Hack contest sponsor confirms IE8 bug in final code
Final bits block the exploit on Vista SP1 and Windows 7, but XP still open to attack
Computerworld - The final version of Microsoft Corp.'s Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed today.
But the exploit used by the computer science student to break the release candidate of IE8 -- and walk away with a Sony laptop and $5,000 in cash -- won't work on the final version of IE8 as long as it's running in Windows Vista Service Pack 1 or Windows 7, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint unit.
Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because Nils, the German student who gave only his first name, hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later.
Today, Forslof put the chatter to rest by confirming that IE8's RTW, or "release to Web" portions, were immune from Nils' hack. "His exploit did, in fact, employ the technique found by Sotirov and Dowd," said Forslof, referring to work by Alex Sotirov and Mark Dowd, two researchers who announced last summer that they were able to bypass two of Vista's biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention).
Microsoft made changes to IE8 between RC1 and the final code that blocked Dowd's and Sotirov's circumvention technique, thereby making Nils' exploit moot -- but only in some situations, said Forslof today.
"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly known techniques."
Also at risk, said Forslof, are users running IE8 on the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.
Forslof declined to confirm whether the bug also exists in older versions of IE, such as IE7. "We're not going to comment on that because we're still confirming the vulnerability on the previous versions ourselves," she said. "So we'll let Microsoft handle that [announcement]."
But Forslof suspects that IE7 is vulnerable. "My guess would be yes," she said. "A lot of times, researchers look at the current software, in this case IE7, find a bug, then they test on the beta of the next. If they find it there [in IE8], they wait and see whether it's fixed in the final."
Microsoft has said little about the IE8 vulnerability, although during an online Q&A on Wednesday, the browser team noted that Nils' exploit wouldn't work on the RTW edition. "We can say that the attack as demonstrated in Pwn2Own at CanSecWest will not succeed on the RTW build released on March 19 because of changes that can block the ASLR+DEP .Net bypass demonstrated by Dowd and Sotirov," said Kymberlee Price, a program manager for IE8 security.
Mozilla Corp., whose Firefox browser was also hacked by Nils last week, plans to patch that flaw, as well as another that just went public, next week. However, Microsoft has not spelled out a timetable for an IE fix.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!