![]() Running IE in 64-bit mode with Enhanced Protected Mode enabled is a strongly effective countermeasure against attacks targeting IE, until an exploit code for 64-bit emerges. In this case, the attack also fails, similarly to the test results in Windows 8, etc. Note that AppContainer is not supported in Windows 7 therefore IE just runs in 64-bit mode when Enhanced Protected Mode is enabled. Therefore, if IE is running in 64-bit mode, these exploit codes fail to execute as intended by the attacker. All the exploit codes leveraging vulnerability in IE that JPCERT/CC has analyzed so far were created exclusively for 32-bit OS. The reason for IE’s unexpected shutdown in 64-bit mode is that the exploit code executed in the IE process was created exclusively for a 32-bit environment. Figure 5: Behaviour of Unauthorized Code on IE 11 (64-bit) for Windows 8.1 with Enhanced Protected Mode enabled On the other hand, in IE running in 64-bit with the Enhanced Protected Mode enabled, the Powershell fails to run, and IE shut down unexpectedly, as shown in the following figure. Figure 4: Behaviour of Unauthorized Code on IE 11 (32-bit) for Windows 8.1 with Enhanced Protected Mode enabled It shows that the attack was successfully conducted under this condition as well, and the PowerShell is running. Figure 3: Behaviour of Unauthorized Code on IE 11 (32-bit) for Windows 8.1įurthermore, Figure 4 shows the verification of IE running in 32-bit with the Enhanced Protected Mode enabled. The verification was conducted on IE 11 for Windows 8.1.Īs shown in Figure 3, the attack was successfully conducted in IE running in 32-bit with the Enhanced Protected Mode turned off the PowerShell is running. In order to validate how Enhanced Protected Mode is effective in reducing damage by malware infection through IE, we analysed using an exploit code that leverages CVE-2014-6332 (vulnerability in IE)which runs PowerShell to attempt to execute an unauthorized code. Figure 2: IE Integrity Level (confirmed with Process Explorer) In a widely known case, the Windows Store applications runs in an AppContainer environment, and an Enhanced Protected Mode designated IE also runs in an AppContainer environment. Also, Microsoft “Edge”, the all new web browser introduced with Windows 10, will run in 64-bit mode by default.ĪppContainer is a sandbox environment introduced in Windows 8, which limits process operations more strictly than does the Integrity Level (in Protected Mode). Furthermore, IE that is launched from Window Store applications in Windows 8, etc., will run in 64-bit mode. On a 64-bit Windows, IE will run in 64-bit mode by enabling the Enhanced Protected Mode, plus in case of IE 11 for Windows 8 and later, by checking the “Enable 64-bit processes for Enhanced Protected Mode” in “Internet options”. A sandbox environment called AppContainer (only on Windows 8, 8.1 and 10)Įven on a 64-bit Windows, IE will run in 32-bit mode if the Enhanced Protected Mode is turned off.64-bit mode (only in a 64-bit mode Windows). ![]() When Enhanced Protected Mode is enabled, IE will run in the following mode: Windows 7 (64-bit) *Not available on 32-bit OS.This feature is available in the following OS: Figure 1: Enhanced Protected Mode setting screen (IE 11 for Windows 8.1) To enable it, you must tick the “Enable Enhanced Protected Mode” option in the Security section of IE’s Tools > Internet Options > Advanced tab, and then restart IE. Unlike Protected Mode, Enhanced Protected Mode is turned off by default. In this article, I’d like to introduce an even stronger security function called “Enhanced Protected Mode”, which is a feature of IE 10 and 11 - its overview and preventive effects against damages caused by malware infection. My previous post discussed the mitigation effects against damages caused by malware infection by enabling Internet Explorer’s (hereafter “IE”’s) Protected Mode. Hi, it’s Shusei Tomonaga again from the Analysis Center.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |