Saturday, March 29, 2008

Internet Explorer 7 Protected-mode vs Firefox

I'm sure you all have herd that Vista and Windows 2008 come with a different type of Internet explorer, called Protected-Mode (PE). It's available only for those 2 operating-systems not because Microsft wants to force you to upgrade from XP (well, they probably do) but it's simply impossible to run PE IE7 without the integrity mechanisms we talked about earlier.
Windows no longer sees IE just like an ordinary application. It is an untrusted application; and there's some sound logic behind that, considering the fact that you generally download the malware installer and also, several exploits target IE7. So, instead of running IE with the integrity the user is assigned, it runs with LOW integrity, meaning it cannot modify any objects that are Medium or above. That restriction gives it only a few places it can write to:

%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low

And that's it! IE cannot write anywhere else without your approval. That also means that any extension you might load with IE (Browser helper object, Toolbar etc) can only write to those areas, unless you allow it to write elsewhere.
So the basic concept sounds like this : if a hacker exploits an undocumented vulnerability in IE7 PE, his code will only inherit LOW integrity, thus limiting his access to the entire system. In theory, it all sounds really great, but we have already seen discussion about privilege escalation attacks.

At the last ITboard meeting I was asked by a fellow MVP, Razvan Socol, if Firefox could benefit from the new integrity mechanism. I said then that Firefox, could benefit from the integrity mechanism only if the developpers will adapt their code and declare firefox.exe and the places it needs to write to as LOW. While that is true, I didn't imagine at the time, that you can take advantage of a new privilege called SERelabelPrivilege, that allows a username to modify an objects integrity level.

When it comes to modifying the integrity level of an object, there are 2 rules to take into account:
1. Only TrustedInstaller (%windir%\servicing\TrustedInstaller.exe) can raise the integrity level of an object.
2. Any process can define for its object (or for objects with equal integrity level) a lower integrity level. Due to rule no.1 lowering the integrity level is irreversible.

Those rules apply, of course, on a default installation. If you want to mess with integrity levels, you can allow yourself the SeRelabelPrivilege (that by default, noone has except for the system) ingpedit.msc > User Rights Assignment > "Modify an object label", like I did in the screen below to the username "Victor". Make sure you log off then back on for your security token to be recreated with the SeRelabelPrivilege.

Ok, once we got that figured out you might say : "Hey, this stuff is cool, I would like to have the benefits of IE7 but run Firefox! Can I do that?" The answer is yes, but it takes an extra 10 minutes and it's not entirely compatible.
There are 2 tools we can use to modify an object's integrity level : icacls (built-in utility that replaces the cacls.exe utility in XP/2003) or chml (a tool designed by Mark Minasi which you can download here). I'm going to use both and you can decide on whicone to use.

After we have downloaded firefox, we install it with the default values. If you run it before doing the steps below, the folders that Firefox needs are going to be created. If not, you are going to have to create them yourself. Let's use chml and set the firefox.exe file to LOW integrity. We have to open up an elevated command prompt (Run as Administrator) and run from within the Firefox folder the command : chml firefox.exe -i:l like I did in the screenshot below :

Now, we have modified the integrity label of the firefox.exe object to LOW. Like we said when we talked about integrity, the system is going to choose the lowest integrity level between the iuser's integrity level (the default integrity level, MEDIUM) and the object's integrity level, in this case, LOW.
Once we have done this we have limited the areas where firefox.exe can write to/modify. However, firefox does use 3 folders in which he stores data :


We need to set this to integrity LOW aswel, because LOW integrity processes can only write to LOW integrity objects. Using the same eleveted command prompt, we can run icacls to set them to low integrity : icacls FolderName /setintegritylevel (oi)(ci)low
The "(oi)(ci)" will make chil objects inherit the low integrity.

And now, when launching Firefox you should get see that it is running low integrity. You can use Process Explorer from Sysinternals to see the Integrity level (you need to add the "Integrity" column). It should look something like this:

You now have a secure Firefox browser that can take advantage of the new security features in Vista. Take note that you will also need to create a downloads folder that also has LOW integrity.
This, of course, is only a workaround, and I can forsee that some extensions could have problems with Firefox running with LOW integrity. I personally, didn't experience any, but then again, I haven't tried all the extensions :)
In the end, I need to mention that this should be one layer of your security system. It is specially efficient against exploits and vulnerabilities that haven't been traced and also against scripts that try to run without your knowledge on the computer.
Mozilla developers should work with the integrity mechanisms within Vista and offer in future versions that will launch directly as Low integrity.