[Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode
- From: haroon at sensepost.com (Haroon Meer)
- Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode
- Date: Mon, 02 Apr 2007 06:21:08 +0200
Hi Larry..

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.

Assuming a compromised IE session is relatively harmless is pretty dangerous. While low privileged browsing is a welcome idea it is unfortunately (mostly) a solution to yesterday's problem.

In the past we used to worry about zillions of machines being compromised and becoming zombies. Today, we are realizing more and more that it's all about the data.

ex: I run as mh on my machine. Everything of value on my machine is accessible to me. My music, my videos, my documents, my email, etc. Getting root/system on my machine gets you bragging rights, but if you were serious about hurting me, then mh is the only account you really need to compromise.

By default, IE uses a NoWriteUp policy. Meaning that a low IL mh shell still gets to read everything of mh's by default (Check out Mark Minasi's chml to convert this to a more secure NoReadUp: http://www.minasi.com/vista/chml.htm)

A low integrity shell (as a result of an IE compromise) may not be able to write files to most locations on my machine, and so prevents my machine from being "owned" in the traditional sense, but won't stop me from losing all of my data.

/mh

--
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637
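The NoWriteUp versus NoReadUp distinction discussed in the message above, as an added example that is not part of the original post: a simplified Python model of the integrity check only (the DACL check is out of scope). The file paths and the helper names `mic_allows` and `exposure` are constructed for illustration; the level and policy-bit values are the ones defined in winnt.h.

```python
from dataclasses import dataclass

# Integrity levels (RIDs of the well-known mandatory label SIDs).
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000

# Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_* in winnt.h).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4


@dataclass
class Obj:
    path: str                  # constructed sample path
    level: int = MEDIUM        # an unlabeled object is treated as medium
    policy: int = NO_WRITE_UP  # ...with the default NoWriteUp policy


def mic_allows(subject_level: int, obj: Obj, access: str) -> bool:
    """True if the integrity check lets access ('r', 'w' or 'x') through.

    Models the integrity check only; a real access request must also
    pass the object's DACL afterwards.
    """
    if subject_level >= obj.level:
        return True  # policy bits only restrict lower-integrity subjects
    bit = {"r": NO_READ_UP, "w": NO_WRITE_UP, "x": NO_EXECUTE_UP}[access]
    return not (obj.policy & bit)


def exposure(subject_level: int, objects: list) -> list:
    """Paths a subject at this integrity level can still read."""
    return [o.path for o in objects if mic_allows(subject_level, o, "r")]


# Constructed sample: two files with the default label, one relabeled
# with NoReadUp (the kind of change the chml reference is about).
SAMPLE = [
    Obj(r"C:\Users\mh\Documents\report.doc"),
    Obj(r"C:\Users\mh\Mail\inbox.pst"),
    Obj(r"C:\Users\mh\Keys\private.asc", policy=NO_WRITE_UP | NO_READ_UP),
]

if __name__ == "__main__":
    print("readable from low IL:", exposure(LOW, SAMPLE))
    print("writable from low IL:",
          [o.path for o in SAMPLE if mic_allows(LOW, o, "w")])
```
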