There's a trivial way for drive-by exploit developers to bypass the security sandbox in almost all versions of Internet Explorer, and Microsoft says it has no immediate plans to fix it, according to researchers from Hewlett-Packard.
The exploit technique, laid out in a blog post published Thursday, significantly lowers the bar for attacks that surreptitiously install malware on end-user computers. Sandboxes like those included in IE and Google Chrome effectively require attackers to devise two exploits, one that pierces the sandbox and the other that targets a flaw in some other part of the browser. Having a reliable way to clear the first hurdle drastically lessens the burden of developing sophisticated attacks.
The bypass technique "does give the attacker a significant advantage by giving them higher-level access than a typical exploit might in Internet Explorer, by allowing them to escape the sandbox," Robert "Rsnake" Hansen, a vice president at security firm WhiteHat Labs, wrote in an e-mail to Ars. "In practical terms this is a very important finding, because it can be tied into existing exploits that might otherwise not be able to escape the IE sandbox."
Microsoft plans to fix a vulnerability in version 8 of its Internet Explorer browser that allows attackers to remotely hijack computers that do nothing more than visit a booby-trapped website.
Details of the critical "use after free" security bug were published Wednesday by Zero Day Initiative (ZDI), the Hewlett-Packard-owned group that sponsors the regularly occurring Pwn2Own hacking contest. The group, which buys vulnerabilities so it can protect customers from attacks that exploit them, has a policy of keeping bug details confidential until a patch is released or until 180 days after purchase, whichever happens first. ZDI notified Microsoft of the bug in October after acquiring it from whitehat researcher Peter "corelanc0d3r" Van Eeckhoutte of Corelan.
In a statement issued to media outlets, Microsoft said some patches take longer to develop than others and that "we must test every one against a huge number of programs, applications and different configurations," according to IDG News. "We continue working to address this issue and will release a security update when ready in order to help protect customers."