When Mark Dowd and Alex Sotirov demonstrated a technique for bypassing Vista’s memory protections at Black Hat last year, the security community was stunned. Microsoft officials said at the time they were working on ways to defeat the pair’s attack and now that protection has arrived, in the form of Internet Explorer 8.
Dowd, who works for IBM ISS in Australia, says in a blog post that the security improvements Microsoft has made in IE 8 stop the memory-protection bypass from working against the browser in its default configuration.
“Basically, the fix is simple: Loading .NET controls has been associated with a special privilege that users can enable or disable – and in the default configuration for the “Internet Zone” (the Medium-High setting), .NET controls have been disabled,” Dowd writes.
The attack that Dowd and Sotirov showed off at Black Hat was complex, but its basic premise is that they were able to have a Web page load a .NET control into the browser process at a memory address of their choosing and with the memory permissions they chose. That let them get around two of the main memory protections in Windows Vista: ASLR (Address Space Layout Randomization), which is defeated by a module that lands at a known address, and DEP (Data Execution Prevention), which is defeated by a module whose memory is both writable and executable. These two technologies are a major part of the security upgrades that Microsoft added to Vista, and Dowd and Sotirov’s attack was seen as a breakthrough.
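The two image-level properties the bypass leaned on (a non-relocatable ImageBase, which sidesteps ASLR, and a section mapped writable and executable, which sidesteps DEP) are both visible in a module's PE headers. The following is an added example, not code from Dowd and Sotirov or from Microsoft: a dependency-free header audit that reads a PE image's DllCharacteristics and section flags and flags the weak combination, run over two constructed header-only images (one shaped like the bypass DLL, one built the way a DLL should be). The builder, the image layouts and the 0x10000000 base are assumptions made for the demonstration.

```python
"""Audit PE headers for the properties the .NET-DLL ASLR/DEP bypass relied on.

Added example (not the researchers' or Microsoft's code). A DLL that a page
causes the normal image loader to map gives the attacker control over its
ImageBase (a module without DYNAMIC_BASE lands where the headers say, so
ASLR never applies to it) and over its section protections (a section that
is both writable and executable is mapped executable even with DEP on, so
anything copied into it can run).
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
DYNAMIC_BASE = 0x0040   # image may be relocated: participates in ASLR
NX_COMPAT = 0x0100      # image declares itself DEP-compatible
# IMAGE_SECTION_HEADER.Characteristics flags
SCN_EXECUTE = 0x20000000
SCN_READ = 0x40000000
SCN_WRITE = 0x80000000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def audit_pe(data: bytes) -> dict:
    """Walk the DOS, COFF, optional and section headers of a PE image and
    report its ImageBase, ASLR/DEP opt-in flags and any RWX sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    rwx = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i          # section headers follow the optional header
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        if chars & SCN_WRITE and chars & SCN_EXECUTE:
            rwx.append(name)

    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "rwx_sections": rwx,
    }


def build_pe32(image_base: int, dll_chars: int, sections) -> bytes:
    """Constructed header-only PE32 image for the demonstration (assumption:
    no section data, not loadable; enough for the header audit above)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> PE signature
    opt = bytearray(96)                             # PE32 optional header, no data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdrs = b"".join(name.encode().ljust(8, b"\0") + bytes(28) + struct.pack("<I", chars)
                    for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Shaped like the bypass DLL: fixed base, no ASLR/DEP opt-in, one RWX section.
BYPASS_STYLE = build_pe32(0x10000000, 0,
                          [(".text", SCN_READ | SCN_WRITE | SCN_EXECUTE)])
# Built the way a DLL should be: relocatable, DEP-compatible, code not writable.
HARDENED = build_pe32(0x10000000, DYNAMIC_BASE | NX_COMPAT,
                      [(".text", SCN_READ | SCN_EXECUTE),
                       (".data", SCN_READ | SCN_WRITE)])

if __name__ == "__main__":
    for label, img in (("bypass-style", BYPASS_STYLE), ("hardened", HARDENED)):
        print(label, audit_pe(img))
```

Pointing `audit_pe` at real modules loaded into a browser process is the practical use: a module that reports `aslr: False` or a non-empty `rwx_sections` is exactly the kind of image an attacker wants mapped into the process, whichever loader brought it in.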
But now, with the addition of the new permission to IE 8, Microsoft has put a stop to that particular attack. As Jonathan Ness of the Microsoft Security Response Center writes in his blog on IE 8 security, “The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone.”
This is a nice advance for Microsoft and for its customers. IE has for years been seen as by far the least secure of the major browsers, but that perception may be shifting. At last week’s CanSecWest conference, the hackers in the Pwn2Own contest went right after Safari, believing that IE 8 on Vista would be too tough to crack. IE 8 eventually went down too, surprising many of the researchers in attendance.
This is all to the good, as Dowd writes.
“So, the net effect (no pun intended) of this change is that by default, our technique will no longer work in its current form against IE8 browsers in their default configuration. There are also a number of other security enhancements in IE8,” he writes. “Most notably, the browser now runs in ‘Protected Mode.’ Essentially, this means that the browsing process runs in a sandbox of sorts with a restricted set of privileges. (Internally, this is implemented by utilizing Vista’s ‘Low Integrity’ mode and communicating to a broker process via an out of process COM server. But, that is the topic of another post.) Furthermore, DEP has been enabled in IE8, which is a big change from IE7. This means that IE8 now fully reaps the benefits of the Vista memory protections. Hacking it is going to be hard! .. Probably!”