03:07 PM
Connect Directly

Microsoft Patches IE Flaw Used In Attack That Bypassed Its Built-In Security Controls

Winning 'Pwn2Own' flaw was memory corruption bug, its patch among 10 released by Microsoft today

Among the 10 patches fixing 34 vulnerabilities that were released today by Microsoft is one that repairs a major hole in Internet Explorer that was used to help bypass the built-in security features in Windows 7 and Internet Explorer 8.

The memory corruption flaw, which was discovered and used by a Dutch researcher to win $10,000 in the March Pwn2Own hacking contest at the CanSecWest conference, was exploited along with another stage of attack on IE 8 to bypass Microsoft's much-lauded anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Peter Vreugdenhil, the researcher who discovered the bug, didn't reveal the actual vulnerability he exploited in his hack, so Microsoft's MS10-035 security update today was the first time the nature of the flaw was made public: The memory corruption vulnerability could allow an attacker to take over the victim's machine due to the way IE tries to access incorrectly initialized memory. That memory can be corrupted by an attacker such that he can execute code on the logged-on user's machine.

Aaron Portnoy, manager of security research for HP TippingPoint, which sponsors the Pwn2Own contest, says this bug was at the heart of the Pwn2Own hack. "This was the crux of actually exploiting something -- this is the one that triggers memory corruption in IE," Portnoy says. "The other [part of the attack] was more for bypassing ASLR and DEP."

While Vreugdenhil wasn't the first researcher to crack Microsoft's DEP and ASLR, his widely publicized hack placed potential weaknesses in DES and ASLR in the spotlight, and security experts say it basically opened the floodgates for finding other ways to beat the anti-exploit features. Prior to his work, Core Security Technologies disclosed a flaw in the Microsoft Virtual PC hypervisor's memory management that can be used by an attacker to cheat DEP and ASLR. Microsoft, however, has maintained that it's not a new vulnerability, but that the exploit takes advantage of existing vulnerabilities. VUPEN Security earlier this year said it was able to bypass DEP on IE 8 and execute arbitrary code.

DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.

Dan Kaminsky, director of penetration testing for IOActive, says memory corruption flaws, if exploited, mean "ownage."

"At the end of the day, memory corruption leads to system compromise, period," Kaminsky says. "That doesn't mean it's not worth it to try to make it more difficult to exploit corrupted memory: ASLR and DEP have raised the bar on what it takes to exploit memory corruption ... Locking down memory is a useful temporary mitigation," but there's no way to altogether eliminate these types of flaws and attacks, he says.

Kaminsky and other security experts say that despite the bypass hacks, ASLR and DEP remain valuable for browser security.

"The fact that Peter was able to bypass these for this particular exploit doesn't mean his method will apply to all vulnerabilities," says HD Moore, chief security officer and Metasploit chief architect at Rapid7. "The reason we hear about cases where it is possible to bypass these mitigations is that nobody cares about the dozens of other cases where it was not possible."

These exploit-mitigation methods always struggle when it comes to client-side applications, Moore says. The Google Chrome browser's sandbox is one method that seems to be effective here: "The Chrome approach plans for failure and tries to limit the impact of a successful attack. The low-privilege mode in Internet Explorer is similar, but doesn't go nearly far enough," Moore says. "The key difference is that with Chrome, each website runs in its own isolated process, so a successful compromise is not able to read data stored by another site, which is not the case with the low-privilege mode of IE -- even in a separate process, websites share the same limited user account."

Moore says that as more critical information gets stored in the browser, the more they need to isolate individual websites. "More work should be done to prevent a compromise initiated from one site being able to access the data of another," he says.

The good news is that additional layers of security for the browser can sufficiently prevent an exploit from being exploitable in the real world. "Each of these is just another layer to add to the mix -- what we have seen so far is that the requirements to bypass SEHOP, DEP, ASLR, and even basic stack protection are sometimes enough to make the exploit unreliable, or even impossible, in a real-world environment," Moore says. "There will always be exceptions to the rule, but the overall trend is that typical memory corruption exploits will only become harder as we move forward."

TippingPoint's Portnoy describes ASLR and DEP as exploit hurdles: "They are just another hurdle you need to jump through when you write an exploit. They are helpful in stopping [less] complex exploits," he says.

Meanwhile, the newly patched memory corruption bug used in the Pwn2Own contest is basically a standard, JavaScript-type vulnerability, he says. "It's not specific to IE. It's about object reuse and 'use-after-free' types of vulnerabilities," he says.

Microsoft provides details about all of its patches released today in this blog post.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.