Researchers bypass Internet Explorer Protected Mode

Researchers say they have devised a way to carry out stealthy drive-by exploits even when victims are using recent versions of Internet Explorer with a feature known as Protected Mode. The attack, described in a paper released by Verizon Business, requires the attacker to have an exploit for a vulnerability that's not …

COMMENTS

This topic is closed for new posts.
  1. James Woods

    Browsers should be browsers

    Web browsers should go back to being web browsers. If you want an application to access your computer it should be a separate application.

    Due to the greed in corporate America we've seen this fraud hit us really with nobody noticing as everything has been dumped right into the web browser.

    Thanks to them it's possible to click a web banner and find your computer destroyed or a zombie.

    Thanks for giving me Firefox that uses 250MB of RAM to view a few websites.

    I'm using nearly 200MB now with only this article and another Reg article open.

    Wonder what else Firefox is doing........

    And I'll take this a step further.

    If Microsoft and the other software computers didn't outsource everything and produce everything as cheap as possible and sell it for as much as possible I think we'd have seen various successful versions of Windows from Windows 95 and also we would have a booming software market.

    Perhaps I'm wrong, but I know I won't buy any software today. It's all made overseas and I have purchased used systems to avoid paying for a $300 Windows license all because I lost my CD.

    1. Anonymous Coward

      Something wrong

      You say that Firefox is using 200 MB of RAM for two websites? My Firefox has 11 tabs open with a Youtube video playing, and it is only using 140 MB of RAM. 3.6.12.

    2. Ole Juul

      You make your choices - others don't

      First of all, if you don't want to deal with the problems of Windows (including the price), perhaps you should use something else. If you have the option of buying used computers, then you probably have the option to make other choices as well. The problem detailed in this article does not need to affect you - nor a lot of people. It affects people who don't have a choice, whether the browser is work mandated, or they just don't know what's going on.

      Second, while I agree that low resource systems are the way to go, 250MB is not a lot for a program to use, and the browser is also pretty much the de facto OS these days.

      As to only having one window open, with Firefox specifically, you will find that the usage does not go up hugely. I'm using FF right now and it has 48 windows open (not tabs) and the usage is only twice yours. That's actually pretty good. However, I also use a number of other browsers (there's lots of choices you know) and I can vouch for the fact that there are several which "are just browsers". Epiphany is currently using 46MB and Konqueror a mere 5MB. You can also install an older version of Firefox. I suggest you start looking around.

    3. SilverWave

      500 (3 tabs huge tables) FF4.0b8pre & 207 (28tab) FF3.6.14pre but with 8GB of RAM who cares?

      I would have a look at one of the Linux's if I was you...

      Ubuntu 10.04 is nice.

      But you may be better off with a more modern PC to start with... unless you are short of cash, or you are a masochist :-)

      RAM is cheap!

    4. Test Man

      Clueless

      You don't know what you're talking about. Somehow I don't think Microsoft and other software companies are actually outsourcing everything. Seeing as Microsoft and other software companies have a big campus each with programmers, they clearly aren't outsourcing everything. And 200MB for a browser? Oh WOW, that's so much, isn't it? This is 2010, not 1990, get up to date.

      If you don't want the latest, that's your lookout. Progress won't stop for the likes of you.

  2. Arctic fox

    Pardon?

    "This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”

    "Persisted on the client"? I realise that the development of terminology often involves giving words a meaning that they did not have before, but that is downright UGLY. Far be it from me to bang on about the language of Milton and Shakespeare but there are all the same limits to how much abuse our mother tongue can take!

    1. Brezin Bardout

      Quite right.

      That word needs to be unpersisted immediately.

  3. This post has been deleted by its author

    1. Peter 39

      sure they knew the rules

      your point with Pvt. Manning (allegations at present, but I'll assume they're correct for the moment) is well taken. There ARE "need to know" rules that apply.

