Researchers Bypass IE Protected Mode

Trailrunner7 writes "A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine (PDF). The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account."

Well color me surprised

[StuartHankins]

It's Windows and it's IE. They have had a long time to create a reputation for security issues. This comes as just another fail behind a long long long string of fails. Face it, it's time to throw the code out and start fresh.

Re:

[interval1066]

I guess this justifies the howls of laughter my friends and I gave after reading another post on /. earlier in the week wherein a poster described his process for using ie in a sandbox environment that included "IE Protected Mode" that he believed protected him from virii and fishers. One of my mates even said some one would find a new flaw that would render his setup useless. Damned if that guy wasn't right.

Re:Well color me surprised

[hedwards]

The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer. From what I gather it's chaining together multiple vulnerabilities to gain control. First bypassing the potected mode then gaining administrative control over the computer.

Assuming I'm reading things correctly that's to be expected. The real news is that MS' approach of letting security fixes ripen before release has caused what was bad to be far worse. Of course by real news I mean something that's known to everybody except MS.

Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"The whole point of a sandbox is to add another layer that the attacker has to punch through before getting root access to the computer."

Actually, the whole point of a sandbox is to make it so that crackers cannot punch through the wall, even if they compromise a given application.

Re:

[Anonymous Coward]

That assumes perfect software, and there is no perfect software.

At best the sandbox is an additional layer. It's not enough to compromise the application, that only leaves you within the sandbox itself. The attacker has to figure out how to compromise the application and then compromise the subsequent sandbox. That leaves the attacker in the same position as if they had compromised the application if it wasn't sandboxed. That leaves you in the context of the current user, which, under Windows Vista and

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"That assumes perfect software, and there is no perfect software."

No, it doesn't assume that. Recognition of the fact that the sandbox is not invulnerable is certainly important, but it is equally important to remember that the goal is t have a perfect sandbox. Once you set your standards lower, "From we hope to make it impossible to break in" to "we hope to make it more difficult to break in", you have already formed the mindset that some bugs are not important. The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them us not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

Re:

[Anonymous Coward]

Once you assume it is perfect, or can be perfect, you give up trying to improve it. Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams. I doubt you're on either. You just like to suck on the cock that you imagine as it makes you feel superior. Wake me when Firefox runs under a sandbox by default on all normal distributions of Linux, and don't try to claim that the user context is that sandbox because you and I both know wh

Re:Not exactly what a sandbox is for, actually

[Zero__Kelvin]

"Once you assume it is perfect, or can be perfect, you give up trying to improve it."

What a ridiculous statement. It completely ignores that I stated that it was important to remember that the sandbox is not invulnerable, for starters.

"Don't project your high-and-mighty assumptions on others just because you're not privy to how they work. You are not on those teams."

I am privy to it. Microsoft announces that they have no current plans to fix various known security flaws on a regular basis. You will never see that with the Linux Kernel, ever.

"You just like to suck on the cock that you imagine as it makes you feel superior."

And there it is, the hat trick. Three ridiculous assertions of equal absurdity. Good job!

Re:

[Anonymous Coward]

Congratulations! You win the contest for the most meaningless and useless comment in a Slashdot story today!

If you think there's perfect security

[Sycraft-fu]

You are dead wrong. In the real world, with physical security, people have long had to understand there is no perfect, unbreakable, security. It just cannot happen. the best locks in the world can be picked, the most trained guards can be killed, the strongest materials can be cut. There is no such thing as the one item, one method, etc that cannot be broken so you just implement that can call it good. As such you must build security that has defense in depth, multiple layers that if one is bypassed or fail

Re:

[Zero__Kelvin]

I am not even close to wrong. You are wrong when you say I am wrong. You also completely misunderstood everything I wrote, so much so in fact that I am not about to address each thing point by point. I will address this, as it is characteristic of your ability to ignore what I said and put words in my mouth:

"So saying "This sandbox is not unbreakable," isn't lowering standards, it is being realistic."

I specifically stated that Recognition of the fact that the sandbox is not invulnerable is certainly impo

Re:

[dumbnose]

The biggest difference between Linux Kernel development and Windows OS development is that the former treats all bugs as important, while the latter tries to classify some of them us not important, even when they are known to make the system less secure. It is this difference, and not some imaginary idea that crackers only target Windows systems, that accounts for the much higher failure rate of Windows vs. Linux in the malware susceptibility domain.

