LAS VEGAS -- Three security researchers Wednesday described a new group of vulnerabilities related to the way software transmits data between two different components within an operating system. The flaws could be exploited to gain system access.
The interoperability weaknesses, a series of widespread and complex problems that affect Web browser controls and plug-ins developed by multiple vendors, are at the heart of the Microsoft Active Template Library (ATL) patches released this week. The updates were an attempt to block a method that bypasses a kill-bit feature commonly deployed by Microsoft to block attackers from exploiting complex vulnerabilities without addressing the underlying flaw.
The researchers found ways to bypass dozens of kill-bits deployed by Microsoft during the last five years, exploiting more than 100 ActiveX errors. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method.
"Our thesis was that this interoperability created a new and large attack surface that has previously been largely unexplored," said Dowd, who works with Dewey on the IBM Internet Security Systems' X-Force team. "There's been very little attention today for communicating the data across these boundaries."
The researchers presented a new class of interoperability vulnerabilities that could leave applications vulnerable to ActiveX attacks. Object-retention errors -- when an object within a browser is released too early or not released at all -- could lead to memory freezing and memory leaks, conditions used by hackers to run malicious code. The object-retention errors open up the browser to ActiveX flaws and could potentially be used by an attacker in drive-by attacks.
Browser trust issues also arise after a browser authorizes a plug-in that relies on other plug-ins. The browser automatically trusts the entire chain of authorization, which could allow an attacker to bypass certain security mechanisms. This kind of trust issue allowed the researchers to bypass the kill-bits deployed by Microsoft.
The researchers stressed that Microsoft repaired the vulnerabilities presented with the release of an update to its Active Template Library affecting Visual Studio. They also published a guest blog entry on the Microsoft BlueHat Blog, explaining the kill-bit bypass method.
"Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community-based defense -- broad collaboration and action from Microsoft, the security community and industry," Christopher Budd, a security program manager in the Microsoft Security Response Center, wrote on the MSRC blog.
Budd wrote that Microsoft is posting information on how developers can identify if their control or component is exploitable. In addition, Microsoft is working with the Industry Consortium for Advancement of Security on the Internet (ICASI) to offer free scanning of developer controls using Verizon Business and to determine ways to modify the control.