Four years later, a key IE defense against drive-by attacks is still easy to bypass.

There's a trivial way for drive-by exploit developers to bypass the security sandbox in almost all versions of Internet Explorer, and Microsoft says it has no immediate plans to fix it, according to researchers from Hewlett-Packard.

The exploit technique, laid out in a blog post published Thursday, significantly lowers the bar for attacks that surreptitiously install malware on end-user computers. Sandboxes like those included in IE and Google Chrome effectively require attackers to devise two exploits, one that pierces the sandbox and the other that targets a flaw in some other part of the browser. Having a reliable way to clear the first hurdle drastically lessens the burden of developing sophisticated attacks.

The bypass technique "does give the attacker a significant advantage by giving them higher-level access than a typical exploit might in Internet Explorer, by allowing them to escape the sandbox," Robert "Rsnake" Hansen, a vice president at security firm WhiteHat Labs, wrote in an e-mail to Ars. "In practical terms this is a very important finding, because it can be tied into existing exploits that might otherwise not be able to escape the IE sandbox."

A Balkanized state for attack code

Known as Protected Mode, Microsoft's sandbox works by funneling most Web content into a "low integrity" level that has limited access to other applications or sensitive parts of the operating system. Attacks that remain confined to this Balkanized state may still be suitable for denial-of-service attacks or for installing scripts that automate the sending of spam, but they generally have a much harder time surviving a reboot and gaining more access to a targeted system. The HP researchers found a trivial way to funnel attack code into "medium integrity" processes, the level allocated to normal Windows users. The technique was first documented by researchers from Verizon in 2010, when IE 7 was in vogue. The HP researchers' contribution was to show that it remains viable even against most newer versions.

The technique involves setting up a fake Web server that executes a reliable working exploit against the computer's localhost address, the address used for communicating with services on the same local system. With that, the attack code runs with medium integrity privileges, unconstrained by the sandbox. The technique works by default against all versions of IE except IE 11 running on Windows 8.1. That configuration enables Enhanced Protected Mode (EPM) by default, and EPM is immune to the bypass. EPM is also enabled by default in IE 10 and 11 when running in Metro mode; in desktop mode it must be turned on explicitly.

In a four-sentence statement, Microsoft officials downplayed the severity of the bypass. The statement said:

We do not consider this to be a security vulnerability within Protected Mode. Protected Mode is a defense-in-depth feature introduced by Internet Explorer 7 in 2006 and improved by Enhanced Protected Mode in 2012. Enhanced Protected Mode, enabled in Internet Explorer 11 and running on Windows 8.1, blocks this technique. This technique cannot be used, on its own, to compromise a customer’s security.

Some outside researchers remain unconvinced.

"It is important to highlight the fact that launching medium integrity processes is a problem in four major versions of Internet Explorer since the Verizon paper," HP researcher Matt Molinyawe wrote. "You don’t need the required protected mode API or have to interface with the broker at all. Simply redirect with any means possible, whether it be with JavaScript, page reload, etc. Our identification that redirection to medium integrity can occur with what can be considered normal operation demonstrates that this can potentially be used in a covert manner without triggering anomalous behavior."

HD Moore, chief research officer at Rapid7, agreed the bypass is serious.

"In my opinion, network administrators should respond by switching users over to a more secure browser, such as Chrome, and looking into an additional layer of sandboxing for anyone who must use Internet Explorer," he said. Third-party sandboxing products from Sandboxie and Invincea are good candidates, he said, as are Amazon desktop images with no content, temporary virtual machines, and Microsoft's Enhanced Mitigation Experience Toolkit.