VUPEN Researchers Say They Have Zero-Day Windows 8 Exploit

2012-11-01T15:03:33
ID THREATPOST:2D6D32C7FA3B608CFDB6C041C312C623
Type threatpost
Reporter Michael Mimoso
Modified 2013-04-17T16:31:18

Description

Controversial bug hunters and exploit sellers VUPEN claimed to have cracked the low-level security enhancements featured in Windows 8, Microsoft’s latest operating system.

VUPEN CEO and head of research Chaouki Bekrar sent out a pair of ominous Tweets yesterday claiming to have developed the first zero-day exploit for Windows 8 and Internet Explorer 10, both released Oct. 26. Bekrar hints that the exploit is a sandbox bypass for IE10 with ASLR, DEP and anti-ROP mitigations enabled.

“We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Bekrar wrote.

Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP) were introduced in Windows Vista. ASLR randomizes address space in order to curb memory-based attacks, while DEP keeps applications from executing data in certain specific memory locations. Return-oriented programming (ROP) techniques, meanwhile, help attackers bypass both of these protections. Anti-ROP tools were the focus of Microsoft’s BlueHat Prize contest; researcher Vasilis Pappas won $200,000 for his kBouncer ROP mitigation technology, which uses the Windows kernel to enforce process restrictions and prevent ROP from running.

Windows 8 features several hardware-level security updates, in addition to Secure Boot, which uses UEFI rather than a traditional BIOS and loads the Early Launch Antimalware (ELAM) driver. Microsoft said the driver boots before other startup drivers, examines those drivers for infection, and enables the kernel to decide whether to initialize them. ELAM, Microsoft said, launches before third-party antimalware protection and detects malware during the boot process.

There are other root-level security features in Windows 8 that burrow deeper into the operating system than before. Some of these include updated memory managers, the Windows Heap Manager and the Windows Kernel Pool Allocator. Windows Heap Manager reduces the effectiveness of buffer overflow injection attacks by randomizing address space, while the Kernel Pool Allocator protects this resource, which dynamically allocates memory to applications. All of these would significantly cut down an attacker’s ability to run code at the root level on a Windows 8 machine, Microsoft said.

Microsoft also introduced a new sandbox in Windows 8 called AppContainer. All of the new Metro applications run in AppContainers.

All of this was built on top of existing security features such as the TPM chip, self-encrypting drives (SED), ASLR and DEP.

Boot-level attacks are on the rise, according to security experts. Attackers have found great success with rootkits that infect a Windows machine’s BIOS or Master Boot Record, giving them persistent and often undetected access to a machine. Boot-level attacks can also lead to further malware infections, in which an attacker can harvest credentials and use an infected computer as a pivot point for attacks on other machines in a network.

“One reason protecting against boot-level attacks is so important is that if your BIOS or pre-boot environment is infected, no matter what you do to clean it up, things that get that low into pre-boot can re-infect you at any time and nothing the OS level does to clean that up can protect you,” said Ari Singer, chairman of the Trusted Computing Group’s TPM Working Group. “You will be re-infected every single time. It’s a way for an attacker to get a persistent attack on machine. Typically, this is very difficult to detect.”