Black Hat: Attack Can Turn IE Into a Public File Server


It's a familiar tune that we've all heard before: A security researcher making a presentation at the Black Hat security conference with a report on insecurity in Microsoft's Internet Explorer browser. This time, the venue is Washington D.C., and the researcher is Core Security's Jorge Luis Alvarez Medina -- and as it turns out, the issues he's detailing are, in part, retreads of items his firm has already disclosed.

Medina's talk, "Internet Explorer turns your personal computer into a public file server," discusses new attack vectors for issues that Core Security has raised in previous years, but which still represent a potential risk.

One positive finding, however, is that not all Windows users necessarily need to be concerned, as Windows 7 and Vista users don't face the same risks.

"An attacker can manage to exploit and take advantage of a series of features that Internet Explorer has because of the way it was designed and programmed," Medina told InternetNews.com. "By abusing those features, an attacker can read every file on the local disk of the victim."

The specific features that Medina believes to be at risk are related to IE's Security Zones. In June 2008 and later in August, Core Security issued a pair of advisories related to Security Zone bypass issues, which were quickly patched by Microsoft.

While the specific attack vectors outlined by Medina in 2008 have been fixed, he still sees reason for concern. Security Zones are an IE feature that provides Web applications with privileges to a user's PC depending on the application. Medina noted that exploiting IE to read a user's desktop takes advantage of this as well as the fact that IE and Windows Explorer (the Windows desktop browser) are similar.

He added that the way IE stores cookies and cached files is a particular concern.

Medina explained that the attack begins when a user clicks on a malicious link, which then triggers some JavaScript or VBScript. The malicious script then takes advantage of the IE internals to enable an attacker to read any file on a user's PC.

While Medina's attack sounds ominous, there are a number of ways users can protect themselves.

"In both of the attacks that we have previously published, we provided some workarounds for users and that would also work with the new attack I'm now talking about," Medina said. "It's the same type of attack but exploited in a different way, so the mitigation is the same."

Among the workarounds provided by Medina and Core Security is for IE users to change the IE Security Level setting for the Internet and Intranet Zones to "High," which will help to restrict unwanted scripts from running.
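For administrators who want to confirm that the workaround is in place, the following PowerShell audit is an added example, not code from Core Security, Microsoft or the article. It assumes the standard Windows URL security zone numbering (1 for Local intranet, 3 for Internet) and the standard `CurrentLevel` template value of 0x12000 for "High"; the function name `Get-IEZoneLevel` is hypothetical.

```powershell
# Added example: report the IE Security Level for the Intranet and Internet zones.
# Assumption: standard zone numbers (1 = Local intranet, 3 = Internet) and
# standard CurrentLevel template values (0x12000 = High).
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Locations where a zone level may be stored. Which one IE honours depends on
# how policy is configured on the machine, so every location found is reported.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-IEZoneLevel {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        foreach ($root in $Roots) {
            $key  = Join-Path $root "$zone"
            $prop = Get-ItemProperty -Path $key -Name CurrentLevel -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # value not set at this location

            $raw = [int]$prop.CurrentLevel
            $label = switch ($raw) {
                0x10000 { 'Low' }
                0x10500 { 'Medium-low' }
                0x11000 { 'Medium' }
                0x11500 { 'Medium-high' }
                0x12000 { 'High' }
                default { 'Custom/other' }      # slider not on a named template
            }
            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                Location = $key
                Level    = $label
                Raw      = ('0x{0:X}' -f $raw)
                IsHigh   = ($raw -eq 0x12000)
            }
        }
    }
}

# List every configured level; rows with IsHigh = False do not meet the workaround.
Get-IEZoneLevel | Format-Table -AutoSize
```

A zone reported as "Custom/other" has had individual settings changed away from a named template, so its script-related settings need to be reviewed separately.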

Another key way to mitigate risk for IE users is to upgrade their version of Windows. Both the new and the earlier security issues raised by Medina and Core Security are limited to Windows XP and prior versions of Windows.

"Newer operating systems like Windows Vista and Windows 7 have what is called 'Protected Mode,'" Medina said. "When that mode is enabled, the attack will not work as one of the features that Protected Mode has is blocking access to local resources."

As to how Medina discovered the new attack vector in IE, he noted that it's just a variant of his prior work.

"Whether I disclose technical details about how to disclose how to exploit IE's security zones in a new manner or not, it would be trivial for an attacker to find out how I can do it again," Medina said. "It's very similar to the previous advisories, just with some minor modifications in how to implement one of the steps, but it's pretty straightforward I think."

Microsoft recently provided an out-of-band update for IE, related to attacks that victimized Google in China. Those updates are unrelated to the attack vectors that Core Security is now disclosing, according to Medina.

For its part, Microsoft said that it was looking into Medina's reports of new vulnerabilities in IE.

"Microsoft is investigating a responsibly disclosed vulnerability in Internet Explorer," Dave Forstrom, group manager for Microsoft Trustworthy Computing, said in an e-mail to InternetNews.com. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact, and believe customers are at reduced risk due to responsible disclosure."

"Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves," Forstrom said.

As to what Microsoft should do to remove the risk from future variants of Medina's IE security zone bypass attacks, the security researcher doesn't think that Microsoft has many options for Windows XP users, other than patching each new attack vector as it emerges.

"One of the main issues that allows this attack to be performed is a design problem," Medina said. "So some of the features can perhaps be modified to not allow this specific attack to occur, but it cannot be removed completely due to backward compatibility. Some of the features are not possible to fix as they are design problems and changing them could perhaps impact existing applications in a negative way."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.