Article

Microsoft kill-bits, browser plug-ins pose big risks, say Black Hat researchers

Robert Westervelt, News Editor

LAS VEGAS -- Three security researchers Wednesday described a new group of vulnerabilities related to the way software transmits data between two different components within an operating system. The flaws could be exploited to gain system access.

The interoperability weaknesses, a series of widespread and complex problems that affect Web browser controls and plug-ins developed by multiple vendors, are at the heart of the

Requires Free Membership to View

Microsoft Active Template Library (ATL) patches released this week. The updates were an attempt to block a method that bypasses a kill-bit feature commonly deployed by Microsoft to block attackers from exploiting complex vulnerabilities without addressing the underlying flaw.

Ryan Smith, Mark Dowd and David Dewey presented their research and demonstrated successful attacks Wednesday at the Black Hat USA 2009 conference and briefings. They also released a white paper detailing the issues and how they could lead to ways to bypass the kill-bit mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls.

The researchers found ways to bypass dozens of kill-bits deployed by Microsoft during the last five years, exploiting more than 100 ActiveX errors. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method.

"Our thesis was that this interoperability created a new and large attack surface that has previously been largely unexplored," said Dowd, who works with Dewey on the IBM Internet Security Systems' X-Force team. "There's been very little attention today for communicating the data across these boundaries."

The researchers presented a new class of interoperability vulnerabilities that could leave applications vulnerable to ActiveX attacks. Object-retention errors -- when an object within a browser is released too early or not released at all -- could lead to memory freezing and memory leaks, conditions used by hackers to run malicious code. The object-retention errors open up the browser to ActiveX flaws and could potentially be used by an attacker in drive-by attacks.

They also discussed type-confusion errors -- when one data type is mistaken for another. This error blocks wildcards used by developers in a compiler, such as Microsoft's Visual Studio. When the wildcards are blocked, developers don't receive a warning when coding errors are detected. Type-confusion errors feed into the ActiveX problem and other exploitable conditions when objects are not properly initializing, said Smith, a vulnerability researcher with VeriSign Inc.'s iDefense unit.

Browser trust issues also arise after a browser authorizes a plug-in that relies on other plug-ins. The browser automatically trusts the entire chain of authorization, which could allow an attacker to bypass certain security mechanisms. This kind of trust issue allowed the researchers to bypass the kill-bits deployed by Microsoft.

The researchers stressed that Microsoft repaired the vulnerabilities presented with the release of an update to its Active Template Library affecting Visual Studio. They also published a guest blog entry on the Microsoft BlueHat Blog, explaining the kill-bit bypass method.

"Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community-based defense -- broad collaboration and action from Microsoft, the security community and industry," Christopher Budd, a security program manager in the Microsoft Security Response Center, wrote on the MSRC blog.

Budd wrote that Microsoft is posting information on how developers can identify if their control or component is exploitable. In addition, Microsoft is working with the Industry Consortium for Advancement of Security on the Internet (ICASI) to offer free scanning of developer controls using Verizon Business and to determine ways to modify the control.