Attackers rush to exploit unpatched IE 8 browser flaw; no fix for XP users
Liam Tung (CSO Online), 06 May, 2013 11:04

Pwn2Own 2015: The year every web browser went down
Every major web browser showed up, every one got hacked
By Steven J. Vaughan-Nichols for Networking | March 23, 2015, 11:53 GMT (04:53 PDT) | Topic: Security

Microsoft rushes fix for browser flaw after web attacks
By Jim Finkle, Boston | Sun Apr 27, 2014 5:55pm EDT

One of at least nine hacked legitimate sites hosting the IE 8 zero-day exploit was the Department of Labor’s “Site Exposure Matrices” website, according to security firm AlienVault, one of the first to report the attacks. The DOL site is a repository of information about toxic substances present at US Department of Energy facilities and supports compensation claims, suggesting the intended targets were from the nuclear energy sector.

“It’s a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza said via email. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.” He declined to elaborate, though he said one way to protect against them would be to switch to another browser.

How well did the hackers do? They seemingly won every prize for a cool $557,500. That didn’t include the value of the laptops winners got to keep (HP Omen gaming Notebooks), Zero Day Initiative (ZDI) points, and other prizes given to winning researchers.

“The Internet is a battlefield, the prize is your information, and bugs are the weapons”
Lev Grossman, TIME magazine

http://time.com/2972317/world-war-zero-how-hackers-fight-to-steal-your-secrets/

Targeted attacks / Large-scale attacks

Spear phishing attacks: coerce a user into browsing to a malicious site.
Watering hole attacks: the user browses to a legit (but compromised) site.

[Chart: # of Microsoft & Adobe browser-based CVEs exploited in targeted zero day attacks by year, 2006 to 2015]

Criminals have honed the Exploit-as-a-Service (EaaS) business model:
• Purchase “traffic” (via malvertising or compromised sites)
• Rent an exploit kit with bullet-proof hosting
• Purchase a payload to monetize infections (ransomware, etc.)

Well-funded and capable adversaries with specific goals. No technical expertise required for EK users – just criminal ambition!

Researchers and attackers are finding web browser vulnerabilities more and more effectively

[Chart: # of Microsoft web browser Remote Code Execution (RCE) CVEs addressed by patch year, 2006 to 2015]
[Chart: # of Microsoft Remote Code Execution (RCE) CVEs addressed by product area (Browser, Office, Windows, Other) and patch year, 2006 to 2015]

We experienced a 3.5x y/y increase in 2013 and ~2x y/y in 2014. Web browser vulnerabilities have accounted for more than 50% of Microsoft’s RCEs each year since 2013.

Microsoft Edge: the most attack-resistant browser Microsoft has released!

[Chart: attack cost/complexity over time, 2006 to 2015, spanning the code heap-spraying era and the arbitrary read/write era]

Objective: keep customers safe while they browse

Strategy: make it more expensive and more difficult for attackers to find and exploit vulnerabilities

Tactics:
• Eliminate vulnerabilities before attackers discover them
• Break the exploitation techniques attackers rely on
• Contain the attacks that do occur
• Prevent navigation to known dangerous sites

Microsoft Edge is the most secure browser Microsoft has ever shipped. Microsoft Edge uses multiple AppContainers to provide strong sandboxing and isolation improvements.

Isolation improvements with MS Edge: the MS Edge Multi-AC (AppContainer) Isolation Model
• Addresses all previous limitations of the Internet Explorer sandbox
• Significant attack surface reduction
• Flash running out-of-content process (starting in Windows 10 Anniversary Update)

[Diagram: the Edge Manager Process (MediumIL) communicates over IPC with an Elevation Broker (AppContainer), an Edge Content Process (AppContainer) and a Flash Tab (AppContainer); each IPC link crosses a trust boundary]

The Microsoft Edge isolation model addresses all previously known “by-design” sandbox attacks.

Heap spraying is a standard technique used by nearly every browser exploit


    var memory = new Array();
    function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
        var index;
        var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
        var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
        while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
        while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }

        var retSlide = unescape("%u" + heapSprayAddr_hi + "%u" + heapSprayAddr_lo);
        while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
        retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);

        var heapBlockCnt = (heapSprayAddr - heapBlockSize) / heapBlockSize;
        for (index = 0; index < heapBlockCnt; index++) {
            memory[index] = retSlide + shellcode;
        }
    }

A 32-bit address space is small and easy to spray. A 64-bit address space with High Entropy ASLR makes traditional heap spraying impractical.

90% of Windows 10 devices use a 64-bit version of Windows (& MS Edge). Attackers must have an additional information disclosure.

Break exploitation techniques – Microsoft Edge on Windows 10, July 2015 (Windows 10 RTM)

The vast majority of remaining use-after-free issues were in our DOM engine, due to dangling pointers on the heap.

    // 1. Allocate object
    p = new COptionElement();

    // 2. Zero object, but don’t free
    ZeroMemory(p, sizeof(T));

    // 3. Garbage collection phase frees all objects with no references (stack, registers, heap)

    // 4. Use “freed” object
    p->Foo();

The attacker cannot replace the object, because the object has never been freed. The “dangling” object is in a guaranteed zeroed state, which will lead to a safe NULL dereference or make it otherwise non-exploitable.
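To make the zero-then-defer scheme above concrete, here is an added toy model (my own code, not Microsoft's MemGC): "freeing" only wipes the object, and a collector returns the slot to the allocator only once no registered root still points at it. The slot layout, the explicit root registry standing in for stack/register scanning, and all names are assumptions.

```c
/* Added toy model of the "zero, then defer the free" scheme described above.
 * Not Microsoft's MemGC: slot layout, root registry and names are assumptions. */
#include <stdint.h>
#include <string.h>

#define SLOT_DATA 24
#define NSLOTS    8
#define MAX_ROOTS 16
enum { FREE = 0, LIVE = 1, PENDING = 2 };   /* per-slot state */
typedef struct { uint32_t type_tag; uint32_t len; char data[SLOT_DATA]; } Obj;

static Obj   heap[NSLOTS];
static int   state[NSLOTS];
static Obj **roots[MAX_ROOTS];   /* stand-in for scanning stack/registers/heap */
static int   nroots;

Obj *mgc_alloc(uint32_t tag) {
    for (int i = 0; i < NSLOTS; i++)
        if (state[i] == FREE) { state[i] = LIVE; heap[i].type_tag = tag; return &heap[i]; }
    return NULL;
}

/* The "delete" path: wipe the object, but do NOT return its slot to the allocator. */
void mgc_release(Obj *p) {
    memset(p, 0, sizeof *p);
    state[p - heap] = PENDING;
}
void mgc_add_root(Obj **ref) { roots[nroots++] = ref; }

/* Collector: a PENDING slot becomes FREE only when no root still references it. */
int mgc_collect(void) {
    int reclaimed = 0;
    for (int i = 0; i < NSLOTS; i++) {
        if (state[i] != PENDING) continue;
        int referenced = 0;
        for (int r = 0; r < nroots; r++)
            if (*roots[r] == &heap[i]) referenced = 1;
        if (!referenced) { state[i] = FREE; reclaimed++; }
    }
    return reclaimed;
}

/* Replays steps 1-4 from the slide. Returns 1 when the dangling pointer sees
 * only zeros and a new allocation cannot reoccupy the not-yet-freed slot. */
int demo_use_after_release(void) {
    memset(state, 0, sizeof state); nroots = 0;
    Obj *p = mgc_alloc(0x41);                  /* 1. allocate */
    mgc_add_root(&p);                          /* p lives where the GC scans */
    strcpy(p->data, "vtable-ish");
    mgc_release(p);                            /* 2. zero, don't free */
    mgc_collect();                             /* 3. GC: still referenced, stays PENDING */
    Obj *q = mgc_alloc(0x42);                  /* would-be replacement lands elsewhere */
    int ok = (q != p) && p->type_tag == 0 && p->data[0] == 0;  /* 4. "use": zeros */
    p = NULL;                                  /* last reference dropped... */
    return ok && mgc_collect() == 1;           /* ...now the slot is reclaimed */
}
```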

Eliminate vulnerabilities – Microsoft Edge on Windows 10, July 2015 (Windows 10 RTM); IE11 on + (as of 10/2015)

Microsoft Edge drastically reduces the web attack surface: legacy document modes are gone.

A large amount of code was removed!

Eliminate vulnerabilities – Microsoft Edge on Windows 10, July 2015 (Windows 10 RTM)

Content processes enable code integrity and image load restrictions to prevent malicious DLLs from being loaded: properly signed images load, malware and grayware are blocked.

An additional benefit: these restrictions help prevent unwanted DLLs from being injected into Edge content processes.

Break exploitation techniques – Edge on Windows 10, November 2015 (Windows 10 1511 update)

CFG helps mitigate the standard way that web browser exploits initially hijack control of code execution.

Compile time:

    void Foo(...) {
        // SomeFunc is address-taken
        // and may be called indirectly
        Object->FuncPtr = SomeFunc;
    }

    void Bar(...) {
        // Compiler-inserted check to
        // verify call target is valid
        _guard_check_icall(Object->FuncPtr);
        Object->FuncPtr(xyz);
    }

Metadata is automatically added to the image which identifies functions that may be called indirectly. A lightweight check is inserted prior to indirect calls which will verify that the call target is valid at runtime.

Runtime:
• Image load: update valid call target data with metadata from the PE image
• Process start: map valid call target data
• Indirect call: perform an O(1) validity check; terminate the process if the call target is invalid

With CFG in place, ROP gadgets and other invalid functions cannot be called indirectly.
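An added toy model (my own code, not Microsoft's CFG implementation) of the two halves shown above: address-taken functions are recorded in a constant-time lookup set at "image load", and every indirect call first runs a guard check that refuses any address not in the set. The hash set standing in for the guard bitmap, the handler functions and all names are assumptions.

```c
/* Added toy model of the CFG mechanism shown above. Not Microsoft's
 * implementation: the hash-set "bitmap", the names and the handlers are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 64                       /* power of two, open addressing */
typedef int (*handler_t)(int);
static uintptr_t valid_targets[TABLE_SIZE]; /* 0 = empty slot */

static unsigned slot_for(uintptr_t addr) {
    return (unsigned)((addr >> 4) * 0x9E3779B97F4A7C15ull) & (TABLE_SIZE - 1);
}

/* "Image load": record a function the compiler marked as address-taken. */
void cfg_register_target(handler_t fn) {
    uintptr_t a = (uintptr_t)fn;
    unsigned s = slot_for(a);
    while (valid_targets[s] != 0 && valid_targets[s] != a) s = (s + 1) & (TABLE_SIZE - 1);
    valid_targets[s] = a;
}

/* Constant-time lookup standing in for the guard bitmap test. */
int cfg_is_valid_target(handler_t fn) {
    uintptr_t a = (uintptr_t)fn;
    for (unsigned s = slot_for(a); valid_targets[s] != 0; s = (s + 1) & (TABLE_SIZE - 1))
        if (valid_targets[s] == a) return 1;
    return 0;
}

/* What the compiler inserts before Object->FuncPtr(xyz): check, then call. */
int cfg_checked_call(handler_t fn, int arg) {
    if (!cfg_is_valid_target(fn)) abort();  /* real CFG terminates the process here */
    return fn(arg);
}

static int double_it(int x)   { return 2 * x; }  /* address-taken */
static int negate(int x)      { return -x; }     /* address-taken */
static int never_taken(int x) { return x + 1; }  /* only ever called directly */

/* Returns 1 when registered targets are callable and two corrupted pointers
 * (a non-address-taken function, and an address inside a function body) are refused. */
int demo_cfg(void) {
    memset(valid_targets, 0, sizeof valid_targets);
    cfg_register_target(double_it);
    cfg_register_target(negate);
    handler_t forged = never_taken;
    handler_t mid_fn = (handler_t)((uintptr_t)double_it + 3);
    return cfg_checked_call(double_it, 21) == 42
        && cfg_checked_call(negate, 5) == -5
        && !cfg_is_valid_target(forged)
        && !cfg_is_valid_target(mid_fn);
}
```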

Break exploitation techniques – Microsoft Edge on Windows 10 and IE11 on Windows 8.1+, November 2014 (Windows 8.1 Update 3)

Microsoft Edge:
• Kernel exploits have increased 300% since 2014
• Often used by attackers to escape browser sandboxes
• Microsoft Edge now enforces an allow list for kernel calls from Flash and the content process (system call allow list)
• Microsoft Edge makes kernel attacks more difficult by reducing the kernel components exposed to the browser
• Flash player has its own app container, and has been hardened to resist memory corruption

SmartScreen uses machine learning and hybrid analysis to block browser-based attacks

SmartScreen provides full-spectrum protection against URL and file-borne attacks in the Microsoft Edge and IE browsers

To generate blocks, SmartScreen combines machine learning, dynamic/static analysis, anti-malware telemetry, the Bing search graph, and Microsoft cloud sources.

Telemetry sources: anti-malware endpoints (300M), MSRT (1.2B), Bing (2.5T URL index), SmartScreen (600M URL reports), AppRep (50M file look-ups), Hotmail/O365/Exchange, OS telemetry, Azure/Microsoft Account

Microsoft Edge was built from the ground up to mitigate current and future vulnerability exploits.

Each Microsoft Edge iteration introduces new and innovative security features, keeping attacks blocked.

Planning & Consideration | Testing & Evaluation | Deployment & Remediation | Management

Planning & Consideration
• Evaluate key benefits, upgrade drivers
• Review with BDMs, ITDMs, and key stakeholders to evaluate impact
• Map out key risks and dependencies

Testing & Evaluation
• Review budget and resourcing with BDMs
• Evaluate hardware & infrastructure needs
• Conduct web app inventory, identify owners, upgrades
• Assess ISV support agreements, software upgrades needed

Deployment & Remediation
• 1st party & 3rd party web app testing
• Client testing
• Remediation for issues (backward compatibility, virtualized environments)

Management
• Configure browser and management
• Train users, if needed
• Prepare support teams for help desk issues that may arise
• Deployment (SCCM, GP, MDM)
• Ongoing management

Planning & Consideration | Testing & Evaluation | Deployment & Remediation | Management

[Table: browser availability by OS (Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10) for Internet Explorer 6, 7, 8, 9, 10, 11 and Microsoft Edge; the check marks are not recoverable]

Microsoft Edge is the safer, faster, more productive web browser that ships with Windows 10; legacy web apps fall back automatically to Internet Explorer 11.

://aka.ms/edgeinfographic

1. Use Microsoft Edge as a safer, faster, more productive default browser
2. Switch automatically to Internet Explorer 11 for approved sites on the Enterprise Mode Site List
3. Switch back automatically to Microsoft Edge for all other sites

Provides support for web apps designed for Internet Explorer. Supported on Windows 7, Windows 8.1, Windows 10.

Upgrading web apps to modern standards is the best long-term solution, but you can use Internet Explorer 11 for backward compatibility and upgrade web apps on your own schedule.

Document modes supported by each Internet Explorer release:

    Internet Explorer 5  (1999): IE5 Doc Mode
    Internet Explorer 7  (2006): IE5, IE7 Doc Modes
    Internet Explorer 8  (2009): IE5, IE7, IE8 Doc Modes
    Internet Explorer 9  (2011): IE5, IE7, IE8, IE9 Doc Modes
    Internet Explorer 10 (2012): IE5, IE7, IE8, IE9, IE10 Doc Modes
    Internet Explorer 11 (2013): IE5, IE7, IE8, IE9, IE10, IE11 Doc Modes, plus IE8 Enterprise Mode and IE7 Enterprise Mode

Planning & Consideration | Testing & Evaluation | Deployment & Remediation | Management

Evaluation tools

F12 Developer Tools
• Shows doc mode
• Requires some IT user training
• Manual collection
• Little configuration needed

Enterprise Site Discovery
• Shows how web apps are used in the current environment
• Requires no user training
• Automatic collection
• Configuration needed

Upgrade Analytics
• Based on Enterprise Site Discovery
• Requires no user training
• Automatic filtered collection
• Configuration needed

Enterprise Site Discovery

[Diagram: the user browses Site A, Site B and Site C; data collection (WMI/XML) builds a data-driven picture of the web environment; site scoping limits which sites are collected]

• Supported by IE8, IE9, IE10, IE11
• Disabled by default
• Site scoping by Domain & Zone for privacy
• XML or WMI output
• Group Policy management

Enterprise Site Discovery Data

    Data point                         IE11 IE10 IE9 IE8  Description
    IE Version                         X    X    X   X
    URL                                X    X    X   X    URL of the browsed site, including any parameters included in the URL.
    Domain                             X    X    X   X    Top-level domain of the browsed site.
    ActiveX GUID                       X    X    X   X    The GUID of the ActiveX controls loaded by the site.
    Document mode                      X    X    X   X    Document mode used by Internet Explorer for a site, based on page characteristics.
    Document mode reason               X    X             Additional information about why a document mode was set by Internet Explorer.
    Browser state reason               X    X             Additional information about why the browser is in its current state. Also called browser mode.
    Hang count                         X    X    X   X    Number of visits to the URL when the browser hung.
    Crash count                        X    X    X   X    Number of visits to the URL when the browser crashed.
    Most recent navigation failure     X    X    X   X    Description of the most recent navigation failure (like a 404 bad request or 500 internal server error) and the number of times it happened.
    (and count)
    Number of visits                   X    X    X   X    The number of times a site has been visited.
    Zone                               X    X    X   X    Zone used by Internet Explorer to browse sites, based on browser settings.

Upgrade Analytics

Planning & Consideration | Testing & Evaluation | Deployment & Remediation | Management

Enterprise Mode Site List (generated by EMIESiteListManager 10.0.11060.1008, 09/28/2016 15:02:41): the improved v2 schema records, for each site, its compat mode (e.g. IE8Enterprise) and the browser it opens in (IE11).

Group Policy settings for Enterprise Mode

Internet Explorer 11
• Policy: Let users turn on and use Enterprise Mode from the Tools menu
  Location: {Computer|User} Administrative Templates \ Windows Components \ Internet Explorer
  Registry key: {HKLM|HKCU} Software \ Policies \ Microsoft \ Internet Explorer \ Main \ EnterpriseMode \ Enable
  Notes: This regkey must exist to use “Enterprise” in F12 developer tools. Formerly used for logging Enterprise Mode; ESD is now recommended instead.
• Policy: Use the Enterprise Mode IE website list
  Location: {Computer|User} Administrative Templates \ Windows Components \ Internet Explorer
  Registry key: {HKLM|HKCU} Software \ Policies \ Microsoft \ Internet Explorer \ Main \ EnterpriseMode \ SiteList
  Notes: Best practice: use URLs, not file names. To check, use “about:compat” or HKCU \ Software \ Microsoft \ Internet Explorer \ Main \ EnterpriseMode \ CurrentVersion
• Policy: Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
  Location: {Computer|User} Administrative Templates \ Windows Components \ Internet Explorer
  Notes: Restricts IE usage to approved sites on the Enterprise Mode Site List

Microsoft Edge
• Policy: Configure the Enterprise Mode Site List
  Location: {Computer|User} Administrative Templates \ Windows Components \ Microsoft Edge
  Registry key: {HKLM|HKCU} Software \ Policies \ Microsoft \ MicrosoftEdge \ Main \ EnterpriseMode \ SiteList
  Notes: Best practice: use the same URL for Microsoft Edge and IE11. To check, use “about:compat” or HKCU \ Software \ Microsoft \ MicrosoftEdge \ Main \ EnterpriseMode \ CurrentVersion

Planning & Consideration | Testing & Evaluation | Deployment & Remediation | Management

Tip: Don’t disable the Edge engine. EdgeHTML is used to render HTML/JavaScript in Universal Windows Apps.

Enterprise Mode Site List Manager

Advantages
• Creates error-free XML
• Simple n+1 versioning
• Catches URL redirects

Disadvantages
• Designed for a single user
• Not scalable
• No approval process

Guidance