Researchers Bypass IE Protected Mode
Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."
Re:Well color me surprised (Score:5, Informative)
Assuming I'm reading things correctly, that's to be expected. The real news is that MS' approach of letting security fixes ripen before release has caused what was bad to be far worse. Of course, by real news I mean something that's known to everybody except MS.
Re:Why bother? (Score:2, Informative)
Actually, that's not what protected mode is. Nothing like it, in fact.
Protected mode runs the browser at the bare minimum privilege level, and only allows the browser to interact with the browser's cache files. When a user loads a page or performs a download, the file is downloaded to the Temporary Internet Files. Then, a new process with higher privileges is launched to copy the downloaded file to the user's chosen location.
What you're referring to is the simple act of adding metadata to the downloaded file to let the OS know that the file was downloaded from the internet. That's what puts up the UAC-like dialog, but there are no lower permissions associated with that.
So it would help if you actually understood what it was you were commenting on before being such a jackass.
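The two mechanisms the comment above distinguishes can both be inspected from PowerShell. The download "metadata" is the Zone.Identifier alternate data stream (the "mark of the web") that Windows writes on a downloaded file, and the Protected Mode write restriction is an integrity label on the browser's low-integrity cache folder. The script below is an added example, not code from the original thread or from Verizon Business; it assumes Windows with NTFS, PowerShell 3.0 or later (for the -Stream parameter), and the Vista/Windows 7 location of the Low cache folder, which is an assumption about the path rather than something the page states.

```powershell
# Added example: inspect the Zone.Identifier stream that marks a downloaded file,
# and the integrity label on IE's low-integrity cache folder.
# Assumes Windows/NTFS and PowerShell 3.0+.

# Constructed sample: pretend this file was just saved by the browser.
$file = Join-Path $env:TEMP 'downloaded-sample.txt'
Set-Content -Path $file -Value 'sample payload'

# The mark of the web is INI-style text in an alternate data stream.
# ZoneId 3 = Internet zone (URLZONE_INTERNET). Newer Windows versions may also
# record ReferrerUrl/HostUrl lines; they are optional.
Set-Content -Path $file -Stream Zone.Identifier -Value @"
[ZoneTransfer]
ZoneId=3
"@

# List every stream on the file: ':$DATA' is the main content, plus Zone.Identifier.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

function Get-ZoneId {
    # Returns the ZoneId recorded on $Path, or $null when the file carries no mark.
    param([string]$Path)
    $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# URL security zone numbers as defined by urlmon.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$zone = Get-ZoneId -Path $file
"ZoneId for $file is $zone ($($zoneNames[$zone]))"

# Unblock-File deletes the Zone.Identifier stream; this is what the "Unblock"
# button in the file's Properties dialog does. Afterwards Get-ZoneId returns $null.
Unblock-File -Path $file
"After Unblock-File, ZoneId is: $(Get-ZoneId -Path $file)"

# Protected Mode's write sandbox is a mandatory integrity label, not file-zone
# metadata. icacls prints it on the Low cache folder as
# "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"; the (NW) is no-write-up.
# Folder path is an assumption (Vista/Windows 7 layout).
$lowCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'
if (Test-Path $lowCache) { icacls $lowCache } else { "Low cache folder not found at $lowCache" }
```

Running the script on a Windows machine shows the two layers side by side: the Zone.Identifier stream travels with the file and only triggers the warning dialog on open, while the Low Mandatory Level label on the cache folder is what stops a low-integrity browser process from writing anywhere else, which is the boundary the Verizon Business technique is reported to cross.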