Risk
6/8/2010
03:07 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Patches IE Flaw Used In Attack That Bypassed Its Built-In Security Controls

Winning 'Pwn2Own' flaw was memory corruption bug, its patch among 10 released by Microsoft today

Among the 10 patches fixing 34 vulnerabilities that were released today by Microsoft is one that repairs a major hole in Internet Explorer that was used to help bypass the built-in security features in Windows 7 and Internet Explorer 8.

The memory corruption flaw, which was discovered and used by a Dutch researcher to win $10,000 in the March Pwn2Own hacking contest at the CanSecWest conference, was exploited along with another stage of attack on IE 8 to bypass Microsoft's much-lauded anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Peter Vreugdenhil, the researcher who discovered the bug, didn't reveal the actual vulnerability he exploited in his hack, so Microsoft's MS10-035 security update today was the first time the nature of the flaw was made public: The memory corruption vulnerability could allow an attacker to take over the victim's machine due to the way IE tries to access incorrectly initialized memory. That memory can be corrupted by an attacker such that he can execute code on the logged-on user's machine.

Aaron Portnoy, manager of security research for HP TippingPoint, which sponsors the Pwn2Own contest, says this bug was at the heart of the Pwn2Own hack. "This was the crux of actually exploiting something -- this is the one that triggers memory corruption in IE," Portnoy says. "The other [part of the attack] was more for bypassing ASLR and DEP."

While Vreugdenhil wasn't the first researcher to crack Microsoft's DEP and ASLR, his widely publicized hack placed potential weaknesses in DES and ASLR in the spotlight, and security experts say it basically opened the floodgates for finding other ways to beat the anti-exploit features. Prior to his work, Core Security Technologies disclosed a flaw in the Microsoft Virtual PC hypervisor's memory management that can be used by an attacker to cheat DEP and ASLR. Microsoft, however, has maintained that it's not a new vulnerability, but that the exploit takes advantage of existing vulnerabilities. VUPEN Security earlier this year said it was able to bypass DEP on IE 8 and execute arbitrary code.

DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.

Dan Kaminsky, director of penetration testing for IOActive, says memory corruption flaws, if exploited, mean "ownage."

"At the end of the day, memory corruption leads to system compromise, period," Kaminsky says. "That doesn't mean it's not worth it to try to make it more difficult to exploit corrupted memory: ASLR and DEP have raised the bar on what it takes to exploit memory corruption ... Locking down memory is a useful temporary mitigation," but there's no way to altogether eliminate these types of flaws and attacks, he says.

Kaminsky and other security experts say that despite the bypass hacks, ASLR and DEP remain valuable for browser security.

"The fact that Peter was able to bypass these for this particular exploit doesn't mean his method will apply to all vulnerabilities," says HD Moore, chief security officer and Metasploit chief architect at Rapid7. "The reason we hear about cases where it is possible to bypass these mitigations is that nobody cares about the dozens of other cases where it was not possible."

These exploit-mitigation methods always struggle when it comes to client-side applications, Moore says. The Google Chrome browser's sandbox is one method that seems to be effective here: "The Chrome approach plans for failure and tries to limit the impact of a successful attack. The low-privilege mode in Internet Explorer is similar, but doesn't go nearly far enough," Moore says. "The key difference is that with Chrome, each website runs in its own isolated process, so a successful compromise is not able to read data stored by another site, which is not the case with the low-privilege mode of IE -- even in a separate process, websites share the same limited user account."

Moore says that as more critical information gets stored in the browser, the more they need to isolate individual websites. "More work should be done to prevent a compromise initiated from one site being able to access the data of another," he says.

The good news is that additional layers of security for the browser can sufficiently prevent an exploit from being exploitable in the real world. "Each of these is just another layer to add to the mix -- what we have seen so far is that the requirements to bypass SEHOP, DEP, ASLR, and even basic stack protection are sometimes enough to make the exploit unreliable, or even impossible, in a real-world environment," Moore says. "There will always be exceptions to the rule, but the overall trend is that typical memory corruption exploits will only become harder as we move forward."

TippingPoint's Portnoy describes ASLR and DEP as exploit hurdles: "They are just another hurdle you need to jump through when you write an exploit. They are helpful in stopping [less] complex exploits," he says.

Meanwhile, the newly patched memory corruption bug used in the Pwn2Own contest is basically a standard, JavaScript-type vulnerability, he says. "It's not specific to IE. It's about object reuse and 'use-after-free' types of vulnerabilities," he says.

Microsoft provides details about all of its patches released today in this blog post.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.