Researchers Bypass IE Protected Mode
Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."
Not exactly what a sandbox is for, actually (Score:4, Insightful)
Actually, the whole point of a sandbox is to make it so that crackers cannot punch through the wall, even if they compromise a given application.
Re:Not exactly what a sandbox is for, actually (Score:2, Insightful)
That assumes perfect software, and there is no perfect software.
At best the sandbox is an additional layer. It's not enough to compromise the application, that only leaves you within the sandbox itself. The attacker has to figure out how to compromise the application and then compromise the subsequent sandbox. That leaves the attacker in the same position as if they had compromised the application if it wasn't sandboxed. That leaves you in the context of the current user, which, under Windows Vista and Windows 7, leaves you in yet another sandbox. You'd have to find a third vulnerability to exploit in order to elevate to Administrator in order to actually own the box. Although, these days, owning the box is usually not the goal as taking the user context is enough to set up a zombie.
It's extremely noteworthy to mention that other browsers (with the exception of Chrome) don't take advantage of a sandbox. So, whereas a vulnerable plug-in combined with a payload designed to break out of the sandbox might land you user context in IE, on Firefox you don't need to go that far. To make light of the sandbox because, rarely, it is vulnerable, is silly and stupid. You laugh at someone who had their house broken into by someone who picked their locks while you have no doors.
Re:Not exactly what a sandbox is for, actually (Score:5, Insightful)
No, it doesn't assume that. Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is to have a perfect sandbox. Once you set your standards lower, from "we hope to make it impossible to break in" to "we hope to make it more difficult to break in", you have already formed the mindset that some bugs are not important. The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them as not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.
Re:Not exactly what a sandbox is for, actually (Score:5, Insightful)
What a ridiculous statement. It completely ignores that I stated that it was important to remember that the sandbox is not invulnerable, for starters.
I am privy to it. Microsoft announces that they have no current plans to fix various known security flaws on a regular basis. You will never see that with the Linux Kernel, ever.
And there it is, the hat trick. Three ridiculous assertions of equal absurdity. Good job!