Cloud Security Authors: Elizabeth White, John Katrick, Pat Romanski, Rostyslav Demush, Yeshim Deniz

Related Topics: Cloud Security

News Feed Item

Core Security Technologies Discovers Vulnerability in Microsoft’s Internet Explorer

Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for proactive enterprise security testing, today issued an advisory disclosing a vulnerability that could affect millions of individuals and businesses using Microsoft’s Internet Explorer web browsing software.

A vulnerability researcher working in CoreLabs, the research arm of Core Security Technologies, discovered that in some cases when affected versions of Internet Explorer are used to access an external website, the browser does not apply the appropriate security permissions, thus allowing unknown sites or applications to be treated as trusted URLs. This could potentially lead to malicious or infected URLs remotely executing scripts on systems running the affected versions of IE, via either drive-by or downloaded attacks, without the end user’s knowledge or permission to do so.

“This is a tangible threat to millions of individuals and organizations that use Internet Explorer to browse the web and the discovery of this vulnerability in IE highlights the reality that no vendor is immune to the perils of client application security,” said Ivan Arce, CTO of Core Security Technologies. “This issue also illustrates the fact that a group of seemingly unrelated weaknesses can be combined to construct attacks that are effective beyond the narrow scope of exploiting just a single bug. Likewise, the available workarounds show that, beyond simply deploying patches, a combination of security defenses and mitigation strategies can effectively prevent attacks.”

Vulnerability Specifics

CoreLabs initially discovered the vulnerability in Internet Explorer as part of its ongoing research efforts. The flaw specifically affects IE versions 5, 6 and 7 under Windows 2000/2003/XP and Vista. Although it is present, the vulnerability cannot be exploited when a vulnerable version of IE is used in a security-enhanced mode called “Protected Mode.” Protected Mode is enabled by default in IE 7 for Vista. At the time of the original report, Internet Explorer 8, then in the pre-release Beta phase, was also found to be vulnerable. However, the problem was fixed in the commercially released version of IE 8 and this version is therefore no longer vulnerable.

Internet Explorer utilizes a feature known as “URL Security Zones,” which defines a set of privileges for websites and applications depending on their apparent level of trustworthiness. IE zone settings include Internet Zone, Local Intranet Zone, Trusted Sites Zone (for URLs that are considered to be more reputable or trustworthy), Restricted Sites Zone (for websites that contain content that can cause or have previously caused problems) and Local Machine Zone (an unrestricted special zone that is used only by internal components of the operating system).

Internet Explorer users can assign specific websites or domains to any of the available zones except for the Local Machine Zone. The ability for a given website to perform security-sensitive operations on the web browser is determined by the Security Level of the zone to which the site was assigned. Each zone can be set to one Security Level out of three available pre-sets (Medium, Medium-High or High) or one customized by the user or system administrator.

By default, all websites that are determined not to be on the Intranet Zone and are not explicitly listed in the Restricted Sites or Trusted Sites Zones are assigned to the Internet Zone, which has a default Security Level setting of Medium-High. Thus, for most IE users the security-sensitive actions that a browser can perform while connected to a site on the Internet are those allowed by the security policy settings of the Internet Zone at the Medium-High Security Level.

A vulnerability that allows a website to perform security-sensitive actions that are disallowed by the Security Level of a given Security Zone is known as a Security Zone bypass or Security Zone elevation vulnerability and may lead to breach of other security policies, for example circumventing same domain policy restrictions.

Based on CoreLabs research, in some cases a malicious website may leverage a vulnerability and a combination of security weaknesses in the affected versions of Internet Explorer to bypass Security Zone restrictions by first serving HTML content that IE will cache in known locations in the user’s computer, and then redirecting the browser to load it from the local file system and render it as HTML. In this manner, arbitrary content provided by a potentially malicious site would able to run scripting code or ActiveX controls on vulnerable browsers and gain read access to any file stored in the user’s computer.

Exploitation of the vulnerability allows an attacker to retrieve security and privacy-sensitive data such as authentication credentials, HTTP cookies and other details of HTTP session state, as well as the contents of any local file. To successfully execute an attack, the attacker must either obtain or guess the username of the user visiting the website that delivers the exploit in order to predict the exact pathname to the cached content. In that context, lack of egress filtering for SMB connections, username leakage flaws or simple brute forcing of known usernames can facilitate attacks.

Active exploitation can be prevented by using several workarounds, which include setting the Security Level for the Internet Zone (and if necessary the Intranet Zone) to High; disabling ActiveX controls and scripting for the Internet Zone; using IE’s Protocol Lockdown feature control to restrict use of the “file:” protocol; or running IE in Protected Mode when available. These workarounds may limit or disrupt functionality of certain web applications that rely on security-sensitive actions to run properly.

The vulnerability is a variation of a similar issue catalogued by Microsoft as an Outlook Express/Windows Mail problem that involved serving HTML in the contents of HTTP cookies and remotely forcing IE to render it, which Core Security Technologies reported to the vendor in January 2008 and published, in coordination with the release of the corresponding patch by Microsoft, in August 2008 as CORE-2008-0103 Security Advisory.

Microsoft has received and acknowledged the report of this vulnerability in October 2008, fixed it for the release (RC and RTM) versions of Internet Explorer 8, and issued a security patch for the other vulnerable versions of IE.

Information on this patch and a related security bulletin published by the vendor can be found at: http://go.microsoft.com/fwlink/?LinkID=150860.

For more information on this vulnerability and the systems affected, please visit: http://www.coresecurity.com/content/ie-security-zone-bypass.

This vulnerability was discovered and researched by Jorge Luis Alvarez Medina from the Security Consulting Services team at Core Security Technologies.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@ThingsExpo Stories
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.