UW Computer Security Research and Course Blog

The latest version (7) of Microsoft’s Internet Explorer web browser, like their latest Windows (Vista) operating system, is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before.

Essentially, Protected Mode is based on the principle of least privilege, and uses various features new to Vista to limit the browser tot he minimum possible capabilities for full usefulness. The features are:

• User Access Control (UAC): Causes even programs started by members of the Administrators group to run with limited permissions by default, but allows easy mechanisms for the user to start a program with greater permissions.
• Mandatory Integrity Control (MIC): An extension to ACLs and process access tokens, MIC allows data (files and registry entries) to be restricted based on the ‘integrity’ of the program trying to access them, rather than the permissions the process was started with. There are 4 MIC levels, ranging from Low to System, and higher-integrity data is restricted for lower-integrity processes.
• User Interface Privilege Isolation (UIPI): prevents lower-integrity programs from communicating with or hooking into higher-integrity programs. This helps prevent shatter attacks, where one process elevates its privileges by sending a message to another process owned by the same user but executing with more privileges.

In protected mode, IE7 runs with Low integrity, and reads & writes to low-integrity space (browser cache, temp folder, cookies, and browser history). UIPI prevents IE7 from executing a shatter attack against higher-integrity processes (which have more access). Code executed from within IE7, such as ActiveX controls, must operate within the same restrictions. Tasks which require higher integrity, such as saving files and installing browser plugins, use special helper programs that prompt the user to confirm that the intention is expected, then execute with the integrity level necessary for the task.

Assets and goals: These goals are fairly general for home and workplace computers, such as are likely to be running IE7.

• The data stored on the computer (documents, emails, photos, and so forth), This data could be confidential or otherwise sensitive, and should be protected.
• The computer’s CPU, RAM, storage space, and network connection. It is important to prevent storing unauthorized data on the computer, or running unauthorized programs. For example, it should not be possible to use another person’s computer for sending spam email or denial of service attacks without that person’s permission.
• The privacy of the user’s interactions with the computer. Spyware can be used to illegally acquire passwords, banking or credit card information, and potentially even spy on users via webcams, microphones, etc. Interaction between users and their personal computers should be private unless the user decides otherwise.

Adversaries and threats: Attackers often attempt to compromise a system via its web browser.

• Operators of botnets (collections of computers secretly under unauthorized control) often try to use security vulnerabilities to install software that adds computers to their botnet.
• Identity thieves often use spyware the monitors everything users do with their web browsers, since this often includes entering financial information and potentially valuable passwords.
• Other security threats, from computer viruses to espionage efforts, may attempt to attack via the web browser. In other words, anything that doesn’t require physical access can, generally, be accomplished by compromising software such as web browsers.

Weaknesses: By necessity, web browsers connect to untrusted machines, download a wide variety of data, and then process that data using very complicated parsing, rendering, and scripting engines.

• ActiveX controls, while they allow very powerful and righ web pages, also potentially can cause great damage to the system. Although ActiveX controls can no longer install silently without the user intentionally modifying the system for vastly reduced security, it is still not possible for a user to know what a given control will do before it runs. A great number of IE exploits are carried out via ActiveX.
• Web browser engines are very complicated and are generally written in very low-level code. Buffer overflow and string format vulnerabilities may exist within IE’s Trident engine, potentially giving an attacker complete control of the browser. These problems are especially common in the JavaScript and VBScript engines used by IE, since scripting engines require the ability to execute code specified by the remote machine.

Defense:
By restricting the permissions of the IE7 process and all of its child processes (such as ActiveX), protected mode limits the damage that a malicious browser plug-in can do to the system; it cannot modify files, change system settings, install software, set a program to run at startup, execute shatter attacks against other programs, or start other processes with higher permissions unless it asks the user for permission first. Additionally, should an attacker manage to gain control of the IE7 process itself (such as by using a buffer overflow), they will be subject to the same restrictions. Finally, protected mode makes it easier to monitor browser behavior, such as when a page requests certain plug-ins, which helps the user monitor for potentially undesirable behavior.

Risk: Internet Explorer is very widely used (most common web browser in the world), and historically ran with high permissions despite relatively poor security. This made it a popular target for exploits. Attacks directly against the browser still appear from time to time, including zero-day exploits, which constitute a major risk. Even running without full Administrator permissions (remember that UAC causes most programs to run with limited permissions) and taking into account the other security features of the OS, compromising the browser allows an attacker to do a great deal of damage (including install software to user-controlled storage, access or modify user data, and spy on user activities).

However, many attacks today have shifted focus from the browser itself to the various plug-ins, mostly consisting of proprietary software developed by third parties, commonly found in web browsers generally and IE in particular. These include Flash Player, Acrobat Reader, RealPlayer, QuickTime, and Windows Media Player, among others. There is no practical way for a single party to assure the security of all such plug-ins, and history has shown that the risk of attacks through them is high.

Finally, people often simply underestimate the potential danger of plug-ins such as browser toolbars, video codecs, and ‘helpful’ ActiveX controls. Preying on the ignorance of computer users is a simple form of social engineering often used to install malware or gain other forms of unauthorized access. Although such attacks cannot be prevented entirely, they can be mitigated. Until users become better educated about the dangers of such things, they are a considerable risk.

Conclusions: IE7’s protected mode is a major step forward in securing the browser. It helps protect against several of the most common forms of attack, including social engineering to a limited degree, and because it is implemented using OS-imposed limitations, it works even if the browser is completely compromised. Although a certain amount of backward compatibility with legitimate programs is lost, the loss is fairly minor. Restoring the capabilities usually requires asking the user to authorize a certain action, a quick and easy process that also allows the user to permanently allow such actions in the future. To put it rather bluntly, in the default configurations IE7 on Vista is probably more secure than Firefox on XP.