      What we have here is yet another command failure - classified access is subject to audit but it seems that no-one did. I can imagine that he could browse through most of the stuff about Iraq and even Afghanistan without raising much concern. But his C.O. should have questioned him after, say, the first ten State Dep't cables showed up.

      And in yet another instance of cluelessness, the general scenario of all this was known months ago. Yet State waited until after the document-dump to change procedures. Why wait? Did they believe that it didn't really happen? Or maybe they were just too busy with other things.

      When I hear of a Court Martial being scheduled for his C.O. - only then will I believe that DoD is serious about fixing this. It's not hard, and doesn't take Big-Brother technology. Just start reminding the chain of command that they are responsible for classified information in their care. A few lengthy prison terms will clear this up quicker than any technology (and we know how well that stuff goes)

      1. Anonymous Coward

        Person To Be Fired: Susan Swart

        from: http://www.state.gov/r/pa/ei/biog/100237.htm

        "Susan Swart

        Chief Information Officer

        Information Resource Management

        Term of Appointment: 02/07/2008 to present

        Susan H. Swart, a member of the Senior Foreign Service with the rank of Minister Counselor, was appointed as the Chief Information Officer for the Department of State in February 2008. As CIO, she is responsible for the Department’s information resources and technology initiatives and provides core information, knowledge management, and technology (IT) services to the Department of State and its 260 overseas missions. She is directly responsible for the Information Resource Management (IRM) Bureau's budget of $310 million, and oversees State’s total IT/ knowledge management budget of approximately one billion dollars."

        Different from my label of being "pointy-haired", she seems to have retained some hair. What she did on the "National War College" I can't fathom. Probably she learnt about all the tricks required at cocktail parties. Certainly nothing about I.T.

        Then Foreign Secretary CLINTON should get a Very Public Slapping by Mr Commander In Chief himself. But I am sure not even the CIO will get the boot. Private Manning has been identified as the witch to be burned at stake. They already destroy his mind by Isolated Incarceration.

  4. mechBgon

    I guess it's a good thing...

    ...that I configure Protected Mode to be enabled for all the Zones, including the Local Intranet Zone.

  5. JoeTheAnnoying

    This is why I won't install Windows any more...

    "It works only against machines that have the Local Intranet Zone enabled, as is the default for domain-joined workstations."

    I do IT as a hobby, not a job, so I only support 9 machines and roughly a dozen users, but the constant mantra of, "This is what Windows does by default. It compromises your security," has made me start installing Ubuntu or Kubuntu on any machine where someone expects my help. To my utter amazement, requests for my help have gone down. (Linux is great once you've configured it. But every time you want something new, you pretty much have to know your way around the command line). Either a fully-configured Linux box is more stable than Windows, or all my users have decided I'm a jerk and are going elsewhere for help. Either way, my life is easier!

    I always give people the following comparison:

    "Windows tries to do everything for you, usually does it wrong, and makes it hard to change the default settings."

    "MacOS tries to do everything for you, usually does it right, but makes it near-impossible to change the default settings."

    "Linux will do everything for you, and do it correctly, as long as you're willing to spend the 6-8 hours on the command line it takes to get the configuration settings and startup code done correctly."

    Joe

    1. Chemist

      "6-8 hours on the command line it takes"

      Well I support 7 Linux systems and whilst I agree that they are stable, reliable and require little attention I can't agree with the difficulty of configuration. Using SUSE 11.2 I NEVER use the command line to install/configure and the last machine took 20 mins from start to finish (+ updates )

    2. ArmanX

      Actually, I've found that Linux uses LESS time...

      I've recently built four systems from scratch; one each of Windows 7, Windows XP, Ubuntu 10.04, and KUbuntu 10.04, so I was able to do a quick compare of the different systems...

