The Protected Mode in the later versions of Internet Explorer has been proven to be not so “Protected” as previously thought. While it is a security hole, it can also be avoided as much as possible by limiting the trusted Intranet Zone.
Researchers from Verizon Business have now described a way of bypassing Protected Mode in IE 7 and 8 in order to gain access to user accounts. The technique requires a vulnerability that allows the execution of malicious code in the browser or in a browser extension. Although the malware will initially only run in the browser’s Low Integrity Mode, it can start a web server on the computer that will respond to requests on any port of the loopback interface. By calling the IELaunchURL() function, an attacker can instruct IE to load a URL from this web server, for instance “http://localhost/exploit.html”. Localhost is generally part of IE’s Local Intranet Zone and, by default, Protected Mode is disabled for content from this zone.