This has absolutely nothing to do with the Windows kernel. AFAIK, there are zero known vulnerabilities in the Windows kernel as of today. So, I guess you are trying to compare the Linux kernel with the entire Windows operating system. How does that comparison make any sense?

Re:

[Zero__Kelvin]

"This has absolutely nothing to do with the Windows kernel"

Hey, that's probably why I didn't say Windows kernel then! I was talking about development methodologies. The kernel development team is a managed entity, and the Windows OS is a managed entity. It is the management, and not the developers, that matter when discussing attitudes, and what gets released. I guess I could have compared Linus to Balmer, but somehow I suspect people would get even more upset then [especially Linus ;-) ]

Re:

[metrix007]

Actually, you have the treatment of bugs per the Linux and Windows camps backwards. Windows development rightfully assigns security vulnerabilities as more important than a random bug that may cause a crash in some circumstances, while Linux development classifies security bugs as just another bug, and not worthy of disclosure or hastened patching.

Re:

[Zero__Kelvin]

No. In the linux kernel all bugs are worthy of immediate patching.

"Windows development rightfully assigns security vulnerabilities as more important than a random bug that may cause a crash in some circumstances"

This part is half right. It is wrong to classify them this way, but they certainly do seem to have a "fix some 'important' bugs and far fewer 'less important' bugs" philosophy. ;-)

Re:

[metrix007]

Sorry, but no. I can even find the quotes where Linus or Greg K-H or whoever it was basically said that security bugs should not be treated any differently to normal bugs, don't need to be disclosed etc. That attitude is simply wrong, and it's hard to take Linux security seriously when the developers have such an approach.

At least with MS, or basically any other OS, security bugs are rightfully treated as more critical, and will be patched sooner. I mean, look at that last big Linux vulnerability...that was

Re:

[Zero__Kelvin]

"Sorry, but no. I can even find the quotes where Linus or Greg K-H or whoever it was basically said that security bugs should not be treated any differently to normal bugs, don't need to be disclosed etc."

It is your assumption that "they don't need to be treated differently" means they aren't important. It is a complete misrepresentation of their position, which is that all bugs are unacceptable. It is exactly the mindset that some bugs are "not important, or "not as important" that leads to poor quality.

Re:

[metrix007]

I am not misrepresenting their position at all. In fact, the original quote essentially says that security bugs are not particular important, and then goes on to state that it doesn't make sense to disclose them, because it creates pressure to focus on them more than other bugs.

You don't seem to get it, but THIS IS WRONG

Security bugs are a much greater threat than other kind of bugs, and should be treated and given precedence accordingly.

I'm sorry, but bugs do have varying levels of important, and it's stu

People like you don't know HOW to learn

[Zero__Kelvin]

You are obviously correct. The Linux kernel team has a really bad security attitude. The fact that it is much more secure than Windows happens by magic. Have a nice life.

Re:

[metrix007]

Wow, talk about blinders. Yes, the linux devs have a horrible security attitude. Given they don't disclose security bugs, it's hard to say if it is actually more secure than recent versions of Windows or not, since Microsoft does disclose Windows bugs.

I mean, your not the kind of idiot that just assumes are you? I'm sure your smart enough to that if a product does not disclose vulnerabilities that does not mean it is more secure than a product which does, right? You understand the absence of responsible dis

Re:

[Zero__Kelvin]

The presence of significantly less vulnerabilities proves significantly less vulnerabilities. The fact that you think that there is more visibility when Microsoft reluctantly acknowledges the occasional vulnerability, when the Linux kernel is developed transparently where every single person on the planet is free to view all knowledge anyone has regarding said vulnerabilities speaks volumes.

You also don't seem to get that the people who need to know, the people who create distributions, already know about

Re:

[metrix007]

I was right. You have extreme blinders on guy.

The linux devs don't openly disclose security bugs. They have said as much, giving the appalling reason they don't want them to take precedence, as they should.

I know this is hard for you to follow, but given the Linux devs attitude, we don't actually know that there are less vulnerabilities. If anything, Linux appears to have far more vulnerabilities than a given release of Windows. Of course, your ignorance and zealotry won't let you realize that.

