Have you used Internet Explorer to visit a malicious website recently? Have you used Internet Explorer to visit any website lately? How do you know for sure that you are not infected? On September 17, 2012 a zero-day vulnerability for Internet Explorer versions 6-9 was reported affecting everything from Windows XP to Windows 7 and Windows Servers. Zero-day vulnerabilities are a common fact of life, but the same old approaches to protection continue to be insufficient. Let’s discuss this vulnerability and how privilege management can mitigate the impact.
In the case of this zero-day vulnerability, a malicious website can be crafted then unsuspecting victims can visit it with Internet Explorer only to be exploited. Once exploited, security software can be disabled, files are downloaded or malicious software is installed so that system can be reused as a zombie or SPAM relay.
Traditional endpoint security technologies often struggle with zero-day vulnerabilities as there is no signature for a virus that is not known, the heuristics for malicious behavior may not be known preventing intrusion prevention from blocking the behavior, and firewalls won’t block a process that is initiated by the end user as is the case with browser vulnerabilities. Now in the case of this Internet Explorer vulnerability, heuristic signatures were created by the end of the day (September 17, 2012) that the vulnerability was publicly disclosed, but many media sources have discussed exploits in the wild. Who knows how long such vulnerability has been available to the hacker underground, but it has been known to be used since September 14, 2012.
Privilege management is simply running users and applications with least privileges necessary to compute. Historically, all Windows users have run with administrator accounts which leaves the door wide open for malware to do maximum damage against those systems. A simple mitigating factor is running with a standard user account or reducing the privileges of commonly exploited applications so that damages are minimized. Running as a standard user is easy to accomplish although many applications need privilege elevation to function via a solution such as Arellia Application Control Solution. Likewise, the ability to reduce an application’s running privileges cannot be accomplished with Windows alone.
In the case of this zero-day vulnerability, we ran tests using Rapid 7’s Metasploit to see what would happen in different privilege states. Using Metasploit, we created a malicious URL using the module for this vulnerability and accessed it from Internet Explorer. In a real world, this link might be a link to the latest headline in an e-mail, a malicious ad served through a legitimate website via an ad network, or any other social engineering to get someone to click on the URL.
Most of the world is running with Windows administrator accounts and in this case it was game over. Using Metasploit, I targeted Windows XP with Internet Explorer 8 and it was easily exploited allowing me to download files, upload applications, run a VNC session, and crack passwords. There was more that could have been done, but I stopped there. In the case of the Metasploit toolkit, a process called notepad.exe was created running as the same administrator account which accessed the malicious webpage. This process gave me the ability to do all the bad things.
Limited or Standard User Account
There are many protections for Windows by simply running as a standard user. When accessing the malicious URL as a limited user, the same notepad.exe process was spawned, but in this case it was running as the standard user that accessed the malicious web page. Using Metasploit, files could still be downloaded, but nothing could be uploaded to the file system. I was still able to run a VNC session. This falls in line with the rights of a standard user. The system was still vulnerable to data loss, but deeper infection or system modification was difficult to achieve.
Reducing Internet Explorer Privileges Using Arellia Application Control Solution
Taking things a step further, we applied a policy using Arellia Application Control Solution to reduce the privileges of Internet Explorer when logged in as an administrator. In this case, the malicious notepad.exe process was not able to spawn; thus, no data loss or further intrusion. Of course, one might ask what limitations there are with a browser running with reduced privileges. I was able to browse any website without issues. I was not able to install Adobe Flash Player from the browser when I need to access a video, but when running as a an administrator, I downloaded the Flash Player installer, ran it as an administrator and it installed perfectly allowing me to go back to Youtube and watch videos. The same limitation occurred with Silverlight and Java both of which could be installed by downloading the installer and running with administrative rights. ActiveX controls could not be installed, but this could be enabled using an additional Arellia Application Control Solution policy.
So the end effect is my browser was better protected with reduced rights using Arellia Application Control Solution and the only impact was I couldn’t install plugins from the browser (although we could create policies to make this possible). This is a reasonable tradeoff for protection against zero-day vulnerabilities.
So what does this all mean to the average enterprise? Most organizations have their users running with administrator accounts. There were at least 3 days between known exploitation of this vulnerability and the release of Intrusion Prevention signatures for major endpoint security suites to identify malicious behavior. What could happen in 3 days? Disable security software, steal data, and insert additional malicious software into the system to further access the organization. 3 days is enough to do a lot of damage.
Running as a standard user was a big improvement although it still opens the system up to data loss. Running Internet Explorer with reduced privileges limited malicious process from being launched allowing further evil from occurring. My browsing experience was exactly the same with some small differences when it came to installing plugins. And most importantly, I did this with an administrator account so I didn’t have to do anything else.
This is just an example using Internet Explorer, but zero day vulnerabilities for Adobe Reader, Adobe Flash, Microsoft Office, and other browsers will result in the same problems.
So, why are you still running with administrator rights?