardware, drivers, apps, and so on.

    I'm not saying MS is as fast as they should be with patches but the "PATCH NEXT DAY!" crowd needs to chill and realize the level of testing that is necessary.