Internet Explorer is the world’s most popular browser, but that doesn’t mean it’s impregnable: security experts have recently drawn attention to how attackers could exploit it to spy on users. Last month, a vulnerability in Internet Explorer was implicated in Chinese hackers’ attacks on Google. Microsoft quickly patched the flaw with a special security update, but not much later, Jorge Luis Alvarez Medina, a security consultant for Boston-based CORE Security Technologies, revealed a scheme that could let an attacker read any file on a user’s computer through Internet Explorer.
In a talk last week at Black Hat DC, a computer-security conference in Washington, DC, Medina outlined how he chained a series of seemingly minor flaws into a much more serious attack. Usually, files stored on a user’s computer are treated differently from those intended to be accessible through the Internet. Medina’s attack blurs the line between the two types of files, allowing an attacker to access personal files over the Internet. During his talk, Medina demonstrated code that allowed him to upload files from a user’s computer to a remote server.
To make the attack work, the Internet Explorer user has to click a link to a malicious Web page. Once the user navigates there, the attacker uses a variety of holes and features in Internet Explorer to gather information about the user’s computer. At the same time, the attacker sneaks some malicious code into the browser (websites are allowed to write some code into the browser, for example in the form of tracking files called “cookies”). The attacker uses what he’s learned to direct the browser to open that malicious code as if it originated from the user’s computer. If he can convince the browser to run the code, then the attacker will have crossed the divide between the Internet and the user’s local machine.
Medina has been investigating this type of attack for some time: CORE Security issued an advisory on his first version of this attack in 2008. However, he says, Microsoft has responded by releasing patches that focus only on preventing the browser from actually running the malicious code; the fixes don’t stop the attacker from learning about the user’s computer, which could, potentially, lead to other attacks. Medina believes the attack could be stopped more effectively by closing down flaws at every point of the chain. “It makes no sense to think about this vector if none of the [string of exploits] are possible,” Medina says.
When he spoke with Microsoft about his attack, Medina says, the company told him that it could not patch some of the flaws he exploited. In some cases, this was because the flaws were closely related to intended features of the browser. In other cases, the company worried that any fix would in turn open up additional security holes.
Medina says his attack currently works for all versions of Internet Explorer.
However, “customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue, as they benefit from Internet Explorer Protected Mode, which protects from this issue,” said Jerry Bryant, senior security communications manager lead at Microsoft, in a statement. He added that Microsoft has provided a set of instructions that XP users can implement to protect their computers. He notes, however, that Microsoft has not seen Medina’s attack in use in the wild.
Independent security researcher Dino Dai Zovi notes that many Internet Explorer users may not realize that they’re surfing the Internet without Protected Mode in place. Dai Zovi explains that users often disable Vista’s user account control, a built-in security feature that aims to make users aware of the privileges that applications are exercising, because they find its prompts annoying. What they often don’t realize, however, is that doing this also disables Protected Mode Internet Explorer, since it relies on the same underlying mechanism. “Most users would probably want the added security protection that Protected Mode Internet Explorer provides,” Dai Zovi says.
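Because Protected Mode silently stops working when UAC is turned off, an administrator or user may want to verify both settings rather than trust the browser’s defaults. The PowerShell check below is an added example for that purpose; it is not code from the article, from Medina or from CORE Security. The registry locations it reads (the EnableLUA value for UAC, and the per-zone value named 2500 that holds the Protected Mode switch under the Internet Settings zones) are assumptions drawn from Microsoft’s documentation of those settings, not from the article, and Group Policy can override the per-user values it inspects.

```powershell
# Added example (not from the article): report whether this machine actually
# benefits from Internet Explorer Protected Mode on Windows Vista or later.
# Assumed registry locations (from Microsoft documentation, not the article):
#   UAC on/off : HKLM\...\Policies\System\EnableLUA  (1 = on, 0 = off)
#   Per-zone   : HKCU\...\Internet Settings\Zones\<id>\2500 (0 = on, 3 = off)
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# UAC is the mechanism Protected Mode depends on; if it is off, every zone is effectively unprotected.
$uacValue   = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$uacEnabled = ($uacValue -eq 1)

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

$report = foreach ($id in ($zoneNames.Keys | Sort-Object)) {
    # The value name is numeric, so it is quoted when read back as a property.
    $setting = (Get-ItemProperty -Path "$zoneKey\$id" -Name '2500' -ErrorAction SilentlyContinue).'2500'

    $configured = if ($null -eq $setting) { 'not set' }
                  elseif ($setting -eq 0) { 'on' }
                  else                    { 'off' }

    # The zone setting only matters while UAC is on; report what the user really gets.
    $effective = if ($uacEnabled -and $setting -eq 0) { 'on' } else { 'off' }

    [pscustomobject]@{
        Zone          = $zoneNames[$id]
        ProtectedMode = $configured
        Effective     = $effective
    }
}

"UAC enabled: $uacEnabled"
$report | Format-Table -AutoSize

# Flag the case the article describes: Protected Mode configured for the Internet zone
# but not in force because UAC has been switched off.
$internet = $report | Where-Object { $_.Zone -eq 'Internet' }
if (-not $uacEnabled -and $internet.ProtectedMode -eq 'on') {
    Write-Warning 'Protected Mode is configured for the Internet zone but is NOT in effect because UAC is disabled.'
}
```

Run it in a normal (non-elevated) PowerShell session on the account whose browser settings you care about, since the zone values live under the current user’s hive; the warning at the end is the condition Dai Zovi describes, where the setting looks enabled but the protection is not actually applied.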
Medina acknowledges that his attack doesn’t currently work in Protected Mode, but says this mode once again only protects against a single aspect of the threat. He’s been working recently to see if he can bypass Protected Mode: “If not me, someone else will do it.”