Microsoft Patches Remote Code Execution Hole for Internet Explorer

mask.of.sanity writes: Microsoft has released an out-of-band patch for Internet Explorer versions seven to 11 that closes a dangerous remote code execution flaw allowing attackers to commandeer machines. From their advisory: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability." The attack could assist in watering hole and malvertising campaigns. The Windows 10 Edge browser is not impacted.

Really

This bug has been around since IE 7? Wow, this just confirms that MS will only patch bugs once others find them and then they have to work on fixing them.

Re:For the love of...

[cbhacking]

It actually goes a bit beyond this: even since Vista, IE has (by default) run with a *restricted* token that has even less privileges than the normal use. It is Low integrity level, meaning it can't interact with Medium integrity processes or write to most of the file system, registry, or other secured resources.

Unfortunately, as Microsoft is wont to do, they fucked up the sandbox. The default configuration of IE only uses Protected Mode (Low IL) for the Internet and Restricted security zones. Notably, this excludes pages hosted on the local machine. Now, if you've got a code execution bug in IE, you can use that to run a webserver (on localhost). That webserver can host the exploit itself. Then you direct your hijacked, sandboxed IE to the localhost page, watch as the tab's process gets re-launched with normal privileges, and then you compromise that new process. You can protect yourself from this by going to Internet Options -> Security -> Local Intranet -> Enable Protected Mode.

Similarly, the default "Don't notify me when I make changes to Windows settings" feature of UAC in Win7 (and above) is breakable; it's possible to get from medium IL to High IL (Administrator) if you have it enabled and are logged in as a member of the Administrators group. The fix is simple - just set it back to always prompting even for Windows settings (or do what I do, and have it actually ask for your password Sudo-style, though you need to use the Local Security Policy editor, secpol.msc, for that), or run as a non-member of Administrators - but most people never do any of these things.

Microsoft is aware of both issues, and has issued no fixes for them. The POC program to silently elevate an arbitrary binary from Medium IL is blocked by Windows Defender (and probably other antivirus programs) but it would be easy enough to disguise it in such a way that the AV programs miss it.