SUMware2
Premium Member
join:2002-05-21

Microsoft Confirms Critical 0-Day IE8 Vulnerability

From Softpedia
23rd of March 2009 -
quote:
Microsoft has confirmed officially the zero-day vulnerability impacting Internet Explorer 8, the latest iteration of its IE browser. The security flaw was demonstrated on the first day of the Pwn2Own hacking contest of the CanSecWest 2009 in Vancouver the past week. A security researcher identified only as Nils managed to own a Sony Vaio running Windows 7 via a vulnerability in IE8. Terri Forslof, the manager of Security Response for TippingPoint, revealed that Microsoft had acknowledged to her the existence of the issue.

“The MSRC (Microsoft Security Response Center) (...) let me know that they had reproduced and validated the IE8 vulnerability discovered by the mysterious Nils. Of course, we can't tell you anything more than that...”
From SC Magazine
March 24, 2009 -
quote:
Internet Explorer 8 "critical" flaw in final version

Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices.

“This is a single-click-and-you're-owned exploit,” she told SCMagazineUS.com on Tuesday. “You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's ‘critical’ bar [in its vulnerabilities and rating system].”

The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

“Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well.”

EdG
@eastlink.ca
Anon

As we all know, all software is flawed - some more than others!

The trick is in how quickly the software can be patched. Let's see how MS does - typically they are very slow.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay to SUMware2

Some of us were stubborn enough not to be running IE8. Therefore, no 0-Day problem.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to SUMware2

This Nils guy laid quite the whooping on the browsers at CanSecWest smacking IE8, Firefox and Safari, so are there any notices published concerning the other browsers?

Actually the score was IE8 (one exploit - Nils), Firefox (two exploits - Nils and Julien Tinnes but unfortunately his efforts fell outside the contest criteria and therefore could not be rewarded), Safari (three exploits, Charlie Miller, Nils and Julien Tinnes)»dvlabs.tippingpoint.com/ ··· own-2009

Having been involved with security issues in Windows for well over ten years (even before they had MSRC (Microsoft Security Response Center), or at least an official MSRC), Microsoft has always impressed me with how willing they are to work with 'researchers' and yes even acknowledge security issues and deal with them, rather than depending on reality distortion fields like Apple for example.

Now one comment that Charlie Miller had that was interesting is that he doesn't just give his exploits away to Apple, as his thinking is Apple has people they pay to do security testing and he expects Apple to pay him for security testing (or at least the exploits he finds). I must admit having spoken recently to a number of security researchers this is becoming more of a common concern/thinking, and while I know it takes $$$ to take the time and do the research, it's a fine line to walk and while I have seen it work, I've also seen an ugly side of this as well.

Blake

Lagz
Premium Member
join:2000-09-03
The Rock

Lagz to SUMware2

I didn't figure it would be long before something like this!!

therube
join:2004-11-11
Randallstown, MD

therube to SUMware2

And Softpedia also reported this so I assume they are differing vulnerabilities?
quote:
IE8 RTW Bulletproofed Against .NET, DEP and ASLR Bypass Reveals Microsoft
The gold version of Internet Explorer 8 was bulletproofed against techniques designed to attack Internet Explorer 7 by leveraging inconsistencies in Windows Vista's memory protection mechanisms. Vista brought to the table a number of mitigations, additional security layers including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), designed to make it extremely hard for exploits to work against the operating system.
Still, because of the actual design and implementation, the extra mitigations could in fact be defeated, as security researchers Alexander Sotirov and Mark Dowd demonstrated at BlackHat Vegas, in 2009.

Sotirov and Dowd managed to circumvent DEP and ASLR via .NET framework DLLs that were used for memory page allocation in relation to predictable locations within the iexplore.exe process. Jonathan Ness, from MSRC Engineering, explained that the bypass was no longer valid with the copy of Internet Explorer 8 released to web on March 19, 2009.

“The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone,” Ness stated.

Microsoft is committed to keeping its ears to the street, and has gathered feedback from the recent CanSecWest and SOURCE conferences, emphasizing that security researchers have categorized the process of producing exploits for Vista as “very, very hard.” “IE8 is pretty cool technology. We have been using it internally now for a while. One of the great things about it is the layering of defenses on top of defenses. No browser is 100% secure but we are hoping if we keep adding defenses they will be harder and harder to exploit,” Ness added.

19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to SUMware2

quote:
Some of us were stubborn enough not to to be running IE8. Therefore, no 0-Day problem.
Yes.... IE8 is crap (IE7 is not much better)

IE6 is the best

SUMware2
Premium Member
join:2002-05-21

SUMware2 to therube

said by therube:

I assume they are differing vulnerabilities?
Correct. The Sotirov/Dowd demo occurred at BlackHat in 2008. Softpedia had the year wrong.

Researchers use browser to elude Vista memory protections

Here's their paper: Bypassing Browser Memory Protections [pdf]
said by Sotirov/Dowd:
Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

In this paper we will discuss the limitations of all aforementioned protection mechanisms and will describe the cases in which they fail. We aim to show that the protection mechanisms in Windows Vista are particularly ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers. This will be demonstrated with a variety of exploitation techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances.
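The Sotirov/Dowd bypass and Microsoft's later mitigations both turn on whether the modules mapped into the browser process opt into ASLR and DEP; the defender-side check is an audit of each loaded module's PE DllCharacteristics flags. This is an added example, not code from the thread, the paper, or Microsoft; the header-only PE images it inspects are constructed inline, and the module names are hypothetical.

```python
import struct

# DllCharacteristics bits from the PE optional header (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts into DEP


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B) or size_of_optional < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_status(image: bytes) -> dict:
    """Report whether the module opted into ASLR and DEP."""
    flags = read_dll_characteristics(image)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def modules_without_aslr(modules: dict) -> list:
    """Names of loaded modules that would sit at a predictable address."""
    return sorted(name for name, img in modules.items()
                  if not mitigation_status(img)["aslr"])


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed sample: a header-only PE32 DLL, enough for the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Hypothetical process module list: one legacy module, one hardened one.
    loaded = {"legacy.dll": build_minimal_pe(0),
              "hardened.dll": build_minimal_pe(0x0040 | 0x0100)}
    print(modules_without_aslr(loaded))  # ['legacy.dll']
```

On a real system the same functions can be run over the on-disk images of the modules a process reports as loaded; any module listed by modules_without_aslr is the kind of fixed-address mapping the paper's techniques rely on.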

therube
join:2004-11-11
Randallstown, MD

therube

Thanks.

Mem
join:2002-01-03
Nashville, TN

Mem to SUMware2

It appears that Nils' exploit is based on the Sotirov/Dowd exploit. DVLabs states the vulnerability is still in IE8 but these two techniques are not able to work with IE8 on Vista SP1 - mitigates both attacks (with a few caveats such as not in the Intranet zone or XP as the OS).

»dvlabs.tippingpoint.com/ ··· y-secure

SUMware2
Premium Member
join:2002-05-21

SUMware2

Sponsor confirms IE8 bug & IE7 Possibly Vulnerable

From NetworkWorld
03/27/2009 -
quote:
Hack contest sponsor confirms IE8 bug in final code

The final version of Microsoft's Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed Friday.

But the exploit used by the computer science student to break the release candidate of IE8 -- and walk away with a Sony laptop and $5,000 in cash -- won't work on the final version of IE8 as long as it's running in Windows Vista SP1 or Windows 7, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint.

Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because Nils, the German student who gave only his first name, hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later.

Forslof put the chatter to rest by confirming that IE8's RTW, or "release to Web" bits, were immune from Nils' hack. "His exploit did, in fact, employ the technique found by Sotirov and Dowd," said Forslof, referring to work by Mark Dowd and Alex Sotirov, two researchers who announced last summer that they were able to bypass two of Vista's biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention).

Microsoft made changes to IE8 between RC1 and the final code that blocked Dowd's and Sotirov's circumvention technique, thereby making Nils' exploit moot -- but only in some situations, said Forslof Friday.

"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly-known techniques."

Also at risk, said Forslof, are users running IE8 on the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.
Forslof declined to confirm whether the bug also exists in older versions of IE, such as IE7. "We're not going to comment on that," she said, "because we're still confirming the vulnerability on the previous versions ourselves. So we'll let Microsoft handle that [announcement]."

But she suspects that IE7 is vulnerable. "My guess would be yes," she said. "A lot of times, researchers look at the current software, in this case IE7, find a bug, then they test on the beta of the next. If they find it there [in IE8], they wait and see whether it's fixed in the final."

Microsoft has said little about the IE8 vulnerability, although during an online Q&A Wednesday, the browser team noted that Nils' exploit wouldn't work on the RTW edition. "We can say that the attack as demonstrated in Pwn2Own at CanSecWest will not succeed on the RTW build released on March 19 due to changes that can block the ASLR+DEP .NET bypass demonstrated by Dowd and Sotirov," said Kymberlee Price, a program manager for IE8 security.

Mozilla, whose Firefox browser was also hacked by Nils last week, plans to patch has already patched that flaw, as well as another that just went public, next week.

Microsoft, however, has not spelled out a timetable for an IE fix.

[some emphasis added]

EdG
@eastlink.ca

EdG to SUMware2

Has this been patched yet? Or are MS waiting for a Tuesday?

therube
join:2004-11-11
Randallstown, MD

therube

quote:
Has this been patched yet? Or are MS waiting for a Tuesday?
Tuesday.
This should now be fixed with the current (June) Tuesday patches.

EdG
@eastlink.ca

March to June - that's a speed record for that dinosaur...

jeno
@bellsouth.net

jeno to therube

Cite?