Let's look at

Re:

[Zero__Kelvin]

How many different ways can I say it. There is 100% disclosure with the Linux kernel all the time, Microsoft continues to be insecure and always will be, they specifically state that they are not going to fix security holes on a regular basis, and all bugs are equally important because every bug is critical. Oh yes, and I forgot ... you are either a troll or a clueless moron.

Now you can either respond to this with more ridiculous claims that completely misrepresent everything I say and the facts and then

Re:

[LO0G]

There is 100% disclosure only if you audit every single change to the kernel to determine if the fix is a fix for a security vulnerability or not.

Don't forget that applying a bug fix has a level of risk associated with it - every bug fix has the potential for regressing some mission critical functionality. The OS vendor attempts to ensure that nothing is broken by the patch, but it *does* happen.

As a customer deciding to take a patch, I need to assess if the risk associated with taking the patch is greater

Re:

[Zero__Kelvin]

"The Linux approach moves the responsibility for determining if a bug is a security bug from the developer (who best knows the code and potential consequences of a bug) to the end-user. "

That is a ridiculous statement, and cuts to the core your lack of understanding of the model. You've heard of Red Hat, right? The "end user the responsibility is pushed off on" is them, and other distribution teams. They are qualified to know, and work directly with the kernel developers, what with them employing many of

Re:

[metrix007]

You're an idiot. Note, I'm not dismissing your argument because I believe you to be an idiot, just noting that you appear to be an idiot as a consequence.

There is NOT 100% disclosure with Linux. That, put simply, is bullshit.

What they actually state [kerneltrap.org] is that disclosure of security bugs should be mostly avoided so they can treat bugs as they want to, without being pressured by an exploit. No where do they state that all bugs are treated equally. So, here we have bugs that allow to compromise not being disclos

No English Mutch ?

[Zero__Kelvin]

"You're an idiot."

Right, I'm the idiot:

"No where do they state"

Yes, in the LKML do they state it. ROTFLMAO

"Also, you have to stop with the Linux is more secure because of the many eyes bullshit."

I'm more of a "Linux is more secure because it is more secure" kind of guy.

Also, it has come to my attention that you are a known troll [slashdot.org] on Slashdot, so Plonk

Re:

[metrix007]

Am I surprised that you ignore evidence that hurts your worldview, and submit an insult from an AC as evidence that I am a troll, despite the fact I have excellent karma?

No, no I am not. Zealotry FTW.

Also two other things to note

[Sycraft-fu]

One is that they say "This attack assumes the existence of exploitable memory corruption vulnerability." As in this isn't something that actually works, it presumes you've already found an exploit. However I will grant them that is the kind of thing protected mode should help defend against (not stopping the bug from happening, but that it can't be used to do much).

However the bigger one is that it allows you to gain normal user privileges. You can break out of the low privilege for the app (that's what protected mode is, running at a lower privilege level than the user who ran it) in to the regular user, NOT an administrator. Thus what it does is make IE the same as every other browser, which do not make use of Mandatory Integrity Control. If you find an exploit in Firefox (and don't say there haven't been any, look at their patch history) or Chrome or whatever you are already at user privilege level since they do not use MIC to run at a lower level. This does not give admin privileges unless the user has either turned off UAC and logged in as an admin or run the browser with admin privileges.

So does it need to be fixed? For sure, and I'm sure it will be. However it is not an "OMG do this and you get admin through IE!" thing. It is "Supposing a proper kind of exploit is found in IE, which has not been done yet, you could use it to gain regular user access on a system instead of reduced access."

Also I'm not sure where you thing about "letting security fixes ripen" comes from. As far as I can tell this is a new paper. If you think they should have a fix out for something that was just announced, well then you've not done a lot of programming at least not on major projects. First off they have to figure out HOW to fix it. This isn't always simple. From reading the white paper it isn't just a case of "There's a buffer overflow," or something like that which is pretty simple. They may need to do some more significant changes. So once that is done you have to implement them, and then do a lot of testing. People get extremely whiny if a Windows update breaks something. They even whine about it when the reason somethign broke was that they had malware on their system. So MS has to do a massive set of testing to make sure it works with all sorts of hardware, drivers, apps, and so on.

I'm not saying MS is as fast as they should be with patches but the "PATCH NEXT DAY!" crowd needs to chill and realize the level of testing that is necessary.

Parts of Chrome run with low integrity

[Sits]

The chromium sandbox design documents [chromium.org] discuss how on Windows Vista and later different parts of the browser run with low integrity mode like IE 7+.

