Thread-injection attacks from browser exploits are increasing: Invincea

Discussion in 'other security issues & news' started by MrBrian, Dec 28, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Prediction 2012: Hackers Will Find New Fertile Ground to Pharm:
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh, I love this article haha Thank you MrBrian.
     
  3. wat0114

    wat0114 Guest

    What was that about blacklisting again? :p
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Haha, oh I definitely agree with them. Blacklisting is reactionary and ineffective. But if I were to design a program it would include it, though in a very different form.

    I am not quite done with the article but I do agree with them.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    With the exception of infrastructure attacks, which I very much believe are going to come, and come hard, I think 2012 will still be the same old, same old. The security industry isn't learning anything, so hackers don't have to work much harder than they have been. That said, I believe the coming year will see more attempts, and serious ones to eat away at the Chrome sandbox. It can and will happen, but perhaps it won't fully succeed in 2012. They'll still keep trying though and, if they can pull it off, I can easily see Chrome popularity taking a nose dive.
     
  6. wat0114

    wat0114 Guest

    Sometimes this is all good fun. I felt you might have had someone in mind with your initial post, HM :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, I don't necessarily think that suddenly the hackers will go "Hey, it's 2012 let's change it up." But I do agree with their points, whether the predictions based on them will happen or not.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why always talk about the doom that will happen to Chrome's sandbox? I don't see anyone talking about IE's sandbox doom... and that one has existed since late 2006.

    Has anyone ever seen any exploits successfully bypassing IE's sandbox?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Sandboxes in general may be bypassed as kernel exploits start popping up. I doubt that IE's sandbox will somehow last forever while Chrome's falls to pieces, since Chrome has quite a few more restrictions. Both are ACL-based, so they're both going to fall apart at the same time.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's inevitable, M00n. You don't necessarily have to break the sandbox in IE (if you can really call it a true sandbox) to screw with it. In Chrome, it's all but required to crack the sandbox to have any real harm done. I say all but required since extensions in Chrome are still a wild card. Honestly, it really doesn't matter what you throw at hackers, they'll bust it wide open in time. Back in 2006 the security and malware landscape looked different as well.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would absolutely call it a true sandbox. Who wouldn't?

    I agree on some level though. If I use IE as a vector of attack I can still accomplish a lot in the sandbox. If I use chrome as a vector of attack there's much less I can accomplish in the sandbox.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Agreed. Once the kernel bombardments start becoming more common, all bets are off. Guys, the war with malware is only going to get worse. The big problem is that the good guys are still using the same technology and weapons they always have. It's like putting your boots on the ground in Afghanistan with muskets.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you face a kernel exploit attack, a browser's sandbox bypassed should be the least of your concerns.

    Forever is a long time, isn't it? ;) We also don't know what the future will bring us in terms of browser security (and operating system security). By then, we'll have other security technology for sure. If we don't, then you can say it's doom... or not... even by then there will be easier fish in the ocean to catch... as it happens today.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Depends on the exploit. Let's say the exploit is in a system driver stored at C:/driver/ and your sandbox doesn't give access to that driver. Kernel exploit mitigated! =p

    Still, I think attackers won't focus on Chrome or IE9 sandboxes. Why bother? The payoff is great (millions of users + kernel access) but nearly as much can be accomplished with a nice simple OS portable exploit in the Oracle VM.

    Attackers want to make money. Save the 0days for cyberwarfare, spray as many cheap and easily mitigated exploits as you can at the rest of the world.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I can't argue with that point. There are a lot of easier ways to get the job done. Busting open Chrome will happen, but perhaps it will be more of an epeen thing at first. Eh, crap, our brains may be wired to the net in 10 years, if we even still have a net, I don't know, lol.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was talking about a successful kernel exploit. :p

    But, as you pointed out, it isn't all doom. Which was my point.

    Exactly. Why bother, when there's easier fish out there? Which is why I also said that it isn't all doom. And, if it was that easy to bypass those sandboxes, we'd be seeing it everyday.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, extensions are the weakest vector in Chrome, since there's no vetting process. :mad:

    But, I wouldn't call it inevitable. Yes, back in 2006 it was different; but, I'm also pretty sure everyone thought it was all doom for Windows and IE. Microsoft introduced a lot of security technologies for both Windows and IE. Nowadays, it isn't that easy to infect a system using IE9 in Protected Mode (read bypassing it).

    Windows 8 will bring more, including an enhanced ASLR, if my memory isn't degrading by now. :D

    Sure, there's still social engineering and all that. But, that's the easy fish out there, isn't it? :argh:

    -edit-

    Could security be different (=more efficient)? Totally, and hopefully over time we'll see something different... Let's hope... lol
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't understand how it can happen?
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    By living in RAM or within a process that's already on disk I assume.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Extensions are weaker in that there's no vetting and therefore more exploits or even a malicious extension.

    But in the case of an exploit there still is the sandbox - if your Twitter extension (for example) gets attacked but it doesn't have access to your passwords neither will the attacker.

    Windows 8 will include a more randomized ASLR, which is nice but no real biggie for Chrome or IE - Chrome already randomizes its own address space and then has the OS randomize it further, IE uses (I believe) Null Pages so overflows are considerably more difficult, and the 64-bit version will already be very random.
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Am I bothered? (Latin: "num me vexo")
     
  22. wat0114

    wat0114 Guest

    Did I miss out on these exploits, because I don't remember seeing any in the news?
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think they're saying that the browser/plugin was exploited and it hopped over to the OS services, which would let them elevate in the case of Windows 7 default UAC.
     
  24. wat0114

    wat0114 Guest

    Oh, maybe that's it then. Thanks!
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Just my interpretation but I think that makes the most sense.

    The big deal there is that they can go from, say, Flash over to your explorer.exe via thread injection, probably making use of ROP, and then elevate straight to admin on any common system. They avoid AVs and they gain admin privileges in one exploit.

    This is where AVs just fall to pieces and something like Sandboxie might do a better job.
     
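Hungry Man's last post describes a browser plugin creating a thread inside explorer.exe. As an added defender-side example (not from this thread, Invincea, or any poster), here is a small Python triage of Sysmon Event ID 8 (CreateRemoteThread) records that flags cross-process threads whose source is a browser or plugin image; the sample log lines, the process name lists and the severity rules are constructed assumptions, not vendor output.

```python
import ntpath
from dataclasses import dataclass

# Assumed lists: images that commonly host untrusted web content, and
# processes a defender would not expect them to create threads in.
BROWSER_OR_PLUGIN = {"chrome.exe", "iexplore.exe", "firefox.exe",
                     "flashplayerplugin.exe", "plugin-container.exe",
                     "java.exe", "javaw.exe"}
HIGH_VALUE_TARGETS = {"explorer.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}

# Constructed sample lines shaped like flattened Sysmon Event ID 8 records
# (SourceImage/TargetImage/StartModule are real Sysmon field names).
SAMPLE_EVENTS = [
    "EventID: 8 | SourceImage: C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerPlugin.exe | TargetImage: C:\\Windows\\explorer.exe | StartModule: - | StartFunction: -",
    "EventID: 8 | SourceImage: C:\\Program Files\\Internet Explorer\\iexplore.exe | TargetImage: C:\\Windows\\explorer.exe | StartModule: C:\\Windows\\System32\\ntdll.dll | StartFunction: LdrLoadDll",
    "EventID: 8 | SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\explorer.exe | StartModule: C:\\Windows\\System32\\ntdll.dll | StartFunction: RtlUserThreadStart",
    "EventID: 8 | SourceImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | StartModule: C:\\Windows\\System32\\ntdll.dll | StartFunction: RtlUserThreadStart",
]

@dataclass
class Finding:
    severity: str
    source: str
    target: str
    reason: str

def parse_event(line):
    """Turn one flattened 'Key: value | Key: value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def assess(fields):
    """Return a Finding for a suspicious remote-thread event, else None."""
    if fields.get("EventID") != "8":
        return None
    src = ntpath.basename(fields.get("SourceImage", "")).lower()
    dst = ntpath.basename(fields.get("TargetImage", "")).lower()
    if src not in BROWSER_OR_PLUGIN or src == dst:
        return None  # same-image threads (renderer <-> broker) are routine
    reasons = [f"remote thread from browser/plugin {src} into {dst}"]
    severity = "high" if dst in HIGH_VALUE_TARGETS else "medium"
    if fields.get("StartModule", "-") == "-":
        # Start address not backed by any loaded module: typical of injected code
        reasons.append("thread start address not backed by a loaded module")
        severity = "high"
    return Finding(severity, src, dst, "; ".join(reasons))

def scan(lines):
    """Parse and assess every line, keeping only the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines) if f]
```

Run `scan(SAMPLE_EVENTS)` to see only the two browser-originated threads into explorer.exe reported, while the csrss.exe and Chrome-to-Chrome events pass as normal.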