Internet Explorer “Protected Mode” Can Be Bypassed
Protected Mode in the later versions of Internet Explorer has proven to be less “protected” than previously thought. Although this is a security hole, it can largely be avoided by limiting the trusted Intranet Zone.
Researchers from Verizon Business have now described a way of bypassing Protected Mode in IE 7 and 8 in order to gain access to user accounts. The technique requires a vulnerability that allows the execution of malicious code in the browser or in a browser extension. Although the malware will initially only run in the browser’s Low Integrity Mode, it can start a web server on the computer that will respond to requests on any port of the loopback interface. By calling the IELaunchURL() function, an attacker can instruct IE to load a URL from this web server, for instance “http://localhost/exploit.html”. Localhost is generally part of IE’s Local Intranet Zone and, by default, Protected Mode is disabled for content from this zone.
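To check how a given machine is exposed to the zone behaviour described above, the following added audit script (not from the original article or from the researchers) reports the Protected Mode setting for each IE security zone and the options that control which sites are mapped into the Local Intranet Zone. It assumes the standard Internet Explorer zone registry layout, in which URL action `2500` holds the Protected Mode state (0 = enabled, 3 = disabled). It lists every location where a value is set and does not resolve precedence between them.

```powershell
# Added audit example, not from the original article.
# Read-only: lists where Protected Mode (URL action 2500) is configured per zone.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = @(
    "HKLM:\Software\Policies\$suffix",   # machine policy
    "HKCU:\Software\Policies\$suffix",   # user policy
    "HKCU:\Software\$suffix",            # user preference
    "HKLM:\Software\$suffix"             # machine default
)
$zones = @(
    @{ Id = 1; Name = 'Local Intranet' },
    @{ Id = 2; Name = 'Trusted Sites' },
    @{ Id = 3; Name = 'Internet' },
    @{ Id = 4; Name = 'Restricted Sites' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($zone in $zones) {
    foreach ($root in $roots) {
        $value = Get-RegValue -Path (Join-Path $root "Zones\$($zone.Id)") -Name '2500'
        if ($null -eq $value) { continue }
        [pscustomobject]@{
            Zone          = $zone.Name
            Location      = $root
            ProtectedMode = switch ($value) { 0 { 'Enabled' } 3 { 'Disabled' } default { "Unknown ($value)" } }
        }
    }
}
$report | Format-Table -AutoSize

# Options that decide which sites are treated as Local Intranet (1 = on, 0 = off).
$zoneMap = foreach ($root in $roots) {
    foreach ($name in 'AutoDetect', 'IntranetName', 'ProxyBypass', 'UNCAsIntranet') {
        $value = Get-RegValue -Path (Join-Path $root 'ZoneMap') -Name $name
        if ($null -ne $value) { [pscustomobject]@{ Setting = $name; Value = $value; Location = $root } }
    }
}
$zoneMap | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Zone -eq 'Local Intranet' -and $_.ProtectedMode -eq 'Enabled' })) {
    Write-Warning 'Protected Mode is not explicitly enabled for the Local Intranet zone.'
}
```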