Your confidence may be misplaced if you were counting on your desktop antimalware to protect unpatched systems against the recently discovered XML flaw in Internet Explorer, based on tests by NSS Labs Inc..
The NSS' test results of six business-grade endpoint protection products from AVG, Kaspersky Lab, McAfee Inc., Sophos, Symantec Corp. and Trend Micro Inc. yielded generally poor results for stopping known SQL injection exploits of the flaw.
The attacks were reported in the wild on Dec 11 andMicrosoft issued a patch on Dec. 17. It was the software giant's second release outside of its normal monthly patching cycle in two months. NSS conducted its tests the week of Dec. 15, issuing its findings based on live testing through Dec. 18.
NSS tested the products ability to stop the exploits at any of three stages: first, detecting and blocking the malicious URL; second, detecting and blocking the exploit; and finally, detecting and blocking the malware when it was inserted in the test clients' memory.
"The issue here is really the exploit, rather than the malware that is delivered afterwards," said Rick Moy, NSS Labs president. "There are really only two exploits. After that, the attacker can load up a keylogger, Trojan, or anything they want. The trick is to catch it on [its] way in, before it actually exploits -- and that's what we weren't seeing [it] happen."
Microsoft security news:
Microsoft warns of SQL Server zero-day: Code is publicly available targeting an unpatched flaw in SQL Server to gain access to critical files and execute malicious code.
Microsoft issues emergency patch to fix IE flaw: The software giant repaired a dangerous flaw being exploited if a user browses some legitimate websites.
Microsoft fixes critical flaws in Office, IE: Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched.
Microsoft to embed data classification, strengthen ties with DLP: Microsoft will embed data classification technology into its platform under a deal that ties Active Directory Rights Management Services with RSA's data loss prevention suite.
Only Kaspersky Lab's Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.
Symantec's Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro's Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware's two components, apparently because the attack thwarted its ability to gain the necessary permissions.
Both McAfee's Total Protection for Endpoint and AVG's Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.
NSS turned on the most aggressive detection settings, where possible.
Given the results, NSS recommended that companies patch immediately, even if they do not have time to complete their full testing regime.
While NSS cautions that this was a very narrow test of the ability to block exploits of a new, critical flaw, enterprises often count on vendors' assertions that their products can thwart zero-day attacks by using heuristic and anomaly detection techniques and host intrusion prevention systems (HIPS), since traditional signature-based detection is increasingly ineffective against many Web-borne exploits.
"The HIPS part surprised us," said Vik Phatak, NSS chairman and CEO. "Most of these products were not inserting themselves between Internet Explorer, which is tightly tied to the OS and the TCP stack. You'd expect that the HIPS product would catch the exploit before it actually knocks over the browser."
Microsoft responded rapidly to issue a patch, but there is always a necessary lag after the discovery of any flaw. And, most companies rely on rigorous patch testing on their system configurations before general patching. Further, patches sometimes fail, and some systems, typically those of remote users who may not log into the network frequently, remain unpatched for a while.
The test results, though narrow, tend to underscore recent testing by Secunia, which tested the exploit detection ability of a dozen different consumer endpoint protection products. Secunia turned 144 malicious files and 156 malicious Web pages against XP SP2 with missing patches and a number of vulnerable programs. Symantec was tops with only 64 hits; the other products lagged far behind.
Consumer endpoint protection products are generally regarded as more effective than business versions because vendors are justifiably cautious about breaking corporate applications.