Re:

[metrix007]

That would be Safari.

Re:

[vistapwns]

Probably my post. Anyway, you can (and I have for a while) just enable Protected Mode in the intranet and trusted zones to defeat this 'bypass'. Even without that, the malware has to bypass ASLR, DEP, SEHOP, GS, and possibly several other things. But even so, what's your point? These are the same protections unix OSes have. If Windows is insecure while using them, then so is unix. (and supposively Windows ASLR, for instance, is a lot more secure than Mac OS X's.)

Re:

[vistapwns]

Total nonsense, you are going to need every security bell and whistle in unix and people are going to be trying to break through it on unix as well. And the security will not be exactly the same, but it's more or less equivalent on both unix and Windows. Saying things like DEP provides more protection on unix than Windows is hogwash, in some specific circumstances they will be different but unless there's some evidence to show otherwise, it's probably insignficant and could go either way (more secure in W

regarding the plural of "virus"

[Onymous Coward]

• "Viruses" is correct. It's what you should use if you're not trying to be wrong or silly (or both).
• "Viri" is bad Latin -- there is no record of virus being pluralized. It's like saying "many poison".
• "Virii" is right out. (Plural of "virius"?) But feel free to use it because it's so obviously wrong folks will (mostly) assume it's ironic, like lolspeak.

(more detail [slashdot.org])

"mai kumpootur haz mutch virii!"

Wasn't sure whether you knew. Just posting this as a PSA.

Re:

[perryizgr8]

the plural of virus is anything a person wants it to be, as long as the meaning is unambiguously conveyed. i understand that language should be 'correct', but the underlying reason behind this is that everyone should be able to properly infer meaning. if a reader/listener can infer meaning, it should not matter if the language breaks any spelling/grammar conventions.

embracing and extending English considered harmful

[Onymous Coward]

I'm pretty sure it's better not to let language rot through poor grammar. So, please keep the protocol from being corrupted or unnecessarily fragmented. The more inaccurate languages get the more heat loss humanity suffers.

Maybe you don't think it matters much. Well, okay. But for those who think correctness and standards compliance are good, the correct plural of virus is offered.

Re:

[interval1066]

I think I should have been modded up just for the sheer number of tangential replies I've received.

Re:

[metrix007]

That ain't how it works kiddo. Early posts always get the most replies.

Re:

[icebike]

The surprising part is that Verizon employees found this. They can't find my cell phone half the time, but they got time to find Microsoft bugs?

Re:

[tenex]

This thread might be a bit off topic, but my guess is that the Verizon employees reckon that finding a Microsoft bug is far easier than locating your cell phone transmission even when its being directed straight into one of their towers.

Why bother?

[Anonymous Coward]

Seriously, protected mode does nothing more than throw a UAC "Are you sure you want to do this?" prompt at the user, which nearly all of the users I know would click right past. Unlike UAC, you can't configure it to ask for an administrator username and password, or even configure it to never allow changing integrity levels.

It was already easily bypassed anyway, by design. Showing a vague warning to a non-savvy user and hoping they don't click OK isn't security.

Re:

[Anonymous Coward]

Seriously, protected mode does nothing more than throw a UAC "Are you sure you want to do this?" prompt at the user

Completely incorrect; you may want to read up on what protected mode in IE is (and what a "low integrity process" is on Vista and later. It really doesn't have anything to do with UAC.

Re:

[Anonymous Coward]

(Not the GP.) This behavior was apparently changed in a recent W7 patch. You used to be able to launch low-IL processes via runas /trustlevel 0x10000 ... and the process would show the UAC prompt when attempting to access restricted file locations. Now the process just silently fails.

Re:

[man_of_mr_e]

Actually, that's not what protected mode is. Nothing like it in fact.

Protected mode runs the browser at the bare minimum privilege level, and only allows the browser to interact with the browsers cache files. When a user loads a page or performs a download, the file is downloaded to the temporary internet files. Then, a new process with higher privleges is launched to copy the downloaded file to the users chosen location.

What you're referring to is the simple act of adding metadata to the downloaded file

Re:

[Anonymous Coward]

Actually, that's not what protected mode is. Nothing like it in fact.

Protected mode runs the browser at the bare minimum privilege level, and only allows the browser to interact with the browsers cache files. When a user loads a page or performs a download, the file is downloaded to the temporary internet files. Then, a new process with higher privleges is launched to copy the downloaded file to the users chosen location.

