Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Researchers Remotely Defeat IE Protected Mode

Attackers can bypass the Microsoft browser's sandbox and install persistent malware, according to researchers at Verizon Business.

Microsoft Internet Explorer 9 Beta Revealed
Slideshow: Microsoft Internet Explorer 9 Beta Revealed
(click image for larger view and for full slideshow)
A previously undisclosed vulnerability allows attackers to bypass Protected Mode on both Internet Explorer 7 and 8. The flaw was discovered by researchers at managed services firm Verizon Business, which is part of Verizon Communications.

The related attack works by escalating the browser's privilege level from low to medium integrity. "Once the initial, remote exploit has been used to execute arbitrary code at low integrity on the client, the payload can create a web server listening on any port on the loopback interface," according to the Verizon Business researchers. This web server then serves an attack locally, which the browser typically grants medium integrity, because it's being rendered in the Local Intranet Zone. At that point, repeating the attack can introduce persistent malware, because the medium-integrity setting allows for code to persist.

Since Internet Explorer 7 and Windows Vista -- which added User Account Control (UAC) -- Microsoft has offered a Protected Mode for IE, meant to stop these types of attacks. Furthermore, this mode, which is activated by default for all non-local browsing, has been pitched by Microsoft as a last-ditch defense for ensuring that even if malicious code compromises IE, Protected Mode will prevent the code from being able to persist or do much damage.

Except that according to the new report, Protected Mode doesn't appear to be doing that.

According to the Verizon Business researchers, this begs the question of how much protection Protected Mode is really supposed to do. "The fact that a single exploit can be used for both the remote exploit and local privilege escalation is central to why this is a significant issue," they said in their related report, "Escaping from Microsoft's Protected Mode Internet Explorer." The report says, "features such as Protected Mode can only be effective if they either significantly raise the cost of an attack, or reduce the probability of a successful attack." But this feature doesn't appear to do either very reliably.

Even so, Verizon Business researchers said that Protected Mode is helpful, since "currently, most malicious code that runs at low integrity will likely fail to persist across reboots, since it will not be aware that it is running at low integrity." For example, they said, the Metasploit Framework, an open source penetration testing toolkit with the world's largest database of publicly tested exploits, is mostly not aware of integrity level.

But the Verizon Business researchers called on vendors such as Microsoft to separate their products' security features and functionality from marketing hype. "Microsoft and other software vendors should clearly document which features do and do not have associated security claims. Clearly stating which features make security claims, and which do not, will allow informed decisions to be made on IT security issues. This will benefit vendors, customers and even security researchers."

For Further Reading

Internet Explorer Vulnerable To Browser History Hijacking

Microsoft Issues Zero-Day IE Warning

UniBrows Adds Security To Internet Explorer 6 Apps

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.