Microsoft warned of Protected Mode flaws

Security researchers have issued a warning to Microsoft that the much-vaunted Protected Mode introduced into Internet Explorer in recent releases offers little or no protection in its current form.

In a white paper released by Verizon Business this week, researchers reveal that Internet Explorer's Protected Mode - a security feature designed to prevent malicious code from gaining critical access to the underlying operating system - can be quickly bypassed, providing almost no protection against a clued-up attacker.

That, funnily enough, wasn't the original aim of the research. As the white paper points out, the original plan was for the researchers to examine "the full extent of how Protected Mode can protect users from zero-day memory corruption vulnerabilities in Internet Explorer and third-party extensions." Sadly, it turns out the answer was: it can't.

"As a result of this research," the paper's authors warn, "a bypass of the [Protected Mode] feature was discovered along with a number of generic attack patterns which must be protected against to prevent future circumvention of the feature."

The warnings in the white paper are stark: "Given the current set of potential ways to bypass Protected Mode’s protection by locally escalating from low to medium integrity, it can be concluded that the mechanism currently provides little in the way of reliable protection from remote code execution attacks" - a distinct departure from the official Microsoft line.

There are ways of mitigating the impact of the flaws in Protected Mode, including such common-sense techniques as ensuring that users don't run under an administrative-level account for day-to-day work, enabling User Account Control on operating systems that support it, disabling the Local Intranet zone in Internet Explorer's security settings, and using group policies to prevent users from altering the elevation policy in Internet Explorer once it has been locked down.

With the white paper's findings now public, it's only a matter of time before the ne'er-do-wells start adapting their attacks to take advantage of the flaws in Protected Mode.

So far, it's not known whether Microsoft will be addressing the issues highlighted by the research in a future edition of Internet Explorer - but, given the company's official stance that the current implementation of Protected Mode does not represent a 'security boundary' by design, it's unlikely to be resolved any time soon.

The full white paper can be downloaded from Verizon Business' site.