December 03, 2010
Verizon White Paper: Escaping from Microsoft’s Protected Mode Internet Explorer
"In Internet Explorer 7 and Windows Vista, Microsoft introduced a new browser security feature called “Protected Mode”. According to Microsoft, this mechanism “significantly reduces the ability of an attack [against Internet Explorer] to write, alter or destroy data on the user’s machine”.1,2 A clearer description is that the feature attempts to protect the integrity of the client machine in the event the browser is compromised in an attack and prevent malware from being persisted on the targeted machine. This paper will describe why this is not currently the case in Internet Explorer 7 or 8 for remote code execution vulnerabilities, discuss the limitations of the feature by design, identify generic attack patterns that can be used to bypass the feature (without user intervention) and discuss some inconsistencies in the underlying access control implemented in Microsoft® Windows®."