Risk
6/8/2010
03:07 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Patches IE Flaw Used In Attack That Bypassed Its Built-In Security Controls

Winning 'Pwn2Own' flaw was memory corruption bug, its patch among 10 released by Microsoft today

Among the 10 patches fixing 34 vulnerabilities that were released today by Microsoft is one that repairs a major hole in Internet Explorer that was used to help bypass the built-in security features in Windows 7 and Internet Explorer 8.

The memory corruption flaw, which was discovered and used by a Dutch researcher to win $10,000 in the March Pwn2Own hacking contest at the CanSecWest conference, was exploited along with another stage of attack on IE 8 to bypass Microsoft's much-lauded anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Peter Vreugdenhil, the researcher who discovered the bug, didn't reveal the actual vulnerability he exploited in his hack, so Microsoft's MS10-035 security update today was the first time the nature of the flaw was made public: The memory corruption vulnerability could allow an attacker to take over the victim's machine due to the way IE tries to access incorrectly initialized memory. That memory can be corrupted by an attacker such that he can execute code on the logged-on user's machine.

Aaron Portnoy, manager of security research for HP TippingPoint, which sponsors the Pwn2Own contest, says this bug was at the heart of the Pwn2Own hack. "This was the crux of actually exploiting something -- this is the one that triggers memory corruption in IE," Portnoy says. "The other [part of the attack] was more for bypassing ASLR and DEP."

While Vreugdenhil wasn't the first researcher to crack Microsoft's DEP and ASLR, his widely publicized hack placed potential weaknesses in DES and ASLR in the spotlight, and security experts say it basically opened the floodgates for finding other ways to beat the anti-exploit features. Prior to his work, Core Security Technologies disclosed a flaw in the Microsoft Virtual PC hypervisor's memory management that can be used by an attacker to cheat DEP and ASLR. Microsoft, however, has maintained that it's not a new vulnerability, but that the exploit takes advantage of existing vulnerabilities. VUPEN Security earlier this year said it was able to bypass DEP on IE 8 and execute arbitrary code.

DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.

Dan Kaminsky, director of penetration testing for IOActive, says memory corruption flaws, if exploited, mean "ownage."

"At the end of the day, memory corruption leads to system compromise, period," Kaminsky says. "That doesn't mean it's not worth it to try to make it more difficult to exploit corrupted memory: ASLR and DEP have raised the bar on what it takes to exploit memory corruption ... Locking down memory is a useful temporary mitigation," but there's no way to altogether eliminate these types of flaws and attacks, he says.

Kaminsky and other security experts say that despite the bypass hacks, ASLR and DEP remain valuable for browser security.

"The fact that Peter was able to bypass these for this particular exploit doesn't mean his method will apply to all vulnerabilities," says HD Moore, chief security officer and Metasploit chief architect at Rapid7. "The reason we hear about cases where it is possible to bypass these mitigations is that nobody cares about the dozens of other cases where it was not possible."

These exploit-mitigation methods always struggle when it comes to client-side applications, Moore says. The Google Chrome browser's sandbox is one method that seems to be effective here: "The Chrome approach plans for failure and tries to limit the impact of a successful attack. The low-privilege mode in Internet Explorer is similar, but doesn't go nearly far enough," Moore says. "The key difference is that with Chrome, each website runs in its own isolated process, so a successful compromise is not able to read data stored by another site, which is not the case with the low-privilege mode of IE -- even in a separate process, websites share the same limited user account."

Moore says that as more critical information gets stored in the browser, the more they need to isolate individual websites. "More work should be done to prevent a compromise initiated from one site being able to access the data of another," he says.

The good news is that additional layers of security for the browser can sufficiently prevent an exploit from being exploitable in the real world. "Each of these is just another layer to add to the mix -- what we have seen so far is that the requirements to bypass SEHOP, DEP, ASLR, and even basic stack protection are sometimes enough to make the exploit unreliable, or even impossible, in a real-world environment," Moore says. "There will always be exceptions to the rule, but the overall trend is that typical memory corruption exploits will only become harder as we move forward."

TippingPoint's Portnoy describes ASLR and DEP as exploit hurdles: "They are just another hurdle you need to jump through when you write an exploit. They are helpful in stopping [less] complex exploits," he says.

Meanwhile, the newly patched memory corruption bug used in the Pwn2Own contest is basically a standard, JavaScript-type vulnerability, he says. "It's not specific to IE. It's about object reuse and 'use-after-free' types of vulnerabilities," he says.

Microsoft provides details about all of its patches released today in this blog post.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.