Another day, and another unmanaged-code remote command execution in IE. What is relevant in the ISS alert (see end of this post) is that IE 7 beta 2 is also vulnerable, which leads me to this post's questions:
1) Will IE 7.0 be more secure than IE 6.0 (i.e. two years after it is released, will the number of exploits and attacks be smaller than today? And will it be a trustworthy browser?)

2) Given that Firefox is also built on unmanaged code, isn't Firefox as insecure and as dangerous as IE?

3) Since my assets as a user exist in user land, isn't the risk profile of malicious unmanaged code (deployed via IE/Firefox) roughly the same whether I am running as a 'low privileged' user or as administrator? (At the end of the day, in both cases the malicious code will still be able to: access my files, access all websites for which I have stored credentials in my browser (cookies or username/password pairs), access my VPNs, attack other computers on the local network, install key loggers, establish two-way communication with an Internet-based botnet, etc. ... basically everything except rooting the box, disabling AVs and installing persistent hooks (unless, of course, this malicious code executes a successful escalation-of-privilege attack).)

4) Finally, isn't the solution for the creation of secure and trustworthy Internet browsing environments the development of browsers written in 100% managed and verifiable code, which execute in secure and very restricted Partially Trusted Environments (under .Net, Mono or Java)? This way, the risk of buffer overflows will be very limited, and when logic or authorization vulnerabilities are discovered in this 'Partially Trusted IE', the 'Secure Partially Trusted environment' will limit what the malicious code (i.e. the exploit) can do.

This last question/idea is based on something that I have been defending for quite a while now (a couple of years), which is: "Since it is impossible to create bug/vulnerability-free code, our best solution for creating more secure and safer computing environments (compared to the ones we have today) is to execute those applications in sandboxed environments."
Basically, we need to be able to safely handle malicious code executed in our user's session, in a web server, in a database engine, etc. Our current security model is based on the concept of preventing malicious code from being executed (something which is becoming more and more impossible to do), versus the model of 'malicious payload containment' (i.e. sandboxing). And in my view, creating sandboxes for unmanaged code is very hard or even impossible (at least in the current Windows architecture), so the only solution that I am seeing at the moment is to create sandboxes for managed and verifiable code. Fortunately, both .Net and Java have architectures that allow the creation of these 'secure' environments (CAS and Security Manager).

Unfortunately, today there is NO BUSINESS case to do this. The paying customers are not demanding products that don't have the ability to 'own' their data center, software companies don't want to invest in the development of such applications, nobody is liable for anything, malicious attackers have not exploited this insecure software development and deployment environment (they still have too much money to harvest via Spyware/Spam), and the Framework developers (Microsoft, Sun, Novell, IBM, etc.) don't want to rock the boat and explain to their clients that they should be demanding (and only paying for) applications that can be safely executed in their corporate environment (i.e. ones where malicious activities are easily detectable, preventable and contained (something which I believe we only have a chance of doing with managed and verifiable code)).

I find it ironic that Microsoft now looks at Oracle and says 'We are so much better than them on Security', when the reason why Oracle has not cared (so far) about security is the same reason why Microsoft doesn't make any serious effort to promote and develop Partially Trusted .Net applications: there is no business case for either.
Btw, if Microsoft publicly admitted that the current application development practice of ONLY creating Full Trust code IS A MASSIVE PROBLEM, and if Microsoft spent considerable resources and focus on turning that boat around, the resulting 'partially trusted application' environment (which could then be enforced by default for all locally executed code) would have more impact in creating a secure and trustworthy computing environment than all LUAs and UACs put together :)

Finally, you might have noticed that whenever I talked about 'managed code', I mentioned 'managed and verifiable code'. The reason for this distinction is that I discovered recently that .Net code executed under Full Trust cannot (or should not) be called 'managed code', since the .Net Framework will not verify that code (because it is executed under Full Trust). This means that I can write MSIL code which breaks type safety and execute it without errors in a Full Trust .Net environment.

...in the hope that somebody is listening ....

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net

-------- Original Message --------
Subject: ISS Protection Brief: Microsoft IE createTextRange() Remote Command Execution
Date: Fri, 24 Mar 2006 14:55:42 -0500 (EST)
From: X-Force <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Internet Security Systems Protection Alert
March 24, 2006

Microsoft IE createTextRange() Remote Command Execution

Version: 1.0

Summary:
A vulnerability was reported in the way Microsoft Internet Explorer handles unexpected method calls. Exploitation of this vulnerability could lead to remote code execution under the security context of the user viewing a malicious web page.

Description:
Internet Explorer does not properly handle the createTextRange() method when invoked on a checkbox object. Because of this, a call is made to a predictable location in memory. An attacker can easily fill this predictable location in memory with malicious code to be executed.
Business Impact:
Compromise of the operating system can lead to exposure of confidential information, loss of productivity, and further network compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to one's networks and machines.

Affected Products:
* Microsoft Corporation: Microsoft Internet Explorer 6.0
* Microsoft Corporation: Microsoft Internet Explorer 6.0 SP1
* Microsoft Corporation: Microsoft Internet Explorer 7 Beta 2
* Microsoft Corporation: Windows 95
* Microsoft Corporation: Windows 98
* Microsoft Corporation: Windows 98 Second Edition
* Microsoft Corporation: Windows Me
* Microsoft Corporation: Windows XP
* Microsoft Corporation: Windows 2000 Any version
* Microsoft Corporation: Windows 2003 Any version
* Microsoft Corporation: Windows NT 4.0

______________________________________________________________________

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world's leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, ISS' integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-Force® research and development team, the unequivocal world authority in vulnerability and threat research. ISS' product line is also complemented by comprehensive Managed Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.

Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved worldwide. This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc.
If you wish to reprint the whole or any part of this document, please email [EMAIL PROTECTED] for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to:
X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.
[EMAIL PROTECTED] of Internet Security Systems, Inc.

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
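The post above argues for 'malicious payload containment' through CAS rather than preventing execution, and contrasts it with the Full Trust that locally executed .Net code gets by default. The following is an added example, not code from the post or from the OWASP .Net project, that shows the same 'payload' (a routine that tries to read a file it was never granted) running once in the default full-trust AppDomain and once inside a partially trusted AppDomain whose grant set is Execution only. It assumes the .NET Framework (2.0 through 4.x; CAS sandboxing does not exist on .NET Core / .NET 5+), and the file name secret.txt under the temp directory is a hypothetical target created by the host for the demonstration.

```csharp
// Added example (not from the original post): contain a 'payload' in a
// partially trusted AppDomain using .NET Framework CAS. Requires the
// .NET Framework; CAS sandboxing is not available on .NET Core / .NET 5+.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Code that will run inside the sandbox. MarshalByRefObject lets the host
// call it across the AppDomain boundary (arguments/results are marshalled).
public class UntrustedWorker : MarshalByRefObject
{
    // Simulates payload behaviour: read a file the caller never granted.
    // Returns a short status string so the host can show the outcome.
    public string TryReadFile(string path)
    {
        try
        {
            string text = File.ReadAllText(path);
            return "READ OK (" + text.Length + " chars)";
        }
        catch (SecurityException ex)
        {
            // The FileIOPermission demand made by File.ReadAllText failed:
            // CAS contained the access instead of the code being 'prevented'.
            return "DENIED: " + ex.GetType().Name;
        }
    }
}

public static class SandboxDemo
{
    // Grant set for the sandbox: nothing but the right to execute code.
    // No FileIOPermission, no UI, no network, no reflection, no unmanaged code.
    static PermissionSet ExecuteOnly()
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        return ps;
    }

    public static void Main()
    {
        // Hypothetical target file (constructed for the demo) so that the
        // full-trust read has something to succeed on.
        string target = Path.Combine(Path.GetTempPath(), "secret.txt");
        File.WriteAllText(target, "stored credentials would live here");

        // 1. Same code, Full Trust: the default for locally executed code.
        //    Nothing stops the read.
        Console.WriteLine("full trust:    " + new UntrustedWorker().TryReadFile(target));

        // 2. Same code, Partial Trust: load the assembly into a sandboxed
        //    AppDomain. ApplicationBase must be set so the assembly can be
        //    found; null evidence plus an explicit grant set means every
        //    assembly loaded into this domain (except GAC/framework ones)
        //    gets exactly ExecuteOnly().
        var setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };
        AppDomain sandbox = AppDomain.CreateDomain(
            "PartialTrust", null, setup, ExecuteOnly());
        try
        {
            var worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);
            Console.WriteLine("partial trust: " + worker.TryReadFile(target));
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Compile with the .NET Framework C# compiler (csc.exe) and run; the first line reports a successful read, the second reports the SecurityException raised by the FileIOPermission demand inside the sandbox. The design point is the one the post makes: the worker's code is identical in both runs, and only the grant set of the environment it executes in decides what the payload can reach.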