A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.
The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as “Play” for a video or a Facebook “Like.” Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.
When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type “r” and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.
Security researchers have long viewed the ability to invoke powerful operating-system commands as one of a browser’s more dangerous features. While this ability provides convenience to users, it can also be exploited to force a machine to expose or delete sensitive data or, as in this case, execute code of an attacker’s choice.
“The integration between the browsing environment and the operating system to actually execute system-level commands is a pretty terrible design,” said Robert Hansen, director of product management at White Hat Security. “As a security researcher, almost every time you see something like that, you know that there’s some way to exploit it. Every time there’s these weird hooks into system-level DLLs that are used both by the operating system and by the browser, it’s almost always going to have some dangerous thing about it.”
For their part, Microsoft officials said in a statement that they don’t consider the behavior a vulnerability.
“We are aware of this industry-wide social engineering technique that requires user interaction to run a malicious application,” the statement said. “This is not a vulnerability, as someone must be convinced to visit a malicious site and take additional action, such as using a keyboard shortcut to execute the malicious application. Smart Screen will help mitigate the risk for customers running Internet Explorer. We continue to encourage customers [to] exercise caution when visiting untrusted websites.”
The attack is by no means foolproof since Windows 7 and 8 both provide protections designed to prevent the execution of malicious files. One defense, known as User Account Control, requires a user to approve the running of any file that needs high-level “administrator” privileges from the operating system. Another, known as Smart Screen, checks webpages and downloaded files for signs they’re malicious.
But Valotta said Smart Screen protections can be bypassed in some cases by using shortened URLs that link to malicious executable files. He found that about 20 percent of them will get through. Smart Screen can also be bypassed when malware is digitally signed by a genuine extended validation certificate or a “trusted” signing certificate that’s already been used to validate benign applications. Valotta said malware frequently doesn’t need an end user to approve administrator access through User Account Control. HTML content injection, keylogging, autostart, and other malicious functions can all be carried out with non-administrative privileges because they rely on so-called “userland” programming interfaces, according to Valotta.
While it’s troubling to see an attack with the potential to do so much damage with so little user interaction, it’s important to note that the defenses Microsoft has put into recent versions of Windows go a long way toward making these types of exploits less reliable. The user notifications and the Smart Screen filtering will often completely shut down an attack before it’s able to succeed. These protections may also limit the damage that can be done, and raise the amount of effort required, when an attack does work. Security professionals call this layered approach “defense in depth.” Still, it’s surprising to read Microsoft’s statement saying it’s not a vulnerability when a user is one or two clicks away from an attack that has a statistically significant chance of successfully executing malicious software. This weakness may not be the highest priority for Microsoft’s security team, but I do think it’s worth an eventual fix.