Microsoft Patches IE Flaw Used In Attack That Bypassed Its Built-In Security Controls
Winning 'Pwn2Own' flaw was memory corruption bug, its patch among 10 released by Microsoft today
Among the 10 patches fixing 34 vulnerabilities that were released today by Microsoft is one that repairs a major hole in Internet Explorer that was used to help bypass the built-in security features in Windows 7 and Internet Explorer 8.
The memory corruption flaw, which was discovered and used by a Dutch researcher to win $10,000 in the March Pwn2Own hacking contest at the CanSecWest conference, was exploited along with another stage of attack on IE 8 to bypass Microsoft's much-lauded anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Peter Vreugdenhil, the researcher who discovered the bug, didn't reveal the actual vulnerability he exploited in his hack, so Microsoft's MS10-035 security update today was the first time the nature of the flaw was made public: The memory corruption vulnerability could allow an attacker to take over the victim's machine due to the way IE tries to access incorrectly initialized memory. That memory can be corrupted by an attacker such that he can execute code on the logged-on user's machine.
Aaron Portnoy, manager of security research for HP TippingPoint, which sponsors the Pwn2Own contest, says this bug was at the heart of the Pwn2Own hack. "This was the crux of actually exploiting something -- this is the one that triggers memory corruption in IE," Portnoy says. "The other [part of the attack] was more for bypassing ASLR and DEP."
While Vreugdenhil wasn't the first researcher to crack Microsoft's DEP and ASLR, his widely publicized hack placed potential weaknesses in DES and ASLR in the spotlight, and security experts say it basically opened the floodgates for finding other ways to beat the anti-exploit features. Prior to his work, Core Security Technologies disclosed a flaw in the Microsoft Virtual PC hypervisor's memory management that can be used by an attacker to cheat DEP and ASLR. Microsoft, however, has maintained that it's not a new vulnerability, but that the exploit takes advantage of existing vulnerabilities. VUPEN Security earlier this year said it was able to bypass DEP on IE 8 and execute arbitrary code.
DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.
Dan Kaminsky, director of penetration testing for IOActive, says memory corruption flaws, if exploited, mean "ownage."
"At the end of the day, memory corruption leads to system compromise, period," Kaminsky says. "That doesn't mean it's not worth it to try to make it more difficult to exploit corrupted memory: ASLR and DEP have raised the bar on what it takes to exploit memory corruption ... Locking down memory is a useful temporary mitigation," but there's no way to altogether eliminate these types of flaws and attacks, he says.
Kaminsky and other security experts say that despite the bypass hacks, ASLR and DEP remain valuable for browser security.
"The fact that Peter was able to bypass these for this particular exploit doesn't mean his method will apply to all vulnerabilities," says HD Moore, chief security officer and Metasploit chief architect at Rapid7. "The reason we hear about cases where it is possible to bypass these mitigations is that nobody cares about the dozens of other cases where it was not possible."
These exploit-mitigation methods always struggle when it comes to client-side applications, Moore says. The Google Chrome browser's sandbox is one method that seems to be effective here: "The Chrome approach plans for failure and tries to limit the impact of a successful attack. The low-privilege mode in Internet Explorer is similar, but doesn't go nearly far enough," Moore says. "The key difference is that with Chrome, each website runs in its own isolated process, so a successful compromise is not able to read data stored by another site, which is not the case with the low-privilege mode of IE -- even in a separate process, websites share the same limited user account."
Moore says that as more critical information gets stored in the browser, the more they need to isolate individual websites. "More work should be done to prevent a compromise initiated from one site being able to access the data of another," he says.
The good news is that additional layers of security for the browser can sufficiently prevent an exploit from being exploitable in the real world. "Each of these is just another layer to add to the mix -- what we have seen so far is that the requirements to bypass SEHOP, DEP, ASLR, and even basic stack protection are sometimes enough to make the exploit unreliable, or even impossible, in a real-world environment," Moore says. "There will always be exceptions to the rule, but the overall trend is that typical memory corruption exploits will only become harder as we move forward."
TippingPoint's Portnoy describes ASLR and DEP as exploit hurdles: "They are just another hurdle you need to jump through when you write an exploit. They are helpful in stopping [less] complex exploits," he says.
Meanwhile, the newly patched memory corruption bug used in the Pwn2Own contest is basically a standard, JavaScript-type vulnerability, he says. "It's not specific to IE. It's about object reuse and 'use-after-free' types of vulnerabilities," he says.
Microsoft provides details about all of its patches released today in this blog post.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like