A fully patched version of Internet Explorer running on the most secure version of Windows yet was the second browser to fall at an annual hacker competition designed to test resistance of internet software to real-world attacks.
The attackers were able to take complete control of the underlying laptop by exploiting two previously unknown vulnerabilities in version 9 of the Microsoft browser running on Windows 7 SP 1. Like Tuesday's hacks on Google's Chrome browser, multiple vulnerabilities had be targeted in tandem to penetrate protections developers have added over the past few years, to harden their wares to sophisticated exploits.
Chief among the protections is what's known as a security sandbox. This funnels web content into a highly restricted perimeter condoned off from operating-system functions that carry out sensitive actions (such as modifying registry settings). The team from France-based Vupen Security was able to penetrate Chrome's sandbox on Wednesday. CEO Chaouki Bekrar said his group had enough zero-day attacks on hand to compromise all browsers subject to the Pwn2Own contest. In addition to IE and Chrome, the group included Apple, Safari, and Mozilla Firefox.
"What we want to show is there is no 100-percent security," he told Ars moments after unleashing code that remotely caused a high-end Asus laptop to open a calculator program. "So even if you have a fully updated system, you can still get your system compromised. "
The overall message? Security is an arms race being fought between attackers out to plant the kinds of sophisticated espionage malware used to spy on Google and dozens of other companies and the software companies trying to prevent such exploits. While defenses such as sandboxing, data execution (DEP), and address space layout randomization (ASLR) significantly raise the bar for such attacks, hackers inevitably find ways to work around them.
In Thursday's attack, the Vupen team used a heap overflow to bypass DEP and ASLR so they could run shell code in what's known as the low integrity level of the operating system. They combined stage one of their code with a separate attack that exploited a memory corruption vulnerability. That allowed a stage-two payload to break out of the sandbox. Bekrar said the attack surface exploited was "100-percent IE code" and it didn't involve any kernel code or third-party plugins. By contrast, he said, his team's attack that pierced Chrome's sandbox on Wednesday exploited code that's available in the "default installation" of the Google browser.
That and other clues provided from analysis of the exploit has led to speculation the bypass was achieved by exploiting Adobe Flash.
Closing Google's security advantage with Windows 8
All of that isn't to say all defenses are created equal. The sandbox fortifying IE, which is often referred to as Protected Mode, is easier to bypass than a similar protection in Google's browser according to Bekrar.
"Unfortunately for Microsoft, it's easier to escape the sandbox in IE than escape the sandbox in Chrome," he said while within earshot of several senior Microsoft security managers. "The IE sandbox is less restrictive and has many memory corruptions, which is not the case with the Google chrome sandbox."
Bekrar quickly added that Protected Mode in the beta version of IE 10 running on Windows 8 is close to gaining parity with the current Chrome sandbox. Among the improvements is a mitigation blocking attacks that exploit a class of vulnerabilities known as use after free bugs.
The new sandbox also expands ASLR to more locations, making it hard for attackers trying to exploit a vulnerability to know where in memory their malicious payload will be loaded. Currently, ASLR can often be defeated by exploiting memory corruption bugs. Additional protections such as those preventing attacks on null pointer dereferencing are being extended from user mode to include the OS kernel as well.
"The (new) protected mode is much more secure, much more restrictive," Bekrar said. "IE 10 on Windows 8 will be a big challenge for us to create an exploit for it."
Senior Director of Microsoft Security Response Center Mike Reavey was onsite to watch the IE exploit and to listen to Bekrar compare the relative security of IE and Chrome. He said the comments were an affirmation of Microsoft's Secure Development Lifecycle, which aims to incorporate security into products at the earliest stage of their design.
"We know how we do the SDL, that we try to make our next version of our products more secure, version over version," he said. "What's great is to hear an external security researcher tell us that, to say outright it's a lot harder on the next version. "That's what we like to see and hear from researchers outside our company."
Listing image by Photograph by lazytechguys.zippykidcdn.com
reader comments
42