      Windows is only faster to work with if you buy the computer with the OS already installed, complete with drivers, programs, and anything else you want to use. Sure, the install takes less time than Ubuntu - but that's before you install your drivers and software. It took about 35 minutes for Ubuntu to install, and 25 for Windows - then it took two hours of babysitting the Windows computers to install all the software and drivers - and that's not counting updates, which took at least four hours (though as I didn't have that data cached locally, I didn't compare it against Ubuntu). In Ubuntu/KUbuntu, I selected all the software I wanted, hit install, and came back in half an hour when they were all done (note: I do have a local cache of the repositories, which cuts down on download time). Security updates, newest software, everything - installed for me. No looking around on driver websites trying to find a driver, no surfing to OpenOffice, Firefox, or any other sites to download the software I want. Better yet, if I had only wanted the default browser, instant messenger, email client, etc., I wouldn't have needed to touch the Ubuntu boxes at all, apart from setting them to use the proprietary nVidia drivers. The Windows boxes came up with *nothing* - the network card didn't even work in the XP box until I'd installed drivers for it. Windows 7 at least looked ok, but there was no software apart from IE.

      Through all of that, I touched the command line for about five minutes, and only because it's a bit faster on the command line than point-and-click.

      Windows isn't faster than Linux - it's just that most Windows users know all the tricks to keep things working, and those tricks don't work in Ubuntu, so they give up. Or refuse to give up and do things wrong... either way.

      Now, granted, some things do take longer in Linux - it took a long time for me to set up multi-seat, for one. Then again, it's not actually possible to set up multi-seat with full graphical acceleration in Windows without spending quite a bit of money, so that comparison isn't really valid...

  6. Deadly_NZ

    Linux???

    @joe the annoying

    Who has 8 to 9 hours to try to set up an operating system that hides everything ?? I installed Ubuntu 10.04 spent 2 days trying to change the screen resolution from the fucking useless 1024x768 to something that would render properly on my widescreen laptop, like 1200x800 but it was so well hidden that out came a Win 7 disk and off Ubuntu went to the great blackhole in the sky, and within 1.5 hours I had a fully working easily configurable OS and none of the Bullshit that Ubuntu/Linux puts you thru..

    I also have better things to do with my time than to fight a fucking OS for hours to get it going.. So Ubuntu gets a HUGE fail from me until they make it easier to configure and that will never happen cos the linux fanbois have no life so will happily waste all day to get an os working , me i'll take my missus to the beach

    Now I await the Flaming, I'll read it when I get back from the beach

    1. Anonymous Coward

      @Deadly_NZ: Go To An Expert ??

      If something is seriously broken with your car you certainly go to an expert garage and have an Auto-Meister fix it.

      The same is with Ubuntu: Find an expert, agree on a price and let him fix your problem. Yeah, it costs money, as all high-quality work of a professional does. In the long run, this is much cheaper than the "Windows Experience".

      1. Ragarath

        Really?

        You are really suggesting that someone "goes to an expert" (usually this means paying) just to change the screen resolution?

        1. James Butler

          @Ragarath

          If not asking for help, what would you suggest if it were a Windows user who couldn't figure out how to change their resolution?

          Under both operating systems it's exceedingly easy for someone with (a) more than a couple of days' experience with any modern UI menu metaphor and (b) a serious interest in accomplishing the task to execute it.

          However occasionally some little problem like this turns up, and sometimes the person who runs into the issue has no idea how to search Google for "<os_here> change screen resolution".

          For the record, here's how to do it in either OS:

          Windows: Start -> Control Panel -> Display -> Settings -> Screen Resolution

          Ubuntu: System -> Preferences -> Monitors -> Resolution

          (Note that there is also a right-click alternative in Windows, but it would take a lot more to explain clicking on an 'empty' area on the Desktop than these simple instructions did, and rarely are two sets of instructions for accomplishing the same task useful to someone who couldn't figure it out on their own.)

          As you can see, it is FAR more simple and intuitive to accomplish this task in Windows*, but sometimes a suggestion to find someone who knows how to do it already can keep a person with little patience and limited experience (like the op) from going completely insane.

