Thursday, September 20, 2012

That IE 0-day? Yeah, you're covered (kinda).

          On Monday, news of yet another 0-day exploit swept security circles. Leadership scrambled to throw together reports about their company's exposure level for presentation to their management chain. 

The idea behind this particular 0-day, like many others, is to exploit the browser so that no user interaction is required to download and execute a secondary payload. The primary payload is the script that orchestrates this activity; the secondary payload, in this case, is an executable (.exe) Trojan. The attack chain for this exploit runs: the user browses to a page hosting the exploit script, the script triggers the IE vulnerability, the script downloads the Trojan (111.exe) into the user's Temporary Internet Files folder, and finally it executes 111.exe.

(Thanks to labs.alienvault.com for their analysis.)

Your mitigation strategy? Software Restriction Policies (SRP). It is not an add-on product but a feature built into Windows and configured through Group Policy (or the local security policy), and it can be set to deny execution of code from user-writable directories that no allow rule covers. Following the attack chain above, everything goes as planned for the attacker until the command to execute 111.exe. The executable sits in the user's Temporary Internet Files folder, a user-writable directory outside the protected locations (typically %SystemRoot% and %ProgramFiles%), so the SRP default-deny rule applies: 111.exe never runs and the attack is thwarted. Furthermore, post-exploitation the attacker holds only the exploited user's privileges, so the places the attacker is able to write to are exactly the places the default-deny rule covers.
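The following PowerShell is an added example and not code from the original post. It writes a default-deny SRP to the local machine policy using the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers that the Group Policy editor uses (verify against a policy created with the editor before deploying), with the two allow rules the SRP wizard creates by default, and then simulates the path-rule decision for a constructed sample path of a dropped 111.exe. The function names (Add-SrpPathRule, Install-SrpPolicy, Resolve-SrpLevel) and the sample paths are this example's own; the simulation models only path-based allow rules, not hash, certificate or zone rules.

```powershell
# Added example (not from the original post): default-deny SRP via the registry,
# plus a simulation of the path-rule decision for constructed sample paths.

$SaferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # security level "Disallowed"
$Unrestricted = 0x40000   # security level "Unrestricted" (262144); rules live under a key named by level

# Allow rules: the two defaults the SRP wizard creates. SRP expands the
# %HKEY_LOCAL_MACHINE\...% registry-path syntax itself; the simulation below
# uses the equivalent environment variables instead.
$AllowRules = @(
    @{ Registry    = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
       Local       = $env:SystemRoot
       Description = 'Windows directory' },
    @{ Registry    = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
       Local       = $env:ProgramFiles
       Description = 'Program Files' }
)

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <Level>\Paths with ItemData = the path.
    $guid = '{' + ([guid]::NewGuid().ToString().ToUpper()) + '}'
    $key  = Join-Path $SaferKey ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

function Install-SrpPolicy {
    # Requires an elevated prompt; takes effect after gpupdate /force or a reboot.
    New-Item -Path $SaferKey -Force | Out-Null
    # Everything not matched by an allow rule is Disallowed.
    Set-ItemProperty -Path $SaferKey -Name DefaultLevel       -Value $Disallowed -Type DWord
    # 1 = check executables only (the SRP default); 2 = also check DLLs.
    Set-ItemProperty -Path $SaferKey -Name TransparentEnabled -Value 1 -Type DWord
    # 0 = enforce for everyone, including local administrators; 1 = exempt admins.
    Set-ItemProperty -Path $SaferKey -Name PolicyScope        -Value 0 -Type DWord
    foreach ($r in $AllowRules) {
        Add-SrpPathRule -Path $r.Registry -Level $Unrestricted -Description $r.Description
    }
}

function Resolve-SrpLevel {
    # Simulates SRP path matching: the most specific (longest) matching rule
    # wins; with no match at all, DefaultLevel (Disallowed) applies.
    param([string]$FilePath)
    $best = $null
    foreach ($r in $AllowRules) {
        $prefix = $r.Local.TrimEnd('\') + '\'
        if ($FilePath.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            if ($null -eq $best -or $prefix.Length -gt $best.Length) { $best = $prefix }
        }
    }
    if ($best) { 'Unrestricted' } else { 'Disallowed' }
}

# Constructed sample paths: the dropped Trojan from the post (Windows 7 layout
# of Temporary Internet Files) and a legitimate system binary for contrast.
$samples = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234\111.exe'),
    (Join-Path $env:SystemRoot 'System32\notepad.exe')
)
foreach ($s in $samples) { '{0,-12} {1}' -f (Resolve-SrpLevel $s), $s }

# Uncomment on a test machine, from an elevated prompt, to write the policy:
# Install-SrpPolicy
```

Running the simulation prints Disallowed for the 111.exe path and Unrestricted for notepad.exe, which is the decision the post describes. Note that Install-SrpPolicy leaves TransparentEnabled at 1, so DLLs are not checked; set it to 2 if you want SRP to cover DLL loads as well, and test your applications first, since that setting is the one most likely to break things.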

Now, keep in mind that exploitation still occurs above: SRP is not a catch-all. The browser process is still compromised, and the secondary payload is still delivered; it simply cannot execute because SRP is configured to deny it. Two caveats are worth checking in your own deployment. First, SRP only governs the loading of new executable images from disk; a payload that runs entirely inside the exploited browser process is never seen by it, and with the default enforcement level DLLs are not checked either. Second, an allow rule on %SystemRoot% or %ProgramFiles% also allows any user-writable subdirectory beneath them, so the claim that "anywhere the attacker can write is denied" holds only if no such subdirectory exists or each one carries its own Disallowed rule. With those boxes ticked, this particular attack chain, alongside many other 0-day attack chains released this year, is mitigated by SRP.
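To check the second caveat, here is an added PowerShell example (not code from the original post) that walks the directories a typical SRP allow rule covers, %SystemRoot% and %ProgramFiles%, as the current user and reports every subdirectory in which that user can create a file. Each hit is a location where a dropped executable would fall under the allow rule instead of the default deny. The function names (Test-CanCreateFile, Find-WritableAllowedDirs) are this example's own; the probe uses the same operation a dropper would, creating a new file, rather than reasoning about ACLs.

```powershell
# Added example (not from the original post): find user-writable directories
# beneath the paths an SRP allow rule covers. Run it as the standard user the
# policy is meant to protect, not from an elevated shell.

function Test-CanCreateFile {
    param([string]$Directory)
    # Attempt the operation a dropper performs: create a brand-new file.
    $probe = Join-Path $Directory ('srp-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        # Clean up; if the directory grants create-but-not-delete the probe
        # may remain, which is itself worth knowing about.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-WritableAllowedDirs {
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles))
    foreach ($root in $Roots) {
        # PSIsContainer keeps this working on PowerShell 2.0 (no -Directory switch).
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                if (Test-CanCreateFile -Directory $_.FullName) { $_.FullName }
            }
    }
}

Find-WritableAllowedDirs | ForEach-Object { "Writable under allow rule: $_" }
```

On a stock install this typically reports directories such as %SystemRoot%\Temp and %SystemRoot%\Tasks. For each one, add a path rule at the Disallowed level in the same policy; SRP applies the most specific matching rule, so a Disallowed rule on %SystemRoot%\Temp overrides the broader Unrestricted rule on %SystemRoot%. Re-run the audit after patching or installing software, since new writable directories appear over time.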

Stay tuned for more about Microsoft's SRP.
