Microsoft rushes to fix IE kill-bit bypass attack

At Black Hat this week researchers will show a way to bypass kill-bits; Microsoft is releasing a patch for the bug on Tuesday

Microsoft has been forced to issue emergency patches for its Windows operating system after researchers discovered a way to bypass a critical security mechanism in the Internet Explorer browser.

During a Wednesday talk at this week's Black Hat conference in Las Vegas, researchers Mark Dowd, Ryan Smith and David Dewey will show a way of bypassing the 'kill-bit' mechanism used to disable buggy ActiveX controls. A video demonstration posted by Smith shows how the researchers were able to bypass the mechanism, which checks for ActiveX controls that are not allowed to run on Windows. They were able to then exploit a buggy ActiveX control in order to run an unauthorized program on a victim's computer.

Although the researchers have not revealed the technical details behind their work, this bug could be a big deal, giving hackers a way of exploiting ActiveX problems that were previously thought to have been mitigated via kill-bits.

"It's huge because then you can execute controls on the box that weren't intended to be executed," said Eric Schultze, chief technology officer with Shavlik Technologies. "So by visiting an evil Web site [criminals] can do anything they want even though I've applied the patch."

Microsoft commonly issues these kill-bit instructions as a quick way of securing Internet Explorer from attacks that exploit buggy ActiveX software. The Windows Registry assigns ActiveX controls unique numbers, called GUIDs (globally unique identifiers). The kill-bit mechanism blacklists certain GUIDs in the Windows registry so that the components cannot be run.
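An added example, not from the original article: a defender-side audit that parses a text export of the registry key where Internet Explorer stores kill-bits (the "ActiveX Compatibility" key, where a control is blocked when its "Compatibility Flags" DWORD has the 0x400 bit set) and reports which required GUIDs are not actually blocked. The sample export, its GUIDs and the function names are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that tells IE not to load the control

# Constructed sample in .reg export format; the GUIDs are made-up placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-AAAA-4BBB-8CCC-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-aaaa-4bbb-8ccc-000000000002}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-AAAA-4BBB-8CCC-000000000003}]
"Compatibility Flags"=dword:00000020
"""

# Only per-control subkeys count; the parent key and unrelated keys are skipped.
KEY_RE = re.compile(r"^\[.*\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(export_text):
    """Map each control GUID (upper-cased) to its Compatibility Flags DWORD."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)   # key present but no flags value yet
        elif line.startswith("["):
            current = None                 # some other key: ignore its values
        elif current:
            val = FLAGS_RE.match(line)
            if val:
                flags[current] = int(val.group(1), 16)
    return flags

def missing_kill_bits(export_text, required_guids):
    """Return required GUIDs that are absent or whose kill-bit is not set."""
    flags = parse_compat_flags(export_text)
    return sorted(g.upper() for g in required_guids
                  if not flags.get(g.upper(), 0) & KILL_BIT)
```

The check tests the bit rather than comparing the whole DWORD, because other compatibility flags can be set alongside it. On 64-bit Windows the 32-bit registry view is a separate key, so export and audit each view on its own.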

According to sources familiar with the matter, Microsoft is taking the unusual step of releasing an emergency patch for the bug on Tuesday. Microsoft typically only releases these "out-of-cycle" patches when hackers are exploiting the flaw in real-world attacks. But in this case the details of the flaw are still secret and Microsoft said that the flaw is not being used in attacks.

"This must have really scared Microsoft," Schultze said, speculating on why Microsoft might have issued the out-of-cycle patches.

It may also reflect an awkward public relations problem for Microsoft, which has been working more closely with security researchers in recent years. If Microsoft had asked the researchers to hold off on their talk until the company's next set of regularly scheduled patches -- due August 11 -- the company might have faced backlash for having suppressed the Black Hat research.

Microsoft itself has provided few details on the emergency patches, which are set to be released on Tuesday at 10:00 a.m. West Coast time.

Late last Friday, the company said it planned to release a critical fix for Internet Explorer as well as a related Visual Studio patch rated "moderate."

However, the problem that lets the researchers bypass the kill-bit mechanism may lie in a widely used Windows component called the Active Template Library (ATL). According to security researcher Halvar Flake, this flaw is also to blame for an ActiveX bug that Microsoft identified earlier this month. Microsoft issued a kill-bit patch for the problem on July 14, but after looking into the bug, Flake determined that the patch didn't fix the underlying vulnerability.

One of the researchers presenting at Black Hat, Ryan Smith, reported this flaw to Microsoft more than a year ago and this flaw will be discussed during the Black Hat talk, sources confirmed Monday.

A Microsoft spokesman declined to say how many ActiveX controls are secured via the kill-bit mechanism, explaining that the company "doesn't have additional information to share about this issue" until the patches are released. But Schultze said that there are enough that the Tuesday patch should be applied as soon as possible. "If you don't apply this, it's like you've uninstalled 30 earlier patches," he said.

Smith declined to comment for this story, saying he was not allowed to discuss the matter ahead of his Black Hat talk. The other two researchers involved in the presentation work for IBM. And while IBM declined to make them available for comment Monday, company spokeswoman Jennifer Knecht confirmed that the Wednesday Black Hat talk is related to Microsoft's Tuesday patches.


Robert McMillan

IDG News Service