Verizon researchers uncover Internet Explorer Protected Mode vulnerability

While investigating the protection that IE Protected Mode offers against zero-day memory corruption vulnerabilities, the Verizon researchers found a “bypass” of Protected Mode, “along with a number of generic attack patterns which must be protected against to prevent future circumvention of the feature”.

The white paper, Escaping from Microsoft’s Protected Mode Internet Explorer, describes a number of generic attack patterns to exploit the IE Protected Mode vulnerability. The first pattern involves a remote IE Zone escalation.

“In this attack, an attacker has a web page rendered in one zone, normally in the ‘Internet Zone’. From this webpage they are able to get malicious content rendered in a more permissive zone, where Protected Mode is disabled, such as the ‘Local Intranet Zone’ or the ‘Trusted Sites Zone’.”

The next pattern is the use of local exploits that target IE’s Trusted Brokers. “Trusted Brokers can be attacked in malicious command line arguments which results in either the broker performing a privileged operation on behalf of the low integrity process or the execution of arbitrary code through memory corruption vulnerabilities”, the white paper explained.

The Verizon Business researchers said they discovered that IE Protected Mode could be bypassed by escalating the browser’s privilege level from low to medium integrity.

“The attack assumes the existence of exploitable memory corruption vulnerability within Internet Explorer or an extension, which is the precise scenario that Protected Mode is supposed to mitigate. Once the initial remote exploit has been used to execute arbitrary code at low integrity on the client, the payload can create a web server listening on any port on the loopback interface, even as a limited user at low integrity”, the researchers explained.

“Given the current set of potential ways to bypass Protected Mode’s protection by locally escalating from low to medium integrity, it can be concluded that the mechanism currently provides little in the way of reliable protection from remote code execution attacks”, they concluded.

The researchers offered a number of recommendations to administrators in order to mitigate the IE Protected Mode vulnerability: ensure that IE’s User Account Control is enabled; ensure that workstation users do not run as administrators; enable Protected Mode for all zones where possible; disable the Local Intranet Zone or limit the membership of the zone as much as possible; ensure that third-party software vendors create software that does not incorrectly configure IE’s elevation policy and thereby introduce privilege escalation bugs that allow malicious code to escape from Protected Mode; and configure group policy to prevent users from changing the IE elevation policy.
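The following PowerShell script is an added example, not part of the article or the Verizon white paper, that audits a workstation against the recommendations above: whether UAC is on, whether the current user is an administrator, whether Protected Mode is enabled in each IE zone, and whether any entry in IE’s elevation policy silently elevates a program to medium integrity. It assumes the standard registry locations for these settings (the per-zone value 2500 under the Internet Settings\Zones keys, where 0 means enabled and 3 disabled, and the Low Rights\ElevationPolicy key, where Policy = 3 means silent elevation); the function names and the report layout are the example’s own.

```powershell
# Added example: audit IE Protected Mode and elevation policy settings.
# Assumed registry layout (not stated on the page):
#   Zones\<n>  value 2500 = "Turn on Protected Mode" (0 = enabled, 3 = disabled)
#   Low Rights\ElevationPolicy\<GUID>  Policy = 3 means "silently elevate to medium"

$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$ElevationPolicyRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

# Recommendation: User Account Control must be enabled (EnableLUA = 1).
function Test-UacEnabled {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                          -Name 'EnableLUA' -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.EnableLUA -eq 1)
}

# Recommendation: workstation users should not run as administrators.
function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Recommendation: Protected Mode should be enabled in every zone where possible.
# Machine-wide (HKLM) and per-user (HKCU) keys are both reported, since either may apply.
function Get-ProtectedModeStatus {
    foreach ($root in $ZoneRoots) {
        foreach ($id in 1..4) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { continue }
            $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
            if ($value -eq $null)  { $status = 'Not set' }
            elseif ($value -eq 0)  { $status = 'Enabled' }
            elseif ($value -eq 3)  { $status = 'Disabled' }
            else                   { $status = "Unknown ($value)" }
            [pscustomobject]@{
                Hive   = $root.Split(':')[0]
                Zone   = $ZoneNames[$id]
                Status = $status
            }
        }
    }
}

# Recommendation: third-party software must not register elevation policy entries
# that silently elevate a program from low to medium integrity (Policy = 3).
function Get-SilentElevationEntries {
    if (-not (Test-Path $ElevationPolicyRoot)) { return }
    Get-ChildItem -Path $ElevationPolicyRoot | ForEach-Object {
        $entry = Get-ItemProperty -Path $_.PSPath
        if ($entry.Policy -eq 3) {
            [pscustomobject]@{
                Id      = $_.PSChildName
                AppName = $entry.AppName
                AppPath = $entry.AppPath
            }
        }
    }
}

# Report
Write-Host ("UAC enabled:              {0}" -f (Test-UacEnabled))
Write-Host ("Running as administrator: {0}" -f (Test-RunningAsAdmin))
Write-Host "`nProtected Mode per zone:"
Get-ProtectedModeStatus | Format-Table -AutoSize
Write-Host "Elevation policy entries that silently elevate to medium integrity:"
$silent = @(Get-SilentElevationEntries)
if ($silent.Count -eq 0) { Write-Host "  (none)" } else { $silent | Format-Table -AutoSize }
```

Run it in an ordinary (non-elevated) session so that the administrator check reflects what the browser would actually run as. Any zone reported as Disabled, and any Policy = 3 entry that does not belong to a known, deliberately vetted product, is a finding to review against the recommendations above; the elevation policy key is machine-wide, so the group policy recommendation is what keeps users from adding entries to it themselves.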
