Windows Phone 7 browser exploit demoed

Alex Plaskett from MWR Labs has demoed a browser exploit in the pre-Mango Internet Explorer which, in combination with vulnerable code in HTC’s drivers, can result in full kernel-mode access. That access can be used to install rootkits, eavesdrop on a user or, of course, jailbreak the device.

Interestingly, the browser vulnerability by itself still does not allow full access to the OS, as the browser runs with least privileges, hence the requirement for the second vulnerability.

The hack also had to defeat Address Space Randomization and eXecute Never flags.

The Mango update fixes the vulnerability and makes it more difficult to find new ones, but of course no platform is ever 100% secure. However, MWR Labs lay a lot of the blame on OEM code, which they note has many more exploits than Microsoft’s native code. This problem did not go away with Mango.

Alex recently presented the hack at Microsoft’s BlueHat Redmond Security Brief and I am sure Microsoft is already hard at work making the OS more secure, as their recent job postings suggest.
