Feeds

New attack resurrects previously patched security bugs

Coming soon: The Windows killbit bypass manual

Choosing a cloud hosting partner with confidence

Researchers may have figured out how to bypass a common technique Microsoft and other software makers have used to fix hundreds of security vulnerabilities over the past decade, according to a brief video previewing a talk scheduled for later this week at the Black Hat security conference.

The video, posted here by security researcher Ryan Smith, demonstrates a proof-of-concept attack that takes full control of a Windows machine. It works by causing IE to load MPEG2TuneRequest, an ActiveX control Microsoft blacklisted earlier this month when it fixed a critical Windows vulnerability that criminals were already targeting to take full control of end-user machines.

The video previews a talk Smith and fellow researchers Mark Dowd and David Dewey plan to deliver Wednesday at Black Hat in Las Vegas. It comes a couple weeks after a separate researcher, Halvar Flake, posted this blog item reporting that the killbit Microsoft issued earlier this month to prevent IE from loading the buggy code is "clearly insufficient."

"The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions," Flake wrote. "If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products."

That raises the possibility that fixes for potentially hundreds of vulnerabilities in Windows and third-party applications could be bypassed using the technique. If correct, that could have major implications for the safety of Windows users everywhere.

"If someone finds a way to bypass the killbit feature, it effectively means they're subverting one of the core 'black-listing' security features in Internet Explorer," said Rafal Los, a security expert and blogger for Hewlett-Packard's application security center. "That's a potential game-changer."

Los says there are "several hundred" killbits included in IE 8 running on Vista. Killbits are generally used to prevent the browser from running code that is determined to be insecure.

Smith, Dowd, and Dewey aren't saying much about their presentation prior to Tuesday's release of the emergency patches from Microsoft. A spokeswoman from IBM, where Dowd and Dewey are employed, declined to provide details except to say that Wednesday's presentation, titled "The Language of Trust: Exploiting Trust Relationships in Active Content," is specifically related to the IE and Visual Studio vulnerabilities addressed in the out-of-band patch.

The only other details provided were the following technical conditions under which killbit protections can be defeated:

"When Internet Explorer calls CoCreateInstance with a class id of a control that has been killbitted, something that should never happen, then the ProgID of the control is logged in the killbit allow log," the video, which shows the ActiveX control being exploited to open Windows Calculator on a vulnerable machine. "If the killbit is set, it should never be allowed to load in Internet Explorer...ever...much less execute shell code that runs calc.exe."

Members of Microsoft's security team are likewise saying little ahead of Tuesday's release. But it's fair to say that the severity of a vulnerability that potentially resurrects hundreds of security bugs that were presumed to have been fixed doesn't appear to have been lost on Redmond. The company has issued only eight emergency patches since October 2003, when it implemented its practice of releasing updates on the second Tuesday of each month. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED
Classified systems 'not affected' - but, is this reconnaissance?
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.