Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Internet Explorer 9 is out, includes new security features.

Published: 2011-03-15
Last Updated: 2011-03-15 14:02:52 UTC
by Lenny Zeltser (Version: 3)
5 comment(s)

Microsoft released version 9 of its Internet Explorer web browser. You can download IE 9 from windows.microsoft.com.

Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn't hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren't around yet.

Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature that helps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements "secure launch" capabilities to safeguard users' sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities. The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.

Updates:

Have you had a chance to experiment with Internet Explorer 9? Let us know what you think of its security capabilities.

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Keywords:
5 comment(s)

How to uninstall Internet Explorer 9 if you need to revert to IE 8.

Published: 2011-03-15
Last Updated: 2011-03-15 14:01:33 UTC
by Lenny Zeltser (Version: 1)
4 comment(s)

Performance and security enhancements of Internet Explorer 9 make the browser upgrade worth one's consideration. If you need to rollback to the installation of IE 9 for whatever reason, you shouldn't have any issues. I tested the IE 9 uninstall process to revert a Windows 7 system to when it had Internet Explorer 8 installed.

You can uninstall Internet Explorer 9 by using the "Uninstall a program" applet in Control Panel. Then, select "View installed updates".

Then, select "Windows Internet Explorer 9" from the list and click "Uninstall." After the removal process, Windows will probably prompt you to reboot.

After the reboot, you should have Internet Explorer 8 back in its full glory.

 

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

 

Keywords:
4 comment(s)

Limiting Exploit Capabilities by Using Windows Integrity Levels

Published: 2011-03-15
Last Updated: 2011-03-15 03:41:47 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)

Windows Vista, 7 and Server 2008 includes a feature called integrity levels, which is arguably the most under-appreciated security mechanism built into the operating system. Yet, it provides powerful ways for mitigating the risks of computer attacks and malware infections. For instance, integrity levels can shield processes from keyloggers; they can also protect files from being accessed by malware running on an infected system.

Another potent benefit of integrity levels is the ability to limit the capabilities of an exploit that manages to compromise an application. This is what I'd like to discuss in the note below.

What Are Windows Integrity Levels?

Microsoft designed Windows integrity levels as a mechanism for enforcing mandatory access controls, which apply even when access would be granted according to the traditional discretionary controls that we're accustomed to. According to Microsoft:

"The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs)."

This means that integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges. 

Protecting Higher Integrity Objects from Malware

A process running under the Low integrity level will be prevented by the OS from modifying the process running under the Medium integrity process or from modifying a file assigned the Medium integrity level. (By default, Windows assigns the Medium label to objects.)

This is why it's advantageous to run the processes that are likely to be targeted by exploits under the Low integrity level. For instance, if a browser running under the Low integrity level gets exploited, the attacker's payload will have a hard time injecting itself into the majority of other processes or modifying critical files.

Didier Stevens illustrated the effectiveness of integrity levels for mitigating DLL injection risks by showing how the OS blocked the injection attempt from a Low integrity level process to a Medium one. He concluded that integrity levels may be a "good security feature to sandbox vulnerable, Internet facing applications."

Applications Designed to Run Under the Low Integrity Level

Though it may be possible to force an application to run under the Low integrity level if it wasn't designed for it, this will likely cause issues, such as the application not being able to load its configuration settings. Fortunately, some end-user applications are designed with Low integrity level in mind when they run on Windows Vista, 7 or Server 2008:

Internet Explorer's parent process runs under the Medium integrity level, while the process that represents each tab runs under the Low integrity level, thanks to the browser's Protected Mode feature:

Similarly, Google Chrome runs its tabs under the Low integrity level on Windows as part of its sandboxing capabilities:

Acrobat Reader 9 and lower runs under the Medium integrity level, like most processes in Windows:

Fortunately, most of the code of Acrobat Reader X runs under the Low integrity level. This is one of the security features built into this version of Acrobat to limit the capabilities of exploits delivered to the application's users through malicious PDF files:

 

Running a process under the Low integrity level helps minimize the damage it can do when exploited by malicious code. Hopefully, more programs will be build to take advantage of this feature of Microsoft Windows (ahem.. Firefox?).

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Keywords: exploit windows
0 comment(s)
Diary Archives