Long the bane of the security industry, browser exploits just keep getting more dangerous as techniques grow more refined to get the most leverage from browser and browser extension flaws. According to speakers lined up for a lively panel session at Black Hat USA this week, achieving the highest levels of system privileges from a simple browser vulnerability has pretty much become de rigueur for attacks these days.
In a run-down of the exploits that took prizes in this year's Pwn2Own competition, members of the Zero Day Initiative (ZDI) program at Trend Micro are going to offer a number of observations about the techniques and methods behind this year's winning attacks. Among them is the key takeaway that attacks these days are going to increasingly go for the jugular -- namely achieving root privileges on the machine.
According to Matt Molinyawe, a vulnerability analyst and exploit developer for ZDI, this was the first time in Pwn2Own that every single winning submission in the competition was able to execute code to the highest privilege possible. That's across a pool of researchers who won a total of $460,000 for 21 discovered flaws.
"In previous contests, having a userland vulnerability, achieve code execution, and then escalating to the highest privileged user was a very, very rare thing," says Molinyawe, who will speak on the the Black Hat panel called $hell on Earth: From Browser to System Compromise.
While there were some browser exploits that escalated to from browser to root rather quickly, including one in OSX that manipulated a sudo command, Molinyawe and his colleagues say that improvements in browser security over the last few years is making researchers--and, consequently, attackers--work harder to develop browser exploits. Whereas many Pwn2Own submissions were often found over the course of a weekend, researchers now need to spend significantly more time perfecting their attacks.
"There’s multiple bugs now that have to be utilized in order to get these levels of execution. Back in the day, you could drop a font bug on somebody that’s through the browser and all of a sudden you're in the kernel. Nowadays, there’s multiple stages and multiple exploits occurring just to achieve the same level of execution," says Josh Smith, a senior vulnerability researcher for ZDI, also speaking on the Black Hat panel. "It shows that things are getting harder and that a lot of these defenses are having an impact."
However, the way attack techniques have shifted shows that while effective, certain defense mechanisms can't be counted on as final solutions to the browser problem. For example, now that many sandbox protections for browsers have improved, the competition no longer sees easy sandbox escapes and vulnerabilities playing a hand in browser attack scenarios--instead, researchers have shifted their sights to kernel vulnerabilities.
"It seemed like the sandbox, which is a great innovation, hasn’t necessarily slowed that many people down--it is almost just a speed bump in reality. They've moved on to other attack surfaces—for instance, the portions of the kernel that they can reach from within the sandbox, But they have not had a problem making that pivot, if that pivot was necessary," Smith says.
The point is to always remember that "attackers will ultimately go for the weakest link," says Jasiel Spellman, vulnerability analyst and exploit developer for ZDI. They key for security ops is to remember that they need to take a well-rounded approach rather than looking for silver bullets.