Black Hat: Microsoft’s Killbit Under the Microscope

Black hat

LAS VEGAS — Microsoft has long dealt with insecure ActiveX controls through what’s known as a killbit, a means in its Internet Explorer browser of limiting the danger by locking out specific ActiveX controls.

Until this week, getting visibility into the killbit itself was not an easy task. Thanks to a new tool called Killbit Visualizer, released Wednesday here at the Black Hat security conference, that’s no longer the case — providing some insight into how Microsoft relies on killbits to tackle complex security issues, and where some of their shortcomings might be.

IBM ISS researchers Mark Dowd and David Dewy, along with Ryan Smith from iDefense, explained in vivid detail how certain coding practices lead to vulnerabilities and how resorting to killbits can, in some ways, paper over flaws that haven’t been fully addressed.

“Microsoft has chosen to fix a lot of the ActiveX vulnerabilities with killbits,” Dewey said. “We have enumerated slightly over 100 ActiveX controls that were not completely fixed and were simply ‘killbitted.'”

That’s going to be an issue if — as the trio demonstrated — killbits can also be bypassed.

Early word of the researchers’ plans to present their findings at Black Hat proved enough to drive Microsoft to respond on Tuesday by issuing a rare out-of-band security update. That patch sought to close a flaw in an Active Template Library (ATL) that Microsoft had killbitted after becoming aware of it 18 months ago.

While their presentation on killbits and how they might be bypassed might have caused some trouble for the software giant, it resulted in a long-lasting flaw being corrected, the researchers pointed out.

To prove their point, Smith demoed the team’s killbit analyzer to the accompaniment of the Rolling Stones’ “You Can’t Always Get What You Want”.

“The take-home is that you can’t always get what you want, but to Microsoft’s dismay, sometimes you get what you need,” Smith said.

Though the researchers took aim at Microsoft, they also gave the company credit for how it dealt with the ATL vulnerability. That flaw affected many aspects of development, making other means of tackling it problematic, they said.

“Hopefully, you’ve seen through the entire presentation here … why there may be a technical reason why it takes 18 months to co-ordinate a patch release,” Dewy said. “It affects thousand of vulnerabilities across the Microsoft install base and innumerable binaries. Microsoft had the unenviable task of coordinating a vendor disclosure that actually affected thousand of third-party vendors — anyone that has compiled an ActiveX control with Visual studio may have been at risk.”

Microsoft’s view

The researchers had been in contact with Microsoft prior to the release of the research at Black Hat and Microsoft staff were in attendance during their presentation.

Mike Reavey, director of the Microsoft Security Response Center, told that the killbit is still a very important security function when you’re dealing with ActiveX controls — though it’s not the ultimate solution.

“The right way to fix software problems is in the code itself, so the same practices we have around secure development will help to mitigate threats beyond just using the killbit,” Reavey said. “The other thing is you can’t eliminate all possible vulnerabilities in all possible parts of software. You can work to mitigate them.”

Reavey noted that when Microsoft first became aware of the issue, it realized it was serious and moved to address the issue.

“With the updates we released Tuesday, one of them is for IE — though the vulnerability is not within IE, but it does help to mitigate the ability to bypass a killbit,” he said. “So even if you have a vulnerable control on your system that would allow you to bypass the killbit, with what we’ve released in IE, it blocks that.”

It’s an assessment that Dewy, who had been planning to demonstrate killbit bypassing, agrees with.

“I haven’t had a lot of time to validate how good the IE fix is,” Dewy said. “But my IE was auto-updated and it broke my demo.”

News Around the Web