Researchers have found a chink in Internet Explorer’s ‘protected mode’ security armour that hints at trouble for other Windows apps built around the technology, including Google’s Chrome and Adobe’s new Reader X.
The principle behind Protected Mode is to limit the privileges of an application process, which first appeared with the advent of Explorer 7 on Vista. These are set by the OS for IE according to six Mandatory Integrity Control (MIC) levels, the lowest of which is applied to all apps running from untrusted zones such as the internet.
In a new paper, however, Verizon Business researchers document ways that an attacker could elevate the privileges of a process to zones where Protected Mode would not apply, such as the local intranet network (which uses UNC paths) or by spoofing the trusted sites list.
This leads to the possibility of a relatively simple attack in which malware executes as a low priority process which creates a virtual web server tied to a local software ‘loopback’ port. Although this process will also be shut out by protected mode, it would be able to point IE to a web address which appears to be in the Local Internet Zone.
By this point, the web page will be able to render at medium integrity, a potentially dangerous privilege escalation.
“By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode,” the authors note.
As the authors admit, the degree of protection offered by IE protected mode has always been ambiguous. Microsoft has made few direct claims for it, but has not downplayed its abilities either.
The weakness found by Verizon doesn’t directly affect other applications that use protected mode security, such as Adobe Reader X or Google Chrome, but it does show how such protection mechanisms will remain open to attack based on the fact that some elements of a system have to be trusted.
Adobe’s Reader X 'sandbox' was launched recently to overcome persistent and successful attacks using crafted PDF files opened with prior versions.
In reality, the need to attack IE and Reader X using clever and stealthy attacks is low given that so many users persist in using older and even more vulnerable versions of the software.