Aurora and DEP in Windows

In January there was a large attack against Google that apparently used a flaw in Internet Explorer; the flaw was given the name "Aurora".

This has supposedly prompted Google to pull out of China, so there are international business and political issues involved. I won't go into those details and will focus only on the technical aspects that most people will actually run into.

So far the attackers have only targeted IE6 on XP in large corporations, so some say there is less of a threat if you are using IE7 or later on Vista or later. There are two problems with that logic.

First of all, the exploit is in Metasploit (a clearing house for 0-day exploits), and it will soon be used against the mainstream. According to McAfee: "What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users."

Second, the security researcher Dino Dai Zovi has written an Aurora exploit that works on IE6 and IE7 on XP and Vista. His exploit works in IE browsers that don't have DEP enabled. If that isn't enough, according to Microsoft's own security advisory (see below) the flaw also affects IE7 and IE8 on everything up to Windows 7. The flawed code that was exploited in IE6 exists in every IE version beyond 5.01 Service Pack 4, on every Microsoft OS. It was interesting to read Microsoft say that IE8 is vulnerable but IE5 isn't.

They will soon be issuing an "out of band patch", which they rarely do. Usually they wait until the third Tuesday of the month (Patch Tuesday), but this time they will issue an emergency update ASAP.

Microsoft has a list of things we can do to reduce the damage the exploit can do while they craft the patch.

  • Turn on DEP (Data Execution Prevention) in IE7
    DEP is already turned on by default in IE8 on XP Service Pack 3, Vista SP1, and Windows 7.
    In IE7: Tools -> Internet Options -> Advanced -> check "Enable memory protection"
  • Avoid browsing as an administrator
    The way the exploit works, it lets scripts run with your rights. If you are a limited user, the damage that can be done to your computer is limited. This is a subject I've written about in other blogs so I won't go into it here.
  • Set the Internet zone security level to High
    These are the default security settings that all web sites fall into if they aren't already in the Trusted or Restricted zone.
    Tools -> Internet Options -> Security
    Click on the "Internet" zone -> move the slider until 'High' is displayed
  • Be sure Protected Mode is on in IE7
    Tools -> Internet Options -> Security -> check "Enable Protected Mode"

Data Execution Prevention is a way to keep parts of a program's memory from being executed as code. The program signals to the OS that a certain area will only ever hold data, and the CPU errors out if something tries to execute there.

One of the tricks of the hacker trade is to get a small program into such an area by pretending it is "non-executable" data, like input values, and then causing it to run like a regular program. That injected code also inherits the rights of the program that was supposed to be running. So if you were running a program with administrative rights, the little malicious "program" would have those rights too. That is why I keep harping on the idea that you should run as a regular user.

DEP is a vital part of the improved security in XP Service Pack 2 and beyond. Understand that it has three parts: the hardware, the operating system, and the program itself. Today's Intel and AMD based computers already meet the hardware requirement. Windows has been covered since XP Service Pack 2. But under the common settings, the program has to be opted in for DEP to protect it. So depending on the OS setting, just enabling DEP in Vista doesn't do anything for a program that doesn't opt in.

I do have problems with two of the four settings in Windows DEP. I haven't tested them yet so I can't say for sure, but my first thought is to avoid those settings like the plague. I'm listing all four settings, the first two being the ones to avoid.

  1. Always Off
    It's kind of obvious what the problem is with this one.
  2. Opt-In
    Here you choose the programs that will be protected and the rest go unprotected.
    Basically it is a black list of bad programs. The black list approach is the scorn of security-land. But, of course, it is the default in Windows. I would recommend that you switch to one of the two below.
  3. Always On
    This seems to be the best bet, although I would guess there are some programs out there that would stop working. Those programs were probably written without thought to security or the details, but if the computer can't do the job the user needs it to do then what good is it? So this setting would be best but maybe too much for most users.
  4. Opt-Out
    Like the opt-in setting, this one lets you name individual programs. Unlike opt-in, the programs you name are the ones allowed to run free of DEP, and every other program has to play by the rules.

Microsoft's security advisory about the Aurora exploit:
http://www.microsoft.com/technet/security/advisory/979352.mspx

DEP in Windows XP:
http://support.microsoft.com/kb/875352
