Getting Out of Jail: Escaping Internet Explorer Protected Mode
Linked by Thom Holwerda on Tue 13th Nov 2007 16:22 UTC, submitted by netpython
Internet Explorer "With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as 'integrity levels', this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new 'low-rights' mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista."
E-mail Print r 0   13 Comment(s) http://osne.ws/elf
Order by: Score:
Add Comment Post a Comment
o/
by makc on Tue 13th Nov 2007 16:59 UTC
makc
Member since:
2006-01-11

Serious approach to the issue and well written.
Please more quality (like this) and less pointless bashing ;)

Reply Score: 5

Good ... just hope it works
by shaniadollinger on Tue 13th Nov 2007 17:41 UTC
shaniadollinger
Member since:
2007-07-04

I think this is good for a lot of Windows users that are theoretically more secure. Anyway, and taking a look at Microsoft history, it may be just one more buggy piece of software that could break more things than it tries to fix.

Reply Score: 2

RE: Good ... just hope it works
by dude on Tue 13th Nov 2007 17:49 UTC in reply to "Good ... just hope it works"
dude Member since:
2007-09-27

the summary is deceiving, this is an article about an exploit based on this feature.

Reply Score: 4

interesting
by dude on Tue 13th Nov 2007 17:45 UTC
dude
Member since:
2007-09-27

That was a good read. From what i gathered, the real problem is that this bug can give full access if you are running as an administrator with at least one program running with full authenticated privileges. This is because it gives you full access to the processes of your user. It seems that this could have been less scary of a bug if when you authenticated a program for privilege escalation, it was run as a different user, like how authenticating on OS X/Unix runs the program as root, not the user that started the process.

Reply Score: 2

A step in the right direction
by google_ninja on Tue 13th Nov 2007 20:07 UTC
google_ninja
Member since:
2006-02-05

Kind of an odd article. It could be summed up as "if you exploit UAC, you can do bad things". Granted, this kind of exploit is not a good thing, especially when people are being told that IE is locked down now, but still. The author even says that it will be fixed in SP1, so its not like this is an issue MS is ignoring.

My only real problem with UAC is that there is no reason to go the MAC direction for desktop operating systems. The advantages to that kind of model are finely grained access control over specific processes, the disadvantages are far more complexity. Why would you go for the more complex system when you are aiming this at non technical users?

IMHO, Fedora's approach is the best. They have the ridiculesly complex SELinux installed by default, however their policy targets only system processes, for userland it lets people stick with the easy to understand DAC model.

Edited 2007-11-13 20:13 UTC

Reply Score: 2

RE: A step in the right direction
by superman on Tue 13th Nov 2007 20:13 UTC in reply to "A step in the right direction"
superman Member since:
2006-08-01

> for userland it lets people stick with the easy to understand DAC model.

This will change. But just for things really important. Like ~/.gnupg .

Reply Score: 1

RE: A step in the right direction
by gilboa on Wed 14th Nov 2007 15:14 UTC in reply to "A step in the right direction"
gilboa Member since:
2005-07-06

"IMHO, Fedora's approach is the best. They have the ridiculesly complex SELinux installed by default, however their policy targets only system processes, for userland it lets people stick with the easy to understand DAC model."

selinux-policy-targeted is slowly getting more and more profiles.
In the long run it will include user applications such as firefox and konq/nautilus/etc.

- Gilboa

Reply Score: 2

netpython Member since:
2005-07-06

In the long run it will include user applications such as firefox and konq/nautilus/etc.

The targeted profile allready covered firefox,thunderbird etc in FC7. Have a look at the SELinux booleans :-)

Reply Score: 2

gilboa Member since:
2005-07-06

My mistake.
mozilla_exec_t does exist.

I wonder how sandboxed the firefox profile is.

- Gilboa

Reply Score: 2

Hmm
by judgen on Tue 13th Nov 2007 22:58 UTC
judgen
Member since:
2006-07-12

If Windows 7 is to Vista, what XP was to ME im sure it will be great, so i will definitly not buy vista. Holding out to switch untill 2009 does not seem too long either. As said before, no matter how pretty the flower is that grows in a piece of dung, it still is a piece of dung.
IE8 might be in Win7 and might also be the break from crappyness that IE7 started out to be. But i sincearly hope they make a browser with a engine chooser. If i want to use gecko, opera och an other engine inside IE and they would allow it, that would be amazing. And for browser testing purposes it would be awsome. BTW never gotten a spyware with malware with lynx. =)

Reply Score: 1

RE: Hmm
by gonzo on Wed 14th Nov 2007 00:59 UTC in reply to "Hmm"
gonzo Member since:
2005-11-10

But i sincearly hope they make a browser with a engine chooser. If i want to use gecko, opera och an other engine inside IE and they would allow it, that would be amazing.

How is this a big issue? I mean, why can't you just install Firefox?

Reply Score: 1

RE[2]: Hmm
by pixel8r on Wed 14th Nov 2007 02:38 UTC in reply to "RE: Hmm"
pixel8r Member since:
2007-08-11

But i sincearly hope they make a browser with a engine chooser. If i want to use gecko, opera och an other engine inside IE and they would allow it, that would be amazing.

How is this a big issue? I mean, why can't you just install Firefox?


haha very true - if you take away the engine from IE - what do you have left?

is there some attractiveness to the window border and menus of IE that i've been missing all this time? If anything I'd want to keep firefox and use a different rendering engine - at least firefox has cool features like plugins. ;)

Reply Score: 1

RE[3]: Hmm
by raver31 on Wed 14th Nov 2007 19:39 UTC in reply to "RE[2]: Hmm"
raver31 Member since:
2005-07-06

hang on for a bit, some KDE4 will make the leap from Linuxland to Windowsville, and Windows users will at long last be able to sample the browsing goodness of the mighty Konqueror.

Reply Score: 2

Add Comment Post a Comment