
Internet Explorer 'protected mode' weakness exposed

Warning for Adobe Reader X and Google Chrome

Researchers have found a chink in Internet Explorer’s ‘protected mode’ security armour that hints at trouble for other Windows apps built around the technology, including Google’s Chrome and Adobe’s new Reader X.

The principle behind Protected Mode, which first appeared with the advent of Internet Explorer 7 on Vista, is to limit the privileges of an application process. These privileges are set by the OS for IE according to six Mandatory Integrity Control (MIC) levels, the lowest of which is applied to all apps running from untrusted zones such as the internet.

In a new paper, however, Verizon Business researchers document ways that an attacker could elevate the privileges of a process to zones where Protected Mode would not apply, such as the local intranet network (which uses UNC paths) or by spoofing the trusted sites list.

This leads to the possibility of a relatively simple attack in which malware executing as a low-integrity process creates a virtual web server bound to a local software ‘loopback’ port. Although this process will also be shut out by Protected Mode, it would be able to point IE to a web address which appears to be in the Local Intranet Zone.

At this point, the web page will be able to render at medium integrity, a potentially dangerous privilege escalation.

“By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode,” the authors note.
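
One way a defender could look for the loopback web server chain described above, added here as an example and not taken from the article or the Verizon paper: it pairs listening sockets owned by low-integrity processes with browser processes above low integrity that connect to them over loopback. The record schema, process names, PIDs, addresses and ports are constructed for illustration.

```python
import ipaddress

LOW_LEVELS = {"Untrusted", "Low"}  # integrity levels at or below Protected Mode

# Constructed sample telemetry; the schema is hypothetical.
LISTENERS = [
    {"pid": 4120, "image": "updater.exe", "integrity": "Low", "addr": "127.0.0.1", "port": 8081},
    {"pid": 912, "image": "svchost.exe", "integrity": "System", "addr": "0.0.0.0", "port": 135},
    {"pid": 3300, "image": "devserver.exe", "integrity": "Medium", "addr": "127.0.0.1", "port": 3000},
]
CONNECTIONS = [
    {"pid": 5008, "image": "iexplore.exe", "integrity": "Medium", "dst": "127.0.0.1", "dport": 8081},
    {"pid": 5010, "image": "iexplore.exe", "integrity": "Low", "dst": "203.0.113.10", "dport": 80},
    {"pid": 5012, "image": "iexplore.exe", "integrity": "Medium", "dst": "127.0.0.1", "dport": 3000},
]

def reachable_on_loopback(addr):
    """True for loopback binds and wildcard binds (0.0.0.0, ::), which also accept loopback."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_escalation_candidates(listeners, connections, browsers=("iexplore.exe",)):
    """Return (listener_pid, browser_pid, port) for each suspicious pairing."""
    suspect = {l["port"]: l for l in listeners
               if l["integrity"] in LOW_LEVELS and reachable_on_loopback(l["addr"])}
    hits = []
    for c in connections:
        try:
            to_loopback = ipaddress.ip_address(c["dst"]).is_loopback
        except ValueError:
            continue  # skip records with an unparseable destination
        srv = suspect.get(c["dport"])
        if (srv and to_loopback and c["image"].lower() in browsers
                and c["integrity"] not in LOW_LEVELS):
            hits.append((srv["pid"], c["pid"], c["dport"]))
    return hits

if __name__ == "__main__":
    for listener_pid, browser_pid, port in find_escalation_candidates(LISTENERS, CONNECTIONS):
        print(f"ALERT: browser pid {browser_pid} (above low integrity) connected to "
              f"low-integrity listener pid {listener_pid} on loopback port {port}")
```

The medium-integrity development server on port 3000 is not flagged, because the signal is the integrity gap between the listener and the browser process rather than loopback browsing as such.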

As the authors admit, the degree of protection offered by IE protected mode has always been ambiguous. Microsoft has made few direct claims for it, but has not downplayed its abilities either.

The weakness found by Verizon doesn’t directly affect other applications that use protected mode security, such as Adobe Reader X or Google Chrome, but it does show how such protection mechanisms will remain open to attack based on the fact that some elements of a system have to be trusted.

Adobe’s Reader X 'sandbox' was launched recently to overcome persistent and successful attacks using crafted PDF files opened with prior versions.

In reality, the need to attack IE and Reader X using clever and stealthy attacks is low given that so many users persist in using older versions of the software.
