
Researchers Bypass IE Protected Mode

Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."
  • by StuartHankins ( 1020819 ) on Friday December 03, 2010 @07:21PM (#34439048)
    It's Windows and it's IE. They have had a long time to create a reputation for security issues. This comes as just another fail behind a long long long string of fails. Face it, it's time to throw the code out and start fresh.
  • by Sycraft-fu ( 314770 ) on Saturday December 04, 2010 @03:16AM (#34441902)

    One is that they say "This attack assumes the existence of exploitable memory corruption vulnerability." As in this isn't something that actually works, it presumes you've already found an exploit. However I will grant them that is the kind of thing protected mode should help defend against (not stopping the bug from happening, but that it can't be used to do much).

    However the bigger one is that it allows you to gain normal user privileges. You can break out of the low privilege for the app (that's what protected mode is, running at a lower privilege level than the user who ran it) into the regular user, NOT an administrator. Thus what it does is make IE the same as every other browser, which do not make use of Mandatory Integrity Control. If you find an exploit in Firefox (and don't say there haven't been any, look at their patch history) or Chrome or whatever you are already at user privilege level since they do not use MIC to run at a lower level. This does not give admin privileges unless the user has either turned off UAC and logged in as an admin or run the browser with admin privileges.

    So does it need to be fixed? For sure, and I'm sure it will be. However it is not an "OMG do this and you get admin through IE!" thing. It is "Supposing a proper kind of exploit is found in IE, which has not been done yet, you could use it to gain regular user access on a system instead of reduced access."

    Also I'm not sure where your thing about "letting security fixes ripen" comes from. As far as I can tell this is a new paper. If you think they should have a fix out for something that was just announced, well then you've not done a lot of programming, at least not on major projects. First off they have to figure out HOW to fix it. This isn't always simple. From reading the white paper it isn't just a case of "There's a buffer overflow," or something like that which is pretty simple. They may need to do some more significant changes. So once that is done you have to implement them, and then do a lot of testing. People get extremely whiny if a Windows update breaks something. They even whine about it when the reason something broke was that they had malware on their system. So MS has to do a massive set of testing to make sure it works with all sorts of hardware, drivers, apps, and so on.

    I'm not saying MS is as fast as they should be with patches but the "PATCH NEXT DAY!" crowd needs to chill and realize the level of testing that is necessary.
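The comment above rests on Mandatory Integrity Control: Protected Mode runs IE's content process at Low integrity, while a normal user process runs at Medium, and the Verizon technique is about crossing that one step. The script below is an added example (not code from the Slashdot post, the commenters, or the Verizon Business paper) showing how a defender can verify which integrity level a process actually holds. It parses the text that Windows' `whoami /groups` prints, maps the well-known `S-1-16-*` label SIDs to level names, and reports whether the process is at or below the level the sandbox is supposed to enforce. The two `whoami` transcripts are constructed samples so the script runs offline; on a Windows host it runs the real command.

```python
"""Check a process's Mandatory Integrity Control (MIC) label from `whoami /groups`.

Added example, not code from the Slashdot post or the Verizon Business paper.
Run it from inside a sandboxed program that is supposed to be at Low integrity
(as IE Protected Mode content processes are); a Medium label where Low was
expected is evidence that the sandbox boundary has been crossed.
"""
import re
import subprocess
import sys

# Well-known integrity-level SIDs (S-1-16-<RID>) defined by Windows.
INTEGRITY_SIDS = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "MediumPlus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}

# Ordering so levels can be compared ("is Low at or below Medium?").
RANK = {name: i for i, name in enumerate(
    ["Untrusted", "Low", "Medium", "MediumPlus", "High", "System"])}

# `whoami /groups` prints the label as a row like:
#   Mandatory Label\Low Mandatory Level   Label   S-1-16-4096
LABEL_RE = re.compile(r"Mandatory Label\\.*?(S-1-16-\d+)")


def integrity_level(whoami_output: str) -> str:
    """Return the integrity level name found in `whoami /groups` text."""
    m = LABEL_RE.search(whoami_output)
    if not m:
        raise ValueError("no 'Mandatory Label' row in whoami output")
    sid = m.group(1)
    return INTEGRITY_SIDS.get(sid, f"Unknown({sid})")


def sandbox_intact(whoami_output: str, expected: str = "Low") -> bool:
    """True if the process runs at or below the integrity level the sandbox should enforce."""
    actual = integrity_level(whoami_output)
    if actual not in RANK:
        return False  # unknown label: do not assume the boundary holds
    return RANK[actual] <= RANK[expected]


def make_sample(level_name: str, sid: str) -> str:
    """Build a constructed `whoami /groups` transcript carrying the given label row."""
    return (
        "GROUP INFORMATION\n"
        "-----------------\n\n"
        "Group Name                              Type             SID          Attributes\n"
        "Everyone                                Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group\n"
        "BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group\n"
        f"Mandatory Label\\{level_name} Mandatory Level  Label            {sid}\n"
    )


# Constructed samples: a Protected Mode (Low) process and a normal user (Medium) process.
SAMPLE_LOW = make_sample("Low", "S-1-16-4096")
SAMPLE_MEDIUM = make_sample("Medium", "S-1-16-8192")


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["whoami", "/groups"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_LOW  # offline demo on non-Windows hosts
    print("integrity level:", integrity_level(text))
    print("sandbox intact (expected Low):", sandbox_intact(text))
```

A Low-integrity process cannot write to Medium-integrity objects, so a Medium label observed from a process that was started under Protected Mode is exactly the escalation the paper describes, and nothing more: it is the user's own level, not administrator.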
