Java runs with different integrity level in Internet Explorer vs. low integrity Firefox

Discussion in 'other security issues & news' started by MrBrian, Feb 18, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When Java is launched from Internet Explorer with Protected Mode on, the Java processes have medium integrity. When Java is launched from Firefox configured to run as low integrity, the Java processes have low integrity. Thus, Firefox may be safer from Java exploits than Internet Explorer.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which IE process makes the request? Parent or child? If it's parent... I wonder why?

    If it's the child process, then Java should inherit low integrity level.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I think it's because IE has been engineered to be able to launch some processes with medium integrity for the sake of compatibility. Running Java with low integrity causes Java applications that need to write to the local file system to not run properly.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It beats the purpose of protected mode/low integrity level, though. After all, Java is quite exploited by attackers.

    I don't use Java, so I truly cannot say much, but one way it could run is virtualized by the O.S, at the image of what happens with other applications, to avoid compatibility problems. IE does run virtualized... I wonder if this would have impact on Java, creating an additional boundary?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm wondering if the same happens with Chrome.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    If you can live without java - ditch it.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That was my thought too.

    From Attacking Interoperability - hxxp://dslrouter.sourceforge.net/stuff/HTB/D1T2%20-%20Mark%20Dowd%20-%20Attacking%20Interoperability.pdf .
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the paper in my last post, about Internet Explorer:
    I see a lot of Policy Value #3 entries in my registry.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tested Chrome; Java processes have medium integrity. Adobe Flash also has medium integrity.

    How to secure plugins in Chrome.
    Chromium's "safe-plugins" switch.

    From Chromium Sandbox FAQ:
     
    Last edited: Feb 19, 2011
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't know too much about IE8 - it's not my primary browser, but I was a bit surprised at how easy it is to find exploits that work against it, when I searched yesterday.

    WinXP SP3 IE8 at default settings:

    Here is a Java exploit-- the Java logo appeared briefly, then my firewall alerted to an outbound connection,
    and the alert blocking the executable:

    [​IMG]

    In all fairness, I don't think I have the latest Java program, but are you saying that IE should protect against Java exploits anyway?

    Below is the DLL POC -- here, the LNK file is on the Desktop and when IE8 browses there, the exploit is triggered, attempting to run the DLL:

    [​IMG]

    Should the user have to make other tweaks to have IE8 more secure?

    thanks,

    rich
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Medium integrity Java means Java isn't running in IE's sandbox, so I'm afraid not. It would be interesting to test to confirm...

    An IE user could perhaps manually make the Java processes run with low integrity with icacls or chml. I haven't tried this though.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    How exactly is this IE's fault? The same happens in Chrome as described above. Also, if flash can run fine on low, why can't java? I reckon for the same reason it needed 24 updates so far - poor coding.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If either of these run as low integrity, one can run into problems.

    I run Firefox as low integrity. I manually adjusted a folder so that Flash cookies can be written. I remembered from the past that some websites break otherwise. I use the BetterPrivacy extension to delete Flash cookies when I clear history.

    Some Java apps need local system access, but I never tried to adjust integrity levels for Java. Instead, for those few websites that don't work properly because they need local file system access, I visit those websites in a virtual machine.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that.

    Is it easy to show the average user how to do this? (I would have to be shown, as I don't know what "icacls" or "chml" are)

    One reason I've liked Opera for the average user is that it's easy to explain how to control plugins and scripting both globally and per site.

    ----
    rich
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Chrome antics: did Google reverse-engineer Windows?:
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are correct -- the exploit targets Java, not the browser. The same with PDF exploits which target the PDF reader, not the browser.

    But I raise the point because there seems to be the thought that IE can be configured to prevent Java and Flash from running their processes.


    ----
    rich
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Icacls usage is described in this thread, but not in regards to Java.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe someone can test some Java exploits against protected mode IE, Chrome, etc.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for the confirmation. Just as I suspected. I believe that in the case of Chromium-based browsers, the scenario would perhaps be far worse. Under certain circumstances (Google developers cannot reproduce this issue, so I highly doubt it has been fixed) both chrome.exe parent and child processes run with the same integrity level (medium or high, if we're dealing with a standard user account or administrator account w/o UAC).

    I wonder if a mix of both these two scenarios would be more catastrophic than with IE.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not to prevent such processes from running, but rather to lower their permissions in the system.

    Taking as an example IE Protected Mode, there will be two iexplore.exe processes (considering only two instances of IE): parent and child.

    Parent runs in medium level, otherwise users could not save files to medium level areas, for example.

    What we're discussing is that it should be the child process, running with low integrity level/in protected mode, initiating Java/Flash. I run Chromium with an explicit low integrity level, and Youtube runs fine, and other websites run too, even Microsoft sites with their Silverlight. So I wonder how hard it would be to make Java run with low integrity level as well.

    I believe it could be possible to have it that way and virtualize Java by O.S itself, writing to the needed areas, just not the real ones, virtualized ones.

    I don't have Java, nor can I play with virtual machines, unfortunately, but it would be nice if someone would be willing to give this a shot.
     
  21. wat0114

    wat0114 Guest

    Hi MrBrian,

    are you using PowerBroker to set the integrity level on Firefox? If so, could the same not be done with IE?

    Another question I have regards ICACLS: can it be configured in Win7 as easily as it could in Vista? I see Sully's examples from your link, but I remember him mentioning some odd differences between Win7 and Vista when he was discussing the development of his SafeAdmin project.
     
    Last edited by a moderator: Feb 19, 2011
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can set integrity levels with icacls, chml or runasil (Didier Stevens' tool). runasil has a plus (I haven't actually tried it and compared it with chml), because it creates a registry entry remembering process names, which is useful in case you upgrade an application, and during the upgrade the process gets deleted.

    I wouldn't personally mess with IE integrity levels, before doing it in a test machine and test every possible scenario you'd be using it for and see what happens.

    I see no point in paying for a tool to do that. For what I could see PowerBroker is a paid-for product; at least the link shows it's an evaluation version.
     
  23. wat0114

    wat0114 Guest

    Thanks m00nbl00d. I'm not really heck bent :) on playing with integrity levels too much, rather just curious, although I did try with the PowerBroker utility without too much success.

    Actually, I got it for free courtesy of MrBrian's link here. As I mentioned above, I had problems getting it to work as expected in my Win7x64 vm.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Obviously, I'm not familiar with how PowerBroker works, but you can place chml (I guess runasil too) in C:\Windows\System32, and then you just need to invoke its name like chml "C:\Users\User\Desktop\Some folder" -i:l (In this example, we're setting folder "Some folder" with a low integrity level.) chml actually has a very detailed help (-http://www.minasi.com/apps/). Right now I don't recall which command to invoke in cmd line to see more help. I'll see if I can find my notes. ;)

    icacls (Microsoft's own tool) isn't as powerful as chml, though. I can't say much about runasil, except for the nice feature it provides, as I mentioned previously.


    OK. I'll see if I can still download it, and when I get my new external hard disk, play with it in a virtual machine.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I haven't spent any time with PowerBroker Desktops since I posted about it, but I will one of these days. I'd give the same advice as m00nbl00d regarding changing IE integrity levels.

    I don't know any reason why icacls would be any different in Vista vs Windows 7. I haven't used Vista much though.
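
One way to check the integrity levels reported in this thread for browser-launched Java and Flash processes, as an added example that is not part of the original posts: it reads the mandatory label from a process token through the Win32 API via ctypes. The function names are this example's own; the query works on Windows Vista and later, and the PIDs are passed on the command line.

```python
import ctypes
import sys

# Floors of the well-known mandatory integrity levels (RID of an S-1-16-<RID> SID).
LEVELS = [(0x4000, "System"), (0x3000, "High"), (0x2000, "Medium"),
          (0x1000, "Low"), (0x0000, "Untrusted")]
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25  # TOKEN_INFORMATION_CLASS.TokenIntegrityLevel

def level_name(rid):
    """Name the highest level whose floor the RID reaches (0x2100 is still Medium)."""
    return next(name for floor, name in LEVELS if rid >= floor)

def integrity_rid(pid):
    """Return the integrity RID from a process's primary token (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    vp, u32 = ctypes.c_void_p, ctypes.c_uint32
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = vp, [u32, ctypes.c_int, u32]
    k32.CloseHandle.argtypes = [vp]
    adv.OpenProcessToken.argtypes = [vp, u32, ctypes.POINTER(vp)]
    adv.GetTokenInformation.argtypes = [vp, ctypes.c_int, vp, u32, ctypes.POINTER(u32)]
    adv.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    adv.GetSidSubAuthorityCount.argtypes = [vp]
    adv.GetSidSubAuthority.restype = ctypes.POINTER(u32)
    adv.GetSidSubAuthority.argtypes = [vp, u32]

    proc = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not proc:
        raise ctypes.WinError(ctypes.get_last_error())
    token = vp()
    try:
        if not adv.OpenProcessToken(proc, TOKEN_QUERY, ctypes.byref(token)):
            raise ctypes.WinError(ctypes.get_last_error())
        buf, needed = ctypes.create_string_buffer(128), u32()
        if not adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf,
                                       len(buf), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        sid = vp.from_buffer(buf).value  # TOKEN_MANDATORY_LABEL begins with the SID pointer
        count = adv.GetSidSubAuthorityCount(sid)[0]
        return adv.GetSidSubAuthority(sid, count - 1)[0]  # last sub-authority is the RID
    finally:
        if token.value:
            k32.CloseHandle(token)
        k32.CloseHandle(proc)

if __name__ == "__main__" and sys.platform == "win32":
    for pid in map(int, sys.argv[1:]):
        rid = integrity_rid(pid)
        print(pid, hex(rid), level_name(rid))
```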
     