Three security researchers described a new group of vulnerabilities in the way software transmits data between two different components within an operating system – a widespread and complex problem that affects Web browser controls and plug-ins developed by multiple vendors.
The interoperability weaknesses are at the heart of the
Ryan Smith, Mark Dowd and David Dewey presented their research and demonstrated successful attacks Wednesday at the 2009 Black Hat Briefings in Las Vegas. They also released a white paper detailing the issues and how they could be used to bypass the kill-bit mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls.
The researchers found ways to bypass dozens of kill-bits that Microsoft has deployed over the last five years, making over 100 ActiveX errors exploitable again. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method.
"Our thesis was that this interoperability created a new and large attack surface that has previously been largely unexplored," said Dowd, who works with Dewey on IBM Internet Security Systems' X-Force team. "There's been very little attention today for communicating the data across these boundaries."
The researchers presented a new class of interoperability vulnerabilities that could leave applications vulnerable to ActiveX attacks. Object retention errors – when an object within a browser is released too early or not released at all – could lead to memory freezing and memory leaks, conditions used by hackers to run malicious code. The object retention errors open up the browser to ActiveX flaws and could potentially be used by an attacker in drive-by attacks.
Type confusion errors occur when one data type is mistaken for another. This error blocks the wildcards used by developers in compilers such as Microsoft's Visual Studio; when the wildcards are blocked, developers don't receive a warning when coding errors are detected. Type confusion errors feed into the ActiveX problem and create other exploitable conditions when objects are not properly initialized, said Smith, a vulnerability researcher at VeriSign iDefense.
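As an added illustration of the type confusion and object initialization problem described above (example code written for this page, not from the researchers' paper or from Microsoft's Active Template Library): a tagged union loosely modelled on the COM VARIANT, with an unchecked accessor that trusts the caller's assumed type, a checked accessor that consults the tag instead, and a loader for a constructed one-byte-tag wire format that decodes only value types and rejects any tag that would let a stream supply a pointer. The struct, function names, the wire format and the use of the VT_* numeric codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tagged union loosely modelled on the COM VARIANT.
   The numeric codes mirror the real VT_* values, but the struct is our own. */
typedef enum { VT_EMPTY = 0, VT_I4 = 3, VT_BSTR = 8, VT_UNKNOWN = 13 } vartype_t;

typedef struct {
    vartype_t vt;            /* tag: says which member of u is live */
    union {
        int32_t     lVal;    /* VT_I4 */
        const char *bstrVal; /* VT_BSTR */
        void       *punkVal; /* VT_UNKNOWN (an interface pointer) */
    } u;
} variant_t;

/* Type confusion: this accessor trusts the caller's belief that v holds a
   string. If vt is really VT_I4, the integer's bytes come back as a pointer.
   Kept only to contrast with the checked accessor below. */
const char *variant_string_unchecked(const variant_t *v)
{
    return v->u.bstrVal;
}

/* Hardened accessor: the tag decides. A mismatch is an error, not a cast. */
int variant_get_string(const variant_t *v, const char **out)
{
    if (v == NULL || out == NULL || v->vt != VT_BSTR)
        return -1;
    *out = v->u.bstrVal;
    return 0;
}

/* Loader for a constructed wire format: [vt: 1 byte][payload]. Only value
   types are decoded; VT_BSTR, VT_UNKNOWN and anything else would let the
   stream supply a pointer, so they are rejected. The output is zeroed before
   any field is set, so a failed load never leaves a half-populated variant. */
int variant_load(const uint8_t *buf, size_t len, variant_t *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return -1;
    memset(out, 0, sizeof *out);   /* vt = VT_EMPTY, u zeroed */
    switch (buf[0]) {
    case VT_EMPTY:
        return 0;
    case VT_I4:
        if (len < 5)               /* short payload: reject, never read past */
            return -1;
        out->vt = VT_I4;
        out->u.lVal = (int32_t)((uint32_t)buf[1]
                               | ((uint32_t)buf[2] << 8)
                               | ((uint32_t)buf[3] << 16)
                               | ((uint32_t)buf[4] << 24));
        return 0;
    default:
        return -1;
    }
}

/* Runs five scenarios on constructed inputs and returns how many behaved as
   intended: a VT_I4 rejected by the string accessor, a real VT_BSTR accepted,
   a well-formed VT_I4 loaded, a pointer-bearing tag refused, and a truncated
   payload refused. The expected result is 5. */
int variant_self_check(void)
{
    const uint8_t good[]      = { VT_I4, 0x2a, 0x00, 0x00, 0x00 };
    const uint8_t ptr_type[]  = { VT_UNKNOWN, 0, 0, 0, 0, 0, 0, 0, 0 };
    const uint8_t truncated[] = { VT_I4, 0x2a };
    const char *s = NULL;
    variant_t v, out;
    int passed = 0;

    v.vt = VT_I4;
    v.u.lVal = 42;
    if (variant_get_string(&v, &s) == -1 && s == NULL) passed++;

    v.vt = VT_BSTR;
    v.u.bstrVal = "hello";
    if (variant_get_string(&v, &s) == 0 && strcmp(s, "hello") == 0) passed++;

    if (variant_load(good, sizeof good, &out) == 0
        && out.vt == VT_I4 && out.u.lVal == 42) passed++;
    if (variant_load(ptr_type, sizeof ptr_type, &out) == -1
        && out.vt == VT_EMPTY) passed++;
    if (variant_load(truncated, sizeof truncated, &out) == -1
        && out.vt == VT_EMPTY) passed++;

    return passed;
}

int main(void)
{
    printf("%d of 5 checks behaved as intended\n", variant_self_check());
    return 0;
}
```

The two accessors make the class of bug concrete: the unchecked one compiles without any diagnostic, which is the point the article makes about developers receiving no warning, while the checked one turns a tag mismatch into a return code. The loader shows the initialization side: the output is zeroed before decoding, and a tag that would make a pointer member live is never accepted from untrusted bytes.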
Browser trust issues also arise after a browser authorizes a plug-in that relies on other plug-ins. The browser automatically trusts the entire chain of authorization, which could allow an attacker to bypass certain security mechanisms. This kind of trust issue allowed the researchers to bypass the kill-bits deployed by Microsoft.
The researchers stressed that Microsoft repaired the vulnerabilities presented with the release of an update to its Active Template Library affecting Visual Studio. They also published a guest blog entry explaining the kill-bit bypass method.
"Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community based defense – broad collaboration and action from Microsoft, the security community and industry," wrote Christopher Budd, a security program manager in the Microsoft Security Response Center blog.
Budd wrote that Microsoft is posting information on how developers can identify whether their control or component is exploitable. In addition, Microsoft is working with ICASI to offer free scanning of developer controls using Verizon Business and to determine ways to modify the control.