Microsoft kill-bits, browser plug-ins pose big risks, say Black Hat researchers

By Robert Westervelt, News Editor
29 Jul 2009 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- Three security researchers Wednesday described a new group of vulnerabilities related to the way software transmits data between two different components within an operating system. The flaws could be exploited to gain system access.

The interoperability weaknesses, a series of widespread and complex problems that affect Web browser controls and plug-ins developed by multiple vendors, are at the heart of the Microsoft Active Template Library (ATL) patches released this week. The updates were an attempt to block a method that bypasses a kill-bit feature commonly deployed by Microsoft to block attackers from exploiting complex vulnerabilities without addressing the underlying flaw.

Ryan Smith, Mark Dowd and David Dewey presented their research and demonstrated successful attacks Wednesday at the Black Hat USA 2009 conference and briefings. They also released a white paper detailing the issues and how they could lead to ways to bypass the kill-bit mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls.

The researchers found ways to bypass dozens of kill-bits deployed by Microsoft during the last five years, exploiting more than 100 ActiveX errors. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method.

"Our thesis was that this interoperability created a new and large attack surface that has previously been largely unexplored," said Dowd, who works with Dewey on the IBM Internet Security Systems' X-Force team. "There's been very little attention today for communicating the data across these boundaries."

The researchers presented a new class of interoperability vulnerabilities that could leave applications vulnerable to ActiveX attacks. Object-retention errors -- when an object within a browser is released too early or not released at all -- could lead to memory freezing and memory leaks, conditions used by hackers to run malicious code. The object-retention errors open up the browser to ActiveX flaws and could potentially be used by an attacker in drive-by attacks.
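The two object-retention cases described above, modeled in C as an added example; this is not code from the researchers' white paper or from any Microsoft library. `Obj`, `Holder` and every function name are hypothetical, and liveness is tracked in a flag on stack storage so the flawed path can be observed without touching freed memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed COM-style reference-counted object (hypothetical names). */
typedef struct Obj { int refs; int alive; } Obj;

static void obj_init(Obj *o)   { o->refs = 1; o->alive = 1; }
static void obj_addref(Obj *o) { o->refs++; }
static void obj_release(Obj *o) {
    if (--o->refs == 0) o->alive = 0;  /* a real destructor would free here */
}

/* A plug-in that keeps a pointer handed to it by its host. */
typedef struct Holder { Obj *kept; } Holder;

/* Flawed: keeps the pointer without taking a reference of its own. */
static void store_flawed(Holder *h, Obj *o) { h->kept = o; }

/* Corrected: holds a reference for as long as the pointer is kept. */
static void store_fixed(Holder *h, Obj *o) { obj_addref(o); h->kept = o; }
static void clear_fixed(Holder *h) {
    if (h->kept) { obj_release(h->kept); h->kept = NULL; }
}

/* Released too early: is the kept pointer still live once the host lets go? */
int kept_valid_after_host_release(int use_fixed) {
    Obj o;
    Holder h = { NULL };
    obj_init(&o);                      /* host owns the first reference */
    if (use_fixed) store_fixed(&h, &o); else store_flawed(&h, &o);
    obj_release(&o);                   /* host drops its reference */
    int valid = h.kept->alive;         /* 0 means the holder's pointer dangles */
    if (use_fixed) clear_fixed(&h);
    return valid;
}

/* Not released at all: references still outstanding after teardown. */
int refs_left_after_teardown(int skip_release) {
    Obj o;
    Holder h = { NULL };
    obj_init(&o);
    store_fixed(&h, &o);
    obj_release(&o);
    if (!skip_release) clear_fixed(&h);
    return o.refs;                     /* nonzero means the object leaked */
}

int main(void) {
    printf("flawed store, pointer live: %d\n", kept_valid_after_host_release(0));
    printf("fixed store, pointer live:  %d\n", kept_valid_after_host_release(1));
    printf("refs left, release skipped: %d\n", refs_left_after_teardown(1));
    printf("refs left, release done:    %d\n", refs_left_after_teardown(0));
    return 0;
}
```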

They also discussed type-confusion errors -- when one data type is mistaken for another. This error blocks wildcards used by developers in a compiler, such as Microsoft's Visual Studio. When the wildcards are blocked, developers don't receive a warning when coding errors are detected. Type-confusion errors feed into the ActiveX problem and other exploitable conditions when objects are not properly initialized, said Smith, a vulnerability researcher with VeriSign Inc.'s iDefense unit.

Browser trust issues also arise after a browser authorizes a plug-in that relies on other plug-ins. The browser automatically trusts the entire chain of authorization, which could allow an attacker to bypass certain security mechanisms. This kind of trust issue allowed the researchers to bypass the kill-bits deployed by Microsoft.

The researchers stressed that Microsoft repaired the vulnerabilities presented with the release of an update to its Active Template Library affecting Visual Studio. They also published a guest blog entry on the Microsoft BlueHat Blog, explaining the kill-bit bypass method.

"Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community-based defense -- broad collaboration and action from Microsoft, the security community and industry," Christopher Budd, a security program manager in the Microsoft Security Response Center, wrote on the MSRC blog.

Budd wrote that Microsoft is posting information on how developers can identify if their control or component is exploitable. In addition, Microsoft is working with the Industry Consortium for Advancement of Security on the Internet (ICASI) to offer free scanning of developer controls using Verizon Business and to determine ways to modify the control.
