IE, Chrome Browser Attack Exploits Windows PCs

Jun 28, 2013 (06:06 AM EDT)

Read the Original Article at

Warning: Browser security notification mechanisms can be abused by attackers to hide downloads, dismiss notifications and disguise malicious code execution.

Details of those vulnerabilities were recently presented by independent security researcher Rosario Valotta in a presentation titled "Abusing Browser User Interfaces for Fun and Profit" at last week's Nuit du Hack conference at Disneyland Paris, as well as other recent conferences in Amsterdam and Moscow.

Using the detailed vulnerabilities to create a related exploit is "ridiculously simple," and can be initiated "without any notification or user confirmation," Valotta said in a blog post. "All you need is to type one key on Internet Explorer or make one click on Google Chrome" for the exploit to succeed.

The detailed vulnerabilities begin with modern browsers using modeless notifications to alert users to such events as file downloads, plug-in installations or authorizing HTML5 privileged APIs. "These notifications bars are non-invasive, they are designed ... to inform users without interrupting navigation, but they suffer from some serious design problems," Valotta said.

[ Want to know which security practices give the best bang for your buck? Read Security ROI: 5 Practices Analyzed. ]

Notably, such notifications appear only in the related window or tab that generated them. "So if you are able to 'hide' the navigation window, you can hide also the notification, this means you can [as an example] download a file on your computer and have no notification at all from your browser," he said. In addition, even though these windows might be hidden, the notification is active, meaning that the screen will accept a keyboard shortcut -- for example to save a file or run a file.

Here's Valotta's attack scenario: A user visits a malicious website, which opens a pop-under window and begins downloading a malicious file. Pop-under windows -- they appear behind the active window -- can be created using JavaScript, for example via the cross-browser tool js-popunder, which is available for free from GitHub.

Getting that malicious file to execute, however, requires a bit of trickery, which is also known as social engineering. With Internet Explorer, for example, a user would have to be tricked into typing a required key -- "r" on English-language systems, to make a downloaded file run, or "e" on Italian systems, and so on -- which would in fact be transmitting the keystroke to the hidden, but active, pop-under window.

How might this be accomplished? "Well, there are plenty of ways: a game, a typing lesson," said Valotta. "But my favorite one is a Captcha. Just take a fake Captcha starting with the proper letter ("r" or "e") and you'll get 100% of tricked users."

While a letter must be typed to complete the exploit via IE, for Chrome browsers the requirement -- after the file has been downloaded -- is different. "You need to trick the victim into clicking on some link/button on the foreground window," said Valotta. "The attacker, using some [JavaScript], is able to track mouse pointer coordinates so -- as soon the mouse is hovering on the button -- the attacker can close the foreground window." Obviously, attackers would need to get their timing right.

Might Microsoft issue a patch to lock down the Windows user interface and block these types of attacks? In fact, Microsoft has issued a statement saying that it doesn't see the related Windows behavior as constituting a vulnerability. It also said that browser security tools, such as the Smart Screen filter first introduced with IE8, will help block related exploits.

"We are aware of this industry-wide social engineering technique that requires user interaction to run a malicious application," according to Microsoft's statement. "This is not a vulnerability, as someone must be convinced to visit a malicious site and take additional action, such as using a keyboard shortcut to execute the malicious application. Smart Screen will help mitigate the risk for customers running Internet Explorer. We continue to encourage customers [to] exercise caution when visiting untrusted websites."

But Valotta said Microsoft's Smart Screen technology isn't infallible. "There are a lot of ways to circumvent Smart Screen," he said. One technique would be to use a stolen extended validation signing certificate to give the malware a good reputation. Another technique is to use extweets -- shortened URLs made to link to malicious executables -- of which Valotta said about 20% don't appear to be on Microsoft's list of bad code, or classified as malware by Virus Total.

Microsoft Windows User Access Control (UAC) settings can also help block attacks that target the notification-mechanism vulnerabilities, for example by flashing a warning -- above all other windows -- whenever an application requests administrator privileges. But Valotta said that admin-level access isn't required to do damage, and cites malware such as Carberp that's able to inject JavaScript and HTML into the client browser to make it appear to be a legitimate site.

How might Microsoft or Google lock down Windows or their respective browsers to block these types of attacks? Valotta offered several recommendations, including altering browsers so that any notifications tied to background windows be brought to the front after a preset period of delay, as well as disabling use of the tab key in notification windows and ensuring that all important notifications -- for example, file-download alerts -- are displayed in a static browser frame that can't be hidden in a pop-under window.