TippingPoint Digital Vaccine Laboratories

Pwn2Own IE8 Exploit foiled: Is the browser finally secure?

We’ve seen a lot of questions and speculation regarding the winning pwn2own IE8 vulnerability and exploit demonstrated by the artist known only as “Nils”.


As always, we will not discuss a vulnerability before the vendor has a solution.  This is to make sure consumers aren’t inadvertently put at risk from the issue.


That said, after talking it over with folks at Microsoft, we are breaking our usual “cone of silence” a bit to talk about the EXPLOIT technique used during the pwn2own contest.  We mutually agreed that providing information about the exploit used would help educate customers about IE8’s protections as well as the configuration and platforms they are helpful on.


As a refresher, the configuration of the machine was beta pre-release version of Windows 7, and a pre-release build of IE8 as of March 18th, when the contest began.


Microsoft implemented some great exploit blocking technologies in Windows Vista: ASLR and DEP.


While the mitigations are highly effective (when properly implemented), so was the exploitation technique that broke them, handed to the community on a silver platter by Alexander Sotirov and Mark Dowd during a presentation at the Black Hat security conference in August of 2008.


If you followed the interviews closely, and read Microsoft’s Security Research and Defense blog, you may have already done the math. In case you did not, allow me to enumerate!


On March 18th, German researcher Nils won the Sony laptop and 5K by demonstrating he could gain complete control over a machine by exploiting a previously unknown “Zero Day” vulnerability in the most current Beta version of IE8. His exploit did, in fact, employ the technique found by Sotirov and Dowd.


On March 19th around 9:00AM, Microsoft made available the “official” RTW IE8 download. 


(Release to Web, or “RTW” formally moves the product out of “Beta”. From this point forward, any fixes to vulnerabilities or bugs will happen via updates or service packs.)


This released version of IE8 broke the ASLR and DEP evasion exploit technique, which is fantastic news for consumers but sad news for tools like HD Moore’s Metasploit, as well as for Nils’ exploit for IE8, with a few caveats:


First, don’t be confused by the fact that the exploit was broken: the vulnerability itself is absolutely confirmed present in the final version of IE8.


The vulnerability is also only mitigated on Windows Vista SP1 or later.  If you are running IE8 on Windows XP, the platform doesn’t implement ASLR and DEP, so other commonly known exploit techniques would work just fine.


Additionally, the mitigations against this exploit do not work in the Intranet zone. If an organization is compromised, the flaw could still be exploited from the internal network against machines running Windows Vista with IE8.
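The two caveats above (platform and zone) are things an administrator can check rather than guess at. The following PowerShell script is an added example, not code from the DVLabs post or from Microsoft: it reports the installed IE build, whether the OS is Vista SP1 or later, the system-wide DEP policy, and which domains have been explicitly mapped into the Local intranet zone (zone 1). The registry paths and the Win32_OperatingSystem property it reads are standard Windows locations; their use here for this purpose is my assumption, and the script does not cover sites that land in the Intranet zone through network-based automatic detection or the ZoneMap\Ranges IP-range keys.

```powershell
# Added check script (not part of the DVLabs post). Reports the conditions the post says the
# IE8 RTW mitigation depends on: IE build, Windows version (Vista SP1 or later), DEP policy,
# and which domains are mapped into the Intranet zone. Registry paths and WMI property names
# are standard Windows locations, assumed correct for Vista / Windows 7 era systems.

function Get-IEVersion {
    # 'Version' under HKLM\SOFTWARE\Microsoft\Internet Explorer holds the installed IE build
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -Name 'Version' `
        -ErrorAction SilentlyContinue).Version
}

function Test-VistaSP1OrLater {
    # Vista RTM is 6.0 build 6000; SP1 is build 6001. Windows 7 is 6.1.
    $v = [System.Environment]::OSVersion.Version
    ($v.Major -gt 6) -or ($v.Major -eq 6 -and ($v.Minor -ge 1 -or $v.Build -ge 6001))
}

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0=AlwaysOff, 1=AlwaysOn, 2=OptIn, 3=OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' } 1 { 'AlwaysOn' } 2 { 'OptIn' } 3 { 'OptOut' } default { 'Unknown' }
    }
}

function Get-IntranetZoneDomains {
    # Each domain key under ZoneMap\Domains carries scheme-named values (http, https, *)
    # whose data is the zone number; 1 is Local intranet. Both the per-user and the
    # per-machine maps are walked.
    $roots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValue($name) -eq 1) {
                    # Rebuild host.domain from the key path (Domains\example.com\intranet)
                    $parts = ($key.Name -split 'Domains\\')[1] -split '\\'
                    [array]::Reverse($parts)
                    [pscustomobject]@{
                        Domain = ($parts -join '.')
                        Scheme = $name
                        Source = $root.Substring(0, 4)   # HKCU or HKLM
                    }
                }
            }
        }
    }
}

"IE version : $(Get-IEVersion)"
"Vista SP1+ : $(Test-VistaSP1OrLater)"
"DEP policy : $(Get-DepPolicy)"
"Domains mapped to the Local intranet zone (the RTW mitigation does not apply there):"
Get-IntranetZoneDomains | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM map can be read. A machine that reports an IE8 build, `Vista SP1+ : False`, or a DEP policy of `AlwaysOff` is outside the configuration the post describes as protected, and every domain listed in the last table is one where the Intranet-zone caveat applies regardless.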


(Mark Dowd also has an excellent technical write-up about this fix on the Frequency X blog here.)


Here today, gone tomorrow, and vice versa. It’s the nature of the ongoing battle between the software vendors working to block newly developed exploit techniques and the community working to circumvent such road blocks.  This battle is the driving force that leads to more secure products, as Microsoft has demonstrated with the changes to the RTW version of IE8 on Vista.


(If you are a conspiracy theorist, you may ask yourself why Microsoft waited for the final released version of IE8 to break the exploit technique, instead of including it in previous beta updates, as they surely didn’t do it overnight, and not for the benefit of pwn2own!)


In summary, it was a narrow miss for Nils! Had the contest started one day later, his exploit would have been foiled by the RTW of IE8. Given the severity of the vulnerability itself, we would have worked hard to come to an agreement with him to purchase the flaw and turn it over to Microsoft anyhow; it still needs to be patched.


Don’t let all the doom and gloom about this flaw get you blue.  Because of the combined disclosure policies of ZDI, Microsoft and the researcher NDA, no one is actually at risk.


Tags: cansecwest,pwn2own
Published On: 2009-03-27 07:30:35
