Feeds

New attack resurrects previously patched security bugs

Coming soon: The Windows killbit bypass manual

Beginner's guide to SSL certificates

Researchers may have figured out how to bypass a common technique Microsoft and other software makers have used to fix hundreds of security vulnerabilities over the past decade, according to a brief video previewing a talk scheduled for later this week at the Black Hat security conference.

The video, posted here by security researcher Ryan Smith, demonstrates a proof-of-concept attack that takes full control of a Windows machine. It works by causing IE to load MPEG2TuneRequest, an ActiveX control Microsoft blacklisted earlier this month when it fixed a critical Windows vulnerability that criminals were already targeting to take full control of end-user machines.

The video previews a talk Smith and fellow researchers Mark Dowd and David Dewey plan to deliver Wednesday at Black Hat in Las Vegas. It comes a couple weeks after a separate researcher, Halvar Flake, posted this blog item reporting that the killbit Microsoft issued earlier this month to prevent IE from loading the buggy code is "clearly insufficient."

"The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions," Flake wrote. "If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products."

That raises the possibility that fixes for potentially hundreds of vulnerabilities in Windows and third-party applications could be bypassed using the technique. If correct, that could have major implications for the safety of Windows users everywhere.

"If someone finds a way to bypass the killbit feature, it effectively means they're subverting one of the core 'black-listing' security features in Internet Explorer," said Rafal Los, a security expert and blogger for Hewlett-Packard's application security center. "That's a potential game-changer."

Los says there are "several hundred" killbits included in IE 8 running on Vista. Killbits are generally used to prevent the browser from running code that is determined to be insecure.

Smith, Dowd, and Dewey aren't saying much about their presentation prior to Tuesday's release of the emergency patches from Microsoft. A spokeswoman from IBM, where Dowd and Dewey are employed, declined to provide details except to say that Wednesday's presentation, titled "The Language of Trust: Exploiting Trust Relationships in Active Content," is specifically related to the IE and Visual Studio vulnerabilities addressed in the out-of-band patch.

The only other details provided were the following technical conditions under which killbit protections can be defeated:

"When Internet Explorer calls CoCreateInstance with a class id of a control that has been killbitted, something that should never happen, then the ProgID of the control is logged in the killbit allow log," the video, which shows the ActiveX control being exploited to open Windows Calculator on a vulnerable machine. "If the killbit is set, it should never be allowed to load in Internet Explorer...ever...much less execute shell code that runs calc.exe."

Members of Microsoft's security team are likewise saying little ahead of Tuesday's release. But it's fair to say that the severity of a vulnerability that potentially resurrects hundreds of security bugs that were presumed to have been fixed doesn't appear to have been lost on Redmond. The company has issued only eight emergency patches since October 2003, when it implemented its practice of releasing updates on the second Tuesday of each month. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.