          *Snark? You decide.

    2. JoeTheAnnoying

      That's kind of the point...

      Unfortunately, every time you post on the relative merits of various OSes, it turns into a flame war instead of a discussion.

      Yes, Windows installs much faster, is much easier to configure, and is better for end users, virtually all of whom are used to at least some flavor of Windows.

      But just yesterday afternoon, I had to spend two hours not at the beach, but uninstalling over a dozen toolbars, search tools, and desktop applications that were choking off my user's machine, all because he can't figure out that nowadays every updater (Adobe, Java, etc.) installs extra software to make a quick buck, and he can't be bothered to uncheck those little checkboxes.

      Is it Microsoft's fault? No; it's the fault of the third-party vendors who are willing to throw their users to the wolves for an extra buck. Is it my end user's fault? Absolutely. But trying to change end user behavior has been proven to be a fool's errand, which is why we all love reading BoFH.

      Does it cost me extra support time? Absolutely. The one guy who's still on Windows costs me more time than all 8 Linux machines combined. The 2-3 questions a month I get from Linux users can usually be answered with a quick 2-minute e-mail: "You need this package. Here are the instructions on how to install it." The Windows user always has to bring his machine to me, because his description of the problem is so nebulous I have to see it for myself to know what's going on.

      So my original point was that, in my personal experience, Linux takes a lot longer to set up and configure, but if you're supporting someone else's machine, it'll save you support time in the long run.

      And in relation to the original article, I should have known better than to flame bait, but I, like many readers of El Reg, get really tired of reading, "Security hole in Windows caused by unnecessarily lax default setting." All I'd like to see is Microsoft lock down its OS a bit better.

      Joe

    3. Anonymous Coward

      RE: linux???

      umm that post made me die a little inside

      "cos the linux fanbois have no life so will happily waste all day to get an os working , me i'll take my missus to the beach"

      woo look at you you're so cool lol

      and just for your reference : system>preferences>monitors (first thing i changed when i installed ubuntu was resolution... took about 10-20 seconds to find)

    4. Mr Atoz

      @ Deadly_NZ and @JoeTheAnnoying

      If you would have invested a few minutes in searching for your solution on the net you could have saved yourself a lot of time and aggravation. Everything is doable with linux once you know how. Of course there is a learning curve but once you get past that linux is rock solid and very usable as an all purpose OS. Knowing what I know now, I can have a fresh Ubuntu desk top system up, running and configured in well under an hour and most of that time is spent waiting on formatting and software loading.

      Myself, I've been windows free at home for over five years but unfortunately still have to use windows for work.

      For the record, I agree with Joe on most of what he said except his 6 - 8 hours statement and that you have to do everything from the command line.....that is just not true. Ubuntu Synaptic usually does everything, you just point and click.

    5. Paul 129

      Ask or Pay someone who knows.

      Cause you, sure as hell don't. Two days to setup a screen resolution, ROFL

      Oh sorry that's right, you're an IT Pro, not someone who knows how the stuff works.

    6. Cameron Colley

      I can't get any easier.

      Linux is as easy to install and set up as Windows nowadays, with very few exceptions*. The fact that most people know how to use Windows makes it seem easier.

      If you don't like Linux then fair enough, but please don't spout FUD because you can't be bothered spending a little time learning another way than the Microsoft way of doing things.

      *these occur the other way around too due to things like unsupported hardware.

    7. mittfh

      Linux != Hard

      I don't know about Ubuntu, but to configure almost anything on my Mandriva box (including screen resolution) just requires a trip to Mandriva Control Center.

      Usually, the only time I need to dive to a command prompt on a semi-regular basis for configuration purposes is if the screen's blank when I resume from standby (Ctrl+Alt+F1, login, "ps -A | grep compiz", "sudo kill 1234", Ctrl+Alt+F4, Alt+F3, select first item in history [/usr/bin/compiz] and OK).

