Microsoft Windows XML flaw exploits test desktop antimalware

By Neil Roiter, Senior Technology Editor, Information Security magazine 24 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Your confidence may be misplaced if you were counting on your desktop antimalware to protect unpatched systems against the recently discovered XML flaw in Internet Explorer, based on tests by NSS Labs Inc..

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The NSS' test results of six business-grade endpoint protection products from AVG, Kaspersky Lab, McAfee Inc., Sophos, Symantec Corp. and Trend Micro Inc. yielded generally poor results for stopping known SQL injection exploits of the flaw.

The attacks were reported in the wild on Dec 11 andMicrosoft issued a patch on Dec. 17. It was the software giant's second release outside of its normal monthly patching cycle in two months. NSS conducted its tests the week of Dec. 15, issuing its findings based on live testing through Dec. 18.

NSS tested the products ability to stop the exploits at any of three stages: first, detecting and blocking the malicious URL; second, detecting and blocking the exploit; and finally, detecting and blocking the malware when it was inserted in the test clients' memory.

"The issue here is really the exploit, rather than the malware that is delivered afterwards," said Rick Moy, NSS Labs president. "There are really only two exploits. After that, the attacker can load up a keylogger, Trojan, or anything they want. The trick is to catch it on [its] way in, before it actually exploits -- and that's what we weren't seeing [it] happen."

Microsoft security news: Microsoft warns of SQL Server zero-day: Code is publicly available targeting an unpatched flaw in SQL Server to gain access to critical files and execute malicious code.  Microsoft issues emergency patch to fix IE flaw: The software giant repaired a dangerous flaw being exploited if a user browses some legitimate websites. Microsoft fixes critical flaws in Office, IE: Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched. Microsoft to embed data classification, strengthen ties with DLP: Microsoft will embed data classification technology into its platform under a deal that ties Active Directory Rights Management Services with RSA's data loss prevention suite.

Only Kaspersky Lab's Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.

Symantec's Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro's Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware's two components, apparently because the attack thwarted its ability to gain the necessary permissions.

Both McAfee's Total Protection for Endpoint and AVG's Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.

NSS turned on the most aggressive detection settings, where possible.

Given the results, NSS recommended that companies patch immediately, even if they do not have time to complete their full testing regime.

While NSS cautions that this was a very narrow test of the ability to block exploits of a new, critical flaw, enterprises often count on vendors' assertions that their products can thwart zero-day attacks by using heuristic and anomaly detection techniques and host intrusion prevention systems (HIPS), since traditional signature-based detection is increasingly ineffective against many Web-borne exploits.

SearchSecurity radio:

"The HIPS part surprised us," said Vik Phatak, NSS chairman and CEO. "Most of these products were not inserting themselves between Internet Explorer, which is tightly tied to the OS and the TCP stack. You'd expect that the HIPS product would catch the exploit before it actually knocks over the browser."

Microsoft responded rapidly to issue a patch, but there is always a necessary lag after the discovery of any flaw. And, most companies rely on rigorous patch testing on their system configurations before general patching. Further, patches sometimes fail, and some systems, typically those of remote users who may not log into the network frequently, remain unpatched for a while.

The test results, though narrow, tend to underscore recent testing by Secunia, which tested the exploit detection ability of a dozen different consumer endpoint protection products. Secunia turned 144 malicious files and 156 malicious Web pages against XP SP2 with missing patches and a number of vulnerable programs. Symantec was tops with only 64 hits; the other products lagged far behind.

Consumer endpoint protection products are generally regarded as more effective than business versions because vendors are justifiably cautious about breaking corporate applications.

Tags: Vulnerability Risk Assessment,  Security Patch Management,  Malware, Viruses, Trojans and Spyware,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Risk Assessment Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? PCI compliance requirement 6: Systems and applications Cybercrime and threat management McAfee to acquire Solidcore Systems for whitelisting Vulnerability Risk Assessment Research Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary