Researchers Bypass Internet Explorer Protected Mode | threatpost

Researchers Bypass Internet Explorer Protected Mode | threatpost.

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

The key points and recommended actions are well summarized in Verizon’s own blog post, Evaluating Protected Mode in Internet Explorer:

Since it is not an official security boundary, Microsoft does not guarantee that it will issue patches for bypasses within the monthly patch-cycle.

It can be recommended that domain administrators consider following the steps below to improve the security of Protected Mode Internet Explorer in the enterprise:

  • Ensure that User Access Control (UAC) is enabled, as disabling it will also disable Protected Mode.
  • Ensure that workstation users cannot run as administrators.
  • Enable Protected Mode for all zones where possible.
  • Disable the Local Intranet Zone, or limit the members of the zone as far as possible.
  • Ensure that third-party software vendors create software which does not incorrectly configure Internet Explorer’s elevation policy and introduce privilege escalation bugs that allow malicious code to escape from Protected Mode.

Verizon Incident Classification and Reporting

Verizon Incident Classification and Reporting.

In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.

In return for adding anonymized incident information,

…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.

Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?

The VERIS Framework is very straightforward. There are three key components to any incident – Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally corresponds to the three key parts of a sentence – Subject, Verb, Object.

There is a fourth “A” which stands for Attributes of the above mentioned three A’s. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its classification attribute selection.