Feeds

New attack resurrects previously patched security bugs

Coming soon: The Windows killbit bypass manual

The Power of One eBook: Top reasons to choose HP BladeSystem

Researchers may have figured out how to bypass a common technique Microsoft and other software makers have used to fix hundreds of security vulnerabilities over the past decade, according to a brief video previewing a talk scheduled for later this week at the Black Hat security conference.

The video, posted here by security researcher Ryan Smith, demonstrates a proof-of-concept attack that takes full control of a Windows machine. It works by causing IE to load MPEG2TuneRequest, an ActiveX control Microsoft blacklisted earlier this month when it fixed a critical Windows vulnerability that criminals were already targeting to take full control of end-user machines.

The video previews a talk Smith and fellow researchers Mark Dowd and David Dewey plan to deliver Wednesday at Black Hat in Las Vegas. It comes a couple weeks after a separate researcher, Halvar Flake, posted this blog item reporting that the killbit Microsoft issued earlier this month to prevent IE from loading the buggy code is "clearly insufficient."

"The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions," Flake wrote. "If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products."

That raises the possibility that fixes for potentially hundreds of vulnerabilities in Windows and third-party applications could be bypassed using the technique. If correct, that could have major implications for the safety of Windows users everywhere.

"If someone finds a way to bypass the killbit feature, it effectively means they're subverting one of the core 'black-listing' security features in Internet Explorer," said Rafal Los, a security expert and blogger for Hewlett-Packard's application security center. "That's a potential game-changer."

Los says there are "several hundred" killbits included in IE 8 running on Vista. Killbits are generally used to prevent the browser from running code that is determined to be insecure.

Smith, Dowd, and Dewey aren't saying much about their presentation prior to Tuesday's release of the emergency patches from Microsoft. A spokeswoman from IBM, where Dowd and Dewey are employed, declined to provide details except to say that Wednesday's presentation, titled "The Language of Trust: Exploiting Trust Relationships in Active Content," is specifically related to the IE and Visual Studio vulnerabilities addressed in the out-of-band patch.

The only other details provided were the following technical conditions under which killbit protections can be defeated:

"When Internet Explorer calls CoCreateInstance with a class id of a control that has been killbitted, something that should never happen, then the ProgID of the control is logged in the killbit allow log," the video, which shows the ActiveX control being exploited to open Windows Calculator on a vulnerable machine. "If the killbit is set, it should never be allowed to load in Internet Explorer...ever...much less execute shell code that runs calc.exe."

Members of Microsoft's security team are likewise saying little ahead of Tuesday's release. But it's fair to say that the severity of a vulnerability that potentially resurrects hundreds of security bugs that were presumed to have been fixed doesn't appear to have been lost on Redmond. The company has issued only eight emergency patches since October 2003, when it implemented its practice of releasing updates on the second Tuesday of each month. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.