Hack contest sponsor confirms IE8 bug in final code
Final bits block the exploit on Vista SP1 and Windows 7, but XP still open to attack
Computerworld - The final version of Microsoft Corp.'s Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed today.
But the exploit used by the computer science student to break the release candidate of IE8 -- and walk away with a Sony laptop and $5,000 in cash -- won't work on the final version of IE8 as long as it's running in Windows Vista Service Pack 1 or Windows 7, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint unit.
Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because Nils, the German student who gave only his first name, hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later.
Today, Forslof put the chatter to rest by confirming that IE8's RTW, or "release to Web," version was immune from Nils' hack. "His exploit did, in fact, employ the technique found by Sotirov and Dowd," said Forslof, referring to work by Alex Sotirov and Mark Dowd, two researchers who announced last summer that they were able to bypass two of Vista's biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention).
Microsoft made changes to IE8 between RC1 and the final code that blocked Dowd's and Sotirov's circumvention technique, thereby making Nils' exploit moot -- but only in some situations, said Forslof today.
"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly known techniques."
Also at risk, said Forslof, are users whose IE8 is loading pages in the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.
Forslof declined to confirm whether the bug also exists in older versions of IE, such as IE7. "We're not going to comment on that because we're still confirming the vulnerability on the previous versions ourselves," she said. "So we'll let Microsoft handle that [announcement]."
But Forslof suspects that IE7 is vulnerable. "My guess would be yes," she said. "A lot of times, researchers look at the current software, in this case IE7, find a bug, then they test on the beta of the next. If they find it there [in IE8], they wait and see whether it's fixed in the final."
Microsoft has said little about the IE8 vulnerability, although during an online Q&A on Wednesday, the browser team noted that Nils' exploit wouldn't work on the RTW edition. "We can say that the attack as demonstrated in Pwn2Own at CanSecWest will not succeed on the RTW build released on March 19 because of changes that can block the ASLR+DEP .Net bypass demonstrated by Dowd and Sotirov," said Kymberlee Price, a program manager for IE8 security.
Mozilla Corp., whose Firefox browser was also hacked by Nils last week, plans to patch that flaw, as well as another that just went public, next week. However, Microsoft has not spelled out a timetable for an IE fix.