Microsoft on IE8 Exploit: 'There Is No Patch'
And there never will be.
ARLINGTON, VIRGINIA (Rixstep) -- Jorge Luis Alvarez Medina's Black Hat presentation 'Internet Explorer turns your personal computer into a public file server' revealed an unpatchable flaw in all versions of Internet Explorer. Microsoft have admitted the flaw cannot be patched in any version.
No other web browser on the Windows platform is affected.
Microsoft Security Advisory 980088
Microsoft's security advisory of 3 February 2010 describes their investigation of a 'reported vulnerability' in IE affecting 'customers running Windows XP or who have disabled Internet Explorer Protected Mode'. They advise that the threat can be partially mitigated by isolating IE in Protected Mode.
In Windows Vista, Internet Explorer 7 runs in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code. While most Internet Explorer 7 security features will be available in Internet Explorer 7 for Windows XP Service Pack 2, Protected Mode is only available on Windows Vista because it is based on security features new to Windows Vista.
But older versions of Windows can't provide that protection.
Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4; Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows Server 2003 Service Pack 2. Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
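The advisory draws the line between exposed and not exposed at two things: the Windows version (Protected Mode exists only from Vista onward) and whether Protected Mode has been switched off for a zone. The following is an added audit script, not code from the Rixstep article or from Microsoft's advisory, that checks both on the machine it runs on. It assumes (this is not stated on the page) that the per-zone registry value named 2500 under Internet Settings\Zones holds the Protected Mode setting, with 0 meaning enabled and 3 meaning disabled, and that a Group Policy copy of that value under HKLM\Software\Policies overrides the per-user HKCU value. The final icacls call shows the Low integrity label on the LocalLow folder, which is the boundary a Protected Mode IE process is confined to when writing.

```powershell
# Added example (not from the article or the advisory): does this session fall
# into the population advisory 980088 describes as exposed?
#   - Windows XP / Server 2003 (NT 5.x): no Protected Mode at all.
#   - Vista and later: Protected Mode disabled for one or more zones.
# Assumption: value "2500" per zone = Protected Mode (0 = on, 3 = off);
# a policy copy under HKLM\Software\Policies wins over the HKCU copy.

$zoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$userZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ProtectedModeSetting {
    param([int]$Zone)
    # Check the policy hive first, then the user's own setting.
    foreach ($root in @($policyZones, $userZones)) {
        $key = Join-Path $root $Zone
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'2500'
            if ($null -ne $value) {
                return New-Object PSObject -Property @{ Zone = $zoneNames[$Zone]; Value = $value; Source = $root }
            }
        }
    }
    # No explicit value: IE applies its built-in default for that zone.
    return New-Object PSObject -Property @{ Zone = $zoneNames[$Zone]; Value = $null; Source = 'not set (zone default)' }
}

function Test-ProtectedModeExposure {
    $os = [Environment]::OSVersion.Version
    if ($os.Major -lt 6) {
        # Windows 2000 / XP / Server 2003: the advisory's unprotected population.
        return New-Object PSObject -Property @{
            Exposed = $true
            Reason  = "Windows NT $os has no Protected Mode"
            Zones   = @()
        }
    }
    $findings = foreach ($z in 1..4) { Get-ProtectedModeSetting -Zone $z }
    $disabled = @($findings | Where-Object { $_.Value -eq 3 })
    if ($disabled.Count -gt 0) {
        $names  = ($disabled | Select-Object -ExpandProperty Zone) -join ', '
        $reason = "Protected Mode disabled in: $names"
    } else {
        $reason = 'Protected Mode not explicitly disabled in any zone'
    }
    return New-Object PSObject -Property @{
        Exposed = ($disabled.Count -gt 0)
        Reason  = $reason
        Zones   = $findings
    }
}

$report = Test-ProtectedModeExposure
$report.Zones | Format-Table Zone, Value, Source -AutoSize
Write-Output ("Exposed per advisory 980088: {0} ({1})" -f $report.Exposed, $report.Reason)

# On Vista and later, Protected Mode runs IE at Low integrity. LocalLow is the
# user-profile location labelled Low; the "Low Mandatory Level" line in this
# listing is the write boundary the isolated browser is held to.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    icacls "$env:USERPROFILE\AppData\LocalLow"
}
```

Run it in the context of the user whose browser you care about, since the zone settings live under HKCU. A zone whose value is absent is reported as 'not set' rather than guessed, because IE's built-in default differs by zone.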
Bit by Bit, Word by Word
It's important to take that advisory again, bit by bit, word by word.
√ 'the ability of an attack to write, alter or destroy data on the user's machine'. That is what 'Protected Mode' is supposed to do - stop malware from getting to disk and destroying things for you. Flipping the coin over, there was no way to stop that before 'Protected Mode' came along. 'Protected Mode' doesn't protect the system - it isolates the browser.
Put another way: you really didn't have any defences. You had to rely completely on all your web applications being 100% flawless - which of course no software ever is. Now at least you have a fighting chance. For now at any rate. But what were Microsoft doing for the fifteen years they've been offering you Windows online? You had nothing in the system to defend you?
Seems that way.
√ 'an attacker may be able to access files with an already known filename'. You can remove the word 'may'. If it's 'may' then it's a certainty. Just because they haven't attacked yet doesn't mean they never will. All it means is they're busy running their other attacks for the moment.
Where's the Perimeter?
Compared to security features found in real operating systems, Microsoft's new 'Protected Mode' may be as primitive and rudimentary as it gets, but it's still a welcome improvement - it makes people more secure (as long as they're running later versions of the 'operating system').
The more far-reaching question is where the security perimeter lies. And this is important for all users of Windows. The security perimeter is not around the operating system itself but around a single web interface. The operating system itself is not secure. All Microsoft have done is isolate a web interface. The system is still wide open to exploit.
The very fact that resident malware can still 'destroy data on the user's machine' means you as a Windows user have no protection at all. As soon as the black hats uncover another hole in the web periphery, the story will repeat itself.
The very fact Microsoft are attempting to 'isolate' their web interface is a tacit admission the system itself is defenceless. Take a deep breath now while you can. The next attack is right around the corner.
And you have to abandon IE, whatever the version of IE and whatever the version of your 'OS'. There is no patch.
The Technological: Protecting Your Windows File System
Black Hat ® Technical Security Conference: DC 2010 Briefings
Network World: Researcher reveals how IE flaw can turn your PC into a public file server
Microsoft Security Advisory (980088) Vulnerability in Internet Explorer Could Allow Information Disclosure