Benefits of IE Protected Mode

One of the vulnerabilities addressed in MS09-019, CVE-2009-1140, involves navigating to a local file via a UNC path, for example \\127.0.0.1\c$. This roundabout way of navigating to a file is necessary to execute local content such that it runs in the Internet Explorer Internet zone, where scripting is enabled.

As it turns out, versions of IE that are running with the Protected Mode feature turned on are protected against this attack. The reason for this is that with Protected Mode on, IE runs with lower privileges and loses access to many resources, including the loopback SMB shares. Since this attack requires that the browser be able to access index.dat over a loopback SMB share, the attack cannot be carried out. Of course it should be noted that machines with either Protected Mode IE turned off OR UAC turned off remain vulnerable to this.

Often when we look at the benefits of Protected Mode IE, we look at its impact on native code running within the browser process. In this case we can see a benefit from the Protected Mode mitigation which is often overlooked. Specifically, the restrictions on resource access in Protected Mode IE can serve to thwart script-based attacks.

Protected Mode can be configured in Internet Explorer's Internet Options dialog. To configure Protected Mode, click the Security tab, select a Web content zone, and then change the "Enable Protected Mode" check box. By default, Protected Mode is enabled for the Internet, Intranet, and Restricted Sites zones. To verify that Internet Explorer is running in Protected Mode, look for the words "Protected Mode: On" next to the Web content zone displayed in Internet Explorer's status bar.

To enable Protected Mode, you also need to ensure that Vista UAC is enabled, as described here: http://support.microsoft.com/kb/969417. By default, UAC is enabled.

More information on Protected Mode IE is available here: http://msdn.microsoft.com/en-us/library/bb250462.aspx

Additional Network Protocol Lockdown Workaround

We have identified an additional workaround leveraging Internet Explorer Network Protocol Lockdown. Internet Explorer can be configured to lock down HTML content from particular network protocols. This feature allows an administrator to extend the same restrictions of the Local Machine Zone Lockdown (http://technet.microsoft.com/en-us/library/cc782928.aspx) to be applied to any content on any arbitrary protocol in any security zone.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To lock down the "file" protocol, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"file"="file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
"file"="file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
"file"="file"

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

Impact of workaround: HTML content from UNC paths in the Internet / Local Intranet / Restricted zones will no longer automatically run script or ActiveX controls.

How to undo the workaround: To reverse this workaround, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000000
"iexplore.exe"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
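As an added example (not part of this post or of Microsoft's guidance), the following PowerShell script audits a machine for the two mitigations discussed above: whether the "file" protocol lockdown from the .reg file is in place for zones 1, 3 and 4, and whether the Protected Mode prerequisites hold. The per-zone value 2500 (0 = Protected Mode on) and the EnableLUA policy value for UAC are assumptions drawn from general knowledge of IE and Vista, not from the post.

```powershell
# Added audit script, not from the MSRC post. Run in an elevated PowerShell.
# Assumed outside the post: zone value 2500 (0 = Protected Mode on, 3 = off)
# and HKLM\...\Policies\System\EnableLUA (1 = UAC enabled).
$lockdownKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$restrictedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'
$zonesKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$uacKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Literal lookup (a value named "*" must not be treated as a wildcard);
    # returns $null when the key or the value does not exist.
    try { (Get-Item -LiteralPath $Path -ErrorAction Stop).GetValue($Name) } catch { $null }
}

function Test-FileProtocolLockdown {
    # The feature applies to IE when either the "iexplore.exe" or the "*" entry is 1.
    $ieLocked = ((Get-RegValue $lockdownKey 'iexplore.exe') -eq 1) -or
                ((Get-RegValue $lockdownKey '*') -eq 1)

    # Zones targeted by the workaround: 1 = Local Intranet, 3 = Internet, 4 = Restricted Sites.
    $zones = @{ 1 = 'Local Intranet'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    foreach ($id in ($zones.Keys | Sort-Object)) {
        # "file" must be listed under RestrictedProtocols\<zone> for the lockdown to apply.
        $listed = (Get-RegValue "$restrictedKey\$id" 'file') -eq 'file'

        # Per-zone Protected Mode state from the (assumed) 2500 value.
        $pm = Get-RegValue "$zonesKey\$id" '2500'
        $pmState = 'unknown'
        if ($pm -eq 0) { $pmState = 'on' } elseif ($null -ne $pm) { $pmState = 'off' }

        [pscustomobject]@{
            Zone          = $zones[$id]
            FileLockdown  = $ieLocked -and $listed
            ProtectedMode = $pmState
        }
    }
}

# Protected Mode only takes effect when UAC is enabled, so report that first.
$uac = Get-RegValue $uacKey 'EnableLUA'
if ($uac -eq 1) { Write-Host 'UAC (EnableLUA): enabled' }
else            { Write-Host 'UAC (EnableLUA): disabled or not set; Protected Mode is ineffective' }

Test-FileProtocolLockdown | Format-Table -AutoSize
```

A zone showing FileLockdown = False with ProtectedMode = off (or UAC disabled) is one where neither mitigation described above is in effect.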

- David Ross, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*