Researchers have found a chink in Internet Explorer’s ‘protected mode’ security armour that hints at trouble for other Windows apps built around the technology, including Google’s Chrome and Adobe’s new Reader X. Researchers have found a chink in Internet Explorer’s ‘protected mode’ security armour that hints at trouble for other Windows apps built around the technology, including Google’s Chrome and Adobe’s new Reader X.The principle behind Protected Mode is to limit the privileges of an application process, which first eppared with the advent of Explorer 7 on Vista. These are set by the OS for IE according to six Mandatory Integrity Control (MIC) levels, the lowest of which is applied to all apps running from untrusted zones such as the Internet.In a new paper, however, Verizon Business researchers document ways that an attacker could elevate the privileges of a process to zones where Protected Mode would not apply, such as the local intranet network (which uses UNC paths) or by spoofing the trusted sites list.This leads to the possibility of a relatively simple attack in which malware executes as a low priority process which creates a virtual web server tied to a local software ‘loopback’ port. Although this process will also be shut out by protected mode, it would be able to point IE to a web address which appears to be in the Local Internet Zone. By this point, the web page will be able to render at medium integrity, a potentially dangerous privilege escalation.“By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode,” the authors note. As the authors admit, the degree of protection offered by IE protected mode has always been ambiguous. Microsoft has made few direct claims for it, but has not downplayed its abilities either.The weakness found by Verizon doesn’t directly affect other applications that use protected mode security, such as Adobe Reader X or Google Chrome, but it does show how such protection mechanisms will remain open to attack based on the fact that some elements of a system have to be trusted.Adobe’s Reader X ‘sandbox’ was launched recently to overcome persistent and successful attacks using crafted PDF files opened with prior versions.In reality, the need to attack IE and Reader X using clever and stealthy attacks is low given that so many users persist in using older versions of the software. Related content news Is China waging a cyber war with Taiwan? Nation-state hacking groups based in China have sharply ramped up cyberattacks against Taiwan this year, according to multiple reports. By Gagandeep Kaur Dec 01, 2023 4 mins Cyberattacks Government news Apple patches info-stealing, zero day bugs in iPads and Macs The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. By Shweta Sharma Dec 01, 2023 3 mins Zero-day vulnerability feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff Dec 01, 2023 6 mins Technology Industry IT Skills Events news Conti-linked ransomware takes in $107 million in ransoms: Report A ransomware campaign linked to the ostensibly defunct Conti malware group has targeted mostly US businesses, in a costly series of attacks. By Jon Gold Nov 30, 2023 4 mins Ransomware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe