New attack resurrects previously patched security bugs
Coming soon: The Windows killbit bypass manual
Researchers may have figured out how to bypass a common technique Microsoft and other software makers have used to fix hundreds of security vulnerabilities over the past decade, according to a brief video previewing a talk scheduled for later this week at the Black Hat security conference.
The video, posted here by security researcher Ryan Smith, demonstrates a proof-of-concept attack that takes full control of a Windows machine. It works by causing IE to load MPEG2TuneRequest, an ActiveX control Microsoft blacklisted earlier this month when it fixed a critical Windows vulnerability that criminals were already targeting to take full control of end-user machines.
The video previews a talk Smith and fellow researchers Mark Dowd and David Dewey plan to deliver Wednesday at Black Hat in Las Vegas. It comes a couple weeks after a separate researcher, Halvar Flake, posted this blog item reporting that the killbit Microsoft issued earlier this month to prevent IE from loading the buggy code is "clearly insufficient."
"The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions," Flake wrote. "If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products."
That raises the possibility that fixes for potentially hundreds of vulnerabilities in Windows and third-party applications could be bypassed using the technique. If correct, that could have major implications for the safety of Windows users everywhere.
"If someone finds a way to bypass the killbit feature, it effectively means they're subverting one of the core 'black-listing' security features in Internet Explorer," said Rafal Los, a security expert and blogger for Hewlett-Packard's application security center. "That's a potential game-changer."
Los says there are "several hundred" killbits included in IE 8 running on Vista. Killbits are generally used to prevent the browser from running code that is determined to be insecure.
Smith, Dowd, and Dewey aren't saying much about their presentation prior to Tuesday's release of the emergency patches from Microsoft. A spokeswoman from IBM, where Dowd and Dewey are employed, declined to provide details except to say that Wednesday's presentation, titled "The Language of Trust: Exploiting Trust Relationships in Active Content," is specifically related to the IE and Visual Studio vulnerabilities addressed in the out-of-band patch.
The only other details provided were the following technical conditions under which killbit protections can be defeated:
"When Internet Explorer calls CoCreateInstance with a class id of a control that has been killbitted, something that should never happen, then the ProgID of the control is logged in the killbit allow log," the video, which shows the ActiveX control being exploited to open Windows Calculator on a vulnerable machine. "If the killbit is set, it should never be allowed to load in Internet Explorer...ever...much less execute shell code that runs calc.exe."
Members of Microsoft's security team are likewise saying little ahead of Tuesday's release. But it's fair to say that the severity of a vulnerability that potentially resurrects hundreds of security bugs that were presumed to have been fixed doesn't appear to have been lost on Redmond. The company has issued only eight emergency patches since October 2003, when it implemented its practice of releasing updates on the second Tuesday of each month. ®