Researchers bypass Internet Explorer Protected Mode

trismegistos · Dec 3, 2010

http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/

Researchers bypass Internet Explorer Protected Mode

Just add exploit
By Dan Goodin in San Francisco
Posted in Security, 3rd December 2010 21:52 GMT

Researchers say they have devised a way to carry out stealthy drive-by exploits even when victims are using recent versions of Internet Explorer with a feature known as Protected Mode.

The attack, described in a paper released by Verizon Business, requires the attacker to have an exploit for a vulnerability that's not currently patched. It works only against machines that have the Local Intranet Zone enabled, as is the default for domain-joined workstations.

Protected Mode, which was introduced in version 7 of IE, is intended to prevent exploit code from accessing sensitive parts of the Windows operating system, such as those that create files or change registry settings. But the Verizon Business researchers said they figured out a reliable way to bypass the measure that requires no interaction on the part of the victim.

“The attack combines the facts that sockets are not subject to Mandatory Integrity Control and that sites in the Local Intranet Zone are rendered with Protected Mode disabled,” the paper states.

“The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”

A PDF of the paper is here
Click to expand...

Jav · Dec 4, 2010

It seems turning on protected mode for Local Intranet will defeat it.
Which I think most Wilders users already do?

Boyfriend · Dec 4, 2010

Thanks trismegistos

@Jav: I have enabled Protected Mode for all zones, but do not use IE.

elapsed · Dec 4, 2010

Jav said:

It seems turning on protected mode for Local Intranet will defeat it.
Which I think most Wilders users already do?
Click to expand...

Yup, I already have Protected Mode enabled on all 4 zones.

xxJackxx · Dec 6, 2010

I hadn't realized it was disabled per zone. It's on now.

loverboy · Dec 6, 2010

How do I set "Protected Mode" in Internet Explorer 8?

Do I have to set it anyway for Intranet even if I am using a "Home PC" that is (for this reason) not connected to any Intranet?

ronjor · Dec 6, 2010

http://technet.microsoft.com/en-us/ie/dd878120.aspx

loverboy · Dec 7, 2010

ronjor said:

http://technet.microsoft.com/en-us/ie/dd878120.aspx
Click to expand...

So it is only for Vista / Seven
Since I have Windows XP SP3 there is no way to set "Protected Mode" on?

xxJackxx · Dec 7, 2010

loverboy said:

So it is only for Vista / Seven
Since I have Windows XP SP3 there is no way to set "Protected Mode" on?
Click to expand...

Nope, it's part of UAC.

m00nbl00d · Dec 7, 2010

loverboy said:

So it is only for Vista / Seven
Since I have Windows XP SP3 there is no way to set "Protected Mode" on?
Click to expand...

IE Protected Mode is applied by something called integrity levels (this is the most common name you'll find around), and these were only introduced with Windows Vista, and then 7.

What you can do is minimize at maximum what IE under XP can do to the system.

MrBrian · Feb 26, 2011

From Familiar faces, new names step up at Pwn2Own hacking contest:

[Vupen's] hack of IE will be a first of its kind, added Bekrar, because it will bypass the browser's sandbox, dubbed Protected Mode. "This is the first time such a critical weakness has been discovered in Protected Mode," said Bekrar.
Click to expand...

Log in or Sign up

Researchers bypass Internet Explorer Protected Mode

trismegistos Registered Member

Jav Guest

Boyfriend Registered Member

elapsed Registered Member

xxJackxx Registered Member

loverboy Registered Member

ronjor Global Moderator

loverboy Registered Member

xxJackxx Registered Member

m00nbl00d Registered Member

MrBrian Registered Member

Log in or Sign up

Researchers bypass Internet Explorer Protected Mode

trismegistos Registered Member

Jav Guest

Boyfriend Registered Member

elapsed Registered Member

xxJackxx Registered Member

loverboy Registered Member

ronjor Global Moderator

loverboy Registered Member

xxJackxx Registered Member

m00nbl00d Registered Member

MrBrian Registered Member

Useful Searches