      Sure, Linux takes a little getting used to, and isn't ideal for complete novices, but I'd say almost anyone who isn't scared of occasionally mucking about in a CLI would do fine with it. Never mind the fact that not only is the software itself completely free (and in the case of Mandriva, with a one line hack you can even use the updater to auto-install the latest version on release), but you've got a library of thousands of software items ready and waiting for use, numerous internet forums where you can ask for help (not to mention LUG mailing lists), it's far more secure and stable than Windoze (being built from the ground up with support for networking and multi-users, rather than the features being bolted on)...

      ...oh, and when you install stuff (either manually, through the repositories, or through the updater) it doesn't require you to reboot your machine. The most you'll ever get is something along the lines of "Please restart your computer for glibc". And OS upgrades only require one reboot to complete installation.

      And if there's a Windoze app that you simply have to use that doesn't work well under Wine, either dual boot or (if your system's up to it), ask your local geek to set it up virtualised.

    8. adnim

      I am amazed

      that it took you 2 days to click System>>Preferences>>Monitors. Normally this procedure takes around five seconds.

      Me a Linux fanboy? No. I use both Windows and Ubuntu. I would say however that I am more Linux fan, than Microsoft's bitch.

    9. RoyalHeart

      'Tis why I don't use Ubuntu

      It makes it hard to change some of the usual settings a normal user would be expected to change.

      I personally use openSUSE, and have for the past 4 years. I did my research on which distribution was the easiest to use *AND* the easiest to configure.

      Command line? I use it, *BY CHOICE*, not because I *HAVE* to use it. Some operations are faster and/or easier to do from the command line.

      [An aside on that: My wife wanted a printout of all the places in her novel where the word "picture" occurred. (I didn't ask why.) Since each chapter was a separate file in a subdirectory, and since the search term was scattered through the text, opening/searching each chapter then copying/pasting to a new text file would have been tedious, but doable. I took the easier path:

      grep -C 5 -d recurse -i "picture" "/home/<her-home-dir>/<novel-dir>"/* | lp

      The command line is only as hard as you make it: the more you are willing to learn, the easier it is. BTW, my wife *WANTS* to learn more about using the command line, because she *WANTS TO*, not because she *HAS* to.]

      "I also have better things to do with my time than to fight a fucking OS for hours to get it going.. "

      I say the same about Windows. Windows 95, 98, and XP. I'm fighting XP at the moment, setting it up in a virtual machine on the wife's laptop. (She needs Windows XP solely for Quickbooks and one other accounting application for bookkeeping business.) Explain to me why Windows *REQUIRES* her user name to be different from the machine name, when openSUSE, has *ZERO* problems distinguishing the two from each other?

      In short, you chose the wrong distribution for your needs. Never used Ubuntu nor any of its derivatives (Xubuntu and KUbuntu), but based on the hundreds of forum posts I've read on ease of use of various Linux distributions, Ubuntu and kin are not particularly suited for those users who prefer to do more than turn it on, read and write emails, play music, and surf the Web.

      To me Windows and Ubuntu are too restricted. I like getting under the hood, exploring the system, see what makes it tick. In the process I discover more reasons to explain why I switched from Windows to openSUSE Linux: a lot of the tasks I use my computer for are simply easier to do in openSUSE than Windows.

      Eight to nine hours trying to set up an OS is ridiculous, for sure, regardless of which OS it is. I will say I have spent around three hours just prior to openSUSE installing itself and my chosen software. Why? The sheer amount of software in the on-line repositories. I picked through the choices to decide what additional software I wanted openSUSE to install during the installation of openSUSE itself.

      The software management and applications in the on-line repos alone will keep me from switching back to Windows.

      BTW: Linux is the *OS*. OpenSUSE, Redhat, Ubuntu, Debian, Slackware, etc. are *DISTRIBUTIONS*. Each one takes the Linux OS and builds upon it. Ubuntu, unfortunately, locks the doors to the tool shed then hides the keys to it.

