Security researchers at Verizon found a way to carry out stealthy drive-by exploits even when victims are using recent versions of Internet Explorer in Protected Mode.
In a white paper published by Verizon, the attack requires the intruder to have an exploit for a zero-day vulnerability that’s not patched. The attack works only against machines that have the Local Intranet Zone enabled, as is the default for domain-joined workstations.
Protected Mode, which was introduced in version 7 of IE helps to protect users from attack by running the Internet Explorer process with greatly restricted privileges. With reference to Microsoft website, Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user’s machine or to install malicious code.
However, the Verizon researchers are able to bypass the measure that requires no interaction on the part of the victim. “The attack combines the facts that sockets are not subject to Mandatory Integrity Control and that sites in the Local Intranet Zone are rendered with Protected Mode disabled,” the paper states.
“The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”
Download Verizon white paper here.