6/8/2010
03:07 PM

Microsoft Patches IE Flaw Used In Attack That Bypassed Its Built-In Security Controls

Winning 'Pwn2Own' flaw was memory corruption bug, its patch among 10 released by Microsoft today

Among the 10 patches fixing 34 vulnerabilities that were released today by Microsoft is one that repairs a major hole in Internet Explorer that was used to help bypass the built-in security features in Windows 7 and Internet Explorer 8.

The memory corruption flaw, which was discovered and used by a Dutch researcher to win $10,000 in the March Pwn2Own hacking contest at the CanSecWest conference, was exploited along with another stage of attack on IE 8 to bypass Microsoft's much-lauded anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Peter Vreugdenhil, the researcher who discovered the bug, didn't reveal the actual vulnerability he exploited in his hack, so Microsoft's MS10-035 security update today was the first time the nature of the flaw was made public: The memory corruption vulnerability could allow an attacker to take over the victim's machine due to the way IE tries to access incorrectly initialized memory. That memory can be corrupted by an attacker such that he can execute code on the logged-on user's machine.

Aaron Portnoy, manager of security research for HP TippingPoint, which sponsors the Pwn2Own contest, says this bug was at the heart of the Pwn2Own hack. "This was the crux of actually exploiting something -- this is the one that triggers memory corruption in IE," Portnoy says. "The other [part of the attack] was more for bypassing ASLR and DEP."

While Vreugdenhil wasn't the first researcher to crack Microsoft's DEP and ASLR, his widely publicized hack placed potential weaknesses in DEP and ASLR in the spotlight, and security experts say it basically opened the floodgates for finding other ways to beat the anti-exploit features. Prior to his work, Core Security Technologies disclosed a flaw in the Microsoft Virtual PC hypervisor's memory management that can be used by an attacker to cheat DEP and ASLR. Microsoft, however, has maintained that it's not a new vulnerability, but that the exploit takes advantage of existing vulnerabilities. VUPEN Security earlier this year said it was able to bypass DEP on IE 8 and execute arbitrary code.

DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.

Dan Kaminsky, director of penetration testing for IOActive, says memory corruption flaws, if exploited, mean "ownage."

"At the end of the day, memory corruption leads to system compromise, period," Kaminsky says. "That doesn't mean it's not worth it to try to make it more difficult to exploit corrupted memory: ASLR and DEP have raised the bar on what it takes to exploit memory corruption ... Locking down memory is a useful temporary mitigation," but there's no way to altogether eliminate these types of flaws and attacks, he says.

Kaminsky and other security experts say that despite the bypass hacks, ASLR and DEP remain valuable for browser security.

"The fact that Peter was able to bypass these for this particular exploit doesn't mean his method will apply to all vulnerabilities," says HD Moore, chief security officer and Metasploit chief architect at Rapid7. "The reason we hear about cases where it is possible to bypass these mitigations is that nobody cares about the dozens of other cases where it was not possible."

These exploit-mitigation methods always struggle when it comes to client-side applications, Moore says. The Google Chrome browser's sandbox is one method that seems to be effective here: "The Chrome approach plans for failure and tries to limit the impact of a successful attack. The low-privilege mode in Internet Explorer is similar, but doesn't go nearly far enough," Moore says. "The key difference is that with Chrome, each website runs in its own isolated process, so a successful compromise is not able to read data stored by another site, which is not the case with the low-privilege mode of IE -- even in a separate process, websites share the same limited user account."

Moore says that as more critical information gets stored in the browser, the more they need to isolate individual websites. "More work should be done to prevent a compromise initiated from one site being able to access the data of another," he says.

The good news is that additional layers of security for the browser can be enough to keep a vulnerability from being exploitable in the real world. "Each of these is just another layer to add to the mix -- what we have seen so far is that the requirements to bypass SEHOP, DEP, ASLR, and even basic stack protection are sometimes enough to make the exploit unreliable, or even impossible, in a real-world environment," Moore says. "There will always be exceptions to the rule, but the overall trend is that typical memory corruption exploits will only become harder as we move forward."

TippingPoint's Portnoy describes ASLR and DEP as exploit hurdles: "They are just another hurdle you need to jump through when you write an exploit. They are helpful in stopping [less] complex exploits," he says.

Meanwhile, the newly patched memory corruption bug used in the Pwn2Own contest is basically a standard, JavaScript-type vulnerability, he says. "It's not specific to IE. It's about object reuse and 'use-after-free' types of vulnerabilities," he says.

Microsoft provides details about all of its patches released today in this blog post.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