      Also, to everyone who has tried *ONLY* one or Linux distributions who had a bad experience with it (them): try a different one. You might be surprised at the difference. Just keep in mind you have a choice in desktop environments. There's KDE, Gnome, Enlightenment, XFCE, LXDE, and others. If you don't like one of them, try another. If you're not sure which to choose, install a few, since you *CAN* have more than one DE installed concurrently. You just pick which one you want during boot-up.

  7. Anonymous Coward

    Unix, Linux And The Command Line And Configuration Files

    If you want to use Linux (which is a Unix flavor), you better accept that the command line and configuration files are the proper mechanism of altering a Unix system.

    All these GUI tools and the Windows Registry are crappy band-aids. Even experts are forced to simply re-install the full Windows system, if it is seriously messed up. A Unix expert is nearly always capable of finding a problem and fixing it with the command line and configuration files. Complete reinstallations are only required if the hardware is somehow broken.

    GUIs can never have the semantic power of a command line.

    An Airbus A380 will always require experts to fly. But if all you need is a Cessna, then buy one of these. Cessnas have a much easier handling than an Airbus. The same is with Windows and Unix.

  8. Big-nosed Pengie

    Internet Exploder -

    It's its own punishment.

  9. Sceptical Bastard

    Shock! Horror!

    Internet Explorer not secure? IE vulnerable to exploits? Surely not!

    BTW, it's depressing how this comments thread has degenerated into the entirely predictable flamewar between fanbois of various OSs.

    @ Deadly_NZ: "...linux fanbois have no life ... me i'll take my missus to the beach" Well, whoopy-do, aren't you the clever one.

  10. Bigbadbod

    Ubuntu

    Well, I have to say, having dual-booted Ubuntu 10.10 on a Windows box, it's not the easiest OS in the world. I still haven't figured out how to install the wireless adaptor. The site, (getnet), even had Linux drivers, but after downloading them I have not got a clue how to install them.

    If Linux or the driver vendor had clear concise instructions on how to build and install the supplied driver I would be using it a lot more. Instead the supplied instructions just mean nothing to me, hence Ubuntu was just a toy to play with for a day or 2.

    1. Anonymous Coward

      Drivers & Linux

      For many reasons (low volume, I.P. concerns, fear of Microsoft), many hardware vendors do not properly support Linux.

      That is a general problem of the Linux economy and the only fix for it is to buy only products known for Linux support. The cheapo crap from Taiwan often doesn't qualify. For example SiS did have video drivers for Linux in the past, but the driver developer at SiS was not allowed to release it on sis.com. Instead you had to do it from a dodgy download site in Singapore.

      It appears (!) SiS got better, but often this is still the case. Many video cams don't even have a Linux driver. The same is for WLAN adapters.

      So before you buy a piece of hardware, ask your local Linux User Group whether this HW is kosher for Linux. The cheap crap from Dell or Packard Bell or BestBuy often doesn't qualify. IBM was historically very good. Today it's probably Intel components which run Linux best. Go to your local computer shop and specifically request a full-featured Linux system, where all drivers are installed. If they can't do that, go to the next shop. Use google if you don't know Linux-capable shops.

      And yes, don't try the crappy solutions like the wrappers around win32 drivers. Also, don't go down the Wine route. Lots of hardware and all Windows applications do not run on Linux. Period. Check it before you buy it.

      Samba is an evil hack because MS does not release the full SMB specifications.

      If you simply want nice GUI apps and you hate learning LaTeX, please go away.

      If you want to play the latest games, please go away.

      If you believe in paying money for "shrink-wrapped" applications and no money for the local programmer, go away.

      If you like Notes and Exchange and hate custom PHP/Perl/Postgres programming by the guy in your town, please go away.

      If you want to save money on IT professionals and prefer the "cheap" windows people, please never look at Linux.