What you're referring to is the simple act of adding metadata to the downloaded file to let the OS know that the file was downloaded from the internet, that's what puts up the UAC like dialog, but there are no lower permissions associated with that.

So it would help if you actually understood what it was you were commenting on before being such a jack ass.

When traversing integrity levels, Protected Mode prompts the user, just like the OP said.

I suggest some reading before you post too much more on this topic: http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Note what happens when switching to Medium Integrity Level. There's even a screenshot of the dialog the OP was complaining about.

Re:

[vistapwns]

Loading programs at higher integrity levels can be disabled completely (vs. the default prompt that you say people 'cick through'), it's in internet options->security->custom level->allow applications and unsafe files to be run. Set to disabled. Assuming you are actually talking about the integrity level aspect, and not the download metadata as someone else supposed.

Oh great.

[jack2000]

How do i know that pdf isn't maliciously crafted to infect my system.
Html and css people, it's what is made for presentation of content on multiple systems. Why don't you use those tags and specify different styles for display,print and what-have-you

Re:Oh great.

[TheLink]

How do i know that pdf isn't maliciously crafted to infect my system. Html and css people, it's what is made for presentation of content on multiple systems.

HTML and CSS is for the "Researchers exploit PDF reader" report.
PDF is for the "Researchers exploit browser" report. :).

Re:

[postbigbang]

Actually, that's what I thought, too. What an amusement that might be: get the download on a crack, whilst being cracked. I know a few jokers that would do just that and laugh their butts off at the list succumbing to the hack, in between rounds of WoW.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Meshach]

Hackers go after more popular systems because that way they can infect exponentially more machines. The trouble is that every software manufacture want to be big enough and have enough market capitalization; no one is happy being the small fish. Any good piece of software is going to get more market capitalization and eventually get attacked. Ones that never get attacked are either niche markets or not very good.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bunratty]

That's why I use GNU Savannah [gnu.org] for all my services. Oh, wait...

Re:

[account_deleted]

Comment removed based on user account deletion

The trouble with sandboxes

[tryone]

Have you ever looked at a real life sandbox, that kids have been playing in? Notice how there's sand scattered all over the surrounding ground up to six feet away from the box? That's Microsoft's security model right there.

Re:The trouble with sandboxes

[Penguinisto]

Question: Would that be before or after the neighborhood cats discover it?

Re:

[tryone]

Guess this sandbox is vulnerable to drive-by downloads.

A PDF?

[fluffy99]

Like I'm really going to open up an untrusted PDF file. In other news "Virus destroys computers, open up attached exe for demonstration...."

Untrusted for you; trusted for most

[Zero__Kelvin]

"Like I'm really going to open up an untrusted PDF file."

The keyword is trust. While you are free to be so paranoid that you don't trust Verizon's researchers, most of us have a realistic trust model, and consider it to be a trusted resource.

window lol

[thetoadwarrior]

Does anyone honestly trust IE these days?

Re:

[camperdave]

I do! There's no better vector for malware delivery than IE.

Re:

[thewils]

Sheeit man, I use it all the time, unless of course I'm on my own computer.

Re:

[vistapwns]

It doesn't give admin access. It's still better than Firefox, since firefox doesn't have a sandbox at all. And you can disable this bypass easily by enabling protected mode in the intranet and trusted zones. Another clueless reply on slashdot about Windows security, "color me shocked."

Re:

[vistapwns]

Enable protected mode in trusted and intranet zones if you are concerned about it. But I'm guessing you're less interested in a solution, than just whining about the problem.

Re:

[cyber-vandal]

I'll try that at work but if it breaks any of my intranet applications I'm coming after you with a sharpened Vista DVD.

No changes for the average user

[Bloem]

No worries for the average user. Most people I talk to aren't even aware that there was a sandbox-option that could be used. So it's a hole in a door that nobody knew was there. Kinda philosophical: "If a sandbox was cracked that no-one knew existed, is it really cracked".

Re:

[tgd]

Protected mode is the default.

I doubt 99% of people using Windows Vista or 7 with IE would have the first idea how to shut it off.

Re:

[sparkler99]

not 99% some people need to keep the crappy browser on there pc for capability reasons and does protected mode work anyway as i use firefox 4 beta9 instead so don't know