Microsoft Windows XML flaw exploits test desktop antimalware

By Neil Roiter, Senior Technology Editor, Information Security magazine 24 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Your confidence may be misplaced if you were counting on your desktop antimalware to protect unpatched systems against the recently discovered XML flaw in Internet Explorer, based on tests by NSS Labs Inc..

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The NSS' test results of six business-grade endpoint protection products from AVG, Kaspersky Lab, McAfee Inc., Sophos, Symantec Corp. and Trend Micro Inc. yielded generally poor results for stopping known SQL injection exploits of the flaw.

The attacks were reported in the wild on Dec 11 andMicrosoft issued a patch on Dec. 17. It was the software giant's second release outside of its normal monthly patching cycle in two months. NSS conducted its tests the week of Dec. 15, issuing its findings based on live testing through Dec. 18.

NSS tested the products ability to stop the exploits at any of three stages: first, detecting and blocking the malicious URL; second, detecting and blocking the exploit; and finally, detecting and blocking the malware when it was inserted in the test clients' memory.

"The issue here is really the exploit, rather than the malware that is delivered afterwards," said Rick Moy, NSS Labs president. "There are really only two exploits. After that, the attacker can load up a keylogger, Trojan, or anything they want. The trick is to catch it on [its] way in, before it actually exploits -- and that's what we weren't seeing [it] happen."

Microsoft security news: Microsoft warns of SQL Server zero-day: Code is publicly available targeting an unpatched flaw in SQL Server to gain access to critical files and execute malicious code.  Microsoft issues emergency patch to fix IE flaw: The software giant repaired a dangerous flaw being exploited if a user browses some legitimate websites. Microsoft fixes critical flaws in Office, IE: Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched. Microsoft to embed data classification, strengthen ties with DLP: Microsoft will embed data classification technology into its platform under a deal that ties Active Directory Rights Management Services with RSA's data loss prevention suite.

Only Kaspersky Lab's Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.

Symantec's Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro's Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware's two components, apparently because the attack thwarted its ability to gain the necessary permissions.

Both McAfee's Total Protection for Endpoint and AVG's Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.

NSS turned on the most aggressive detection settings, where possible.

Given the results, NSS recommended that companies patch immediately, even if they do not have time to complete their full testing regime.

While NSS cautions that this was a very narrow test of the ability to block exploits of a new, critical flaw, enterprises often count on vendors' assertions that their products can thwart zero-day attacks by using heuristic and anomaly detection techniques and host intrusion prevention systems (HIPS), since traditional signature-based detection is increasingly ineffective against many Web-borne exploits.

SearchSecurity radio:

"The HIPS part surprised us," said Vik Phatak, NSS chairman and CEO. "Most of these products were not inserting themselves between Internet Explorer, which is tightly tied to the OS and the TCP stack. You'd expect that the HIPS product would catch the exploit before it actually knocks over the browser."

Microsoft responded rapidly to issue a patch, but there is always a necessary lag after the discovery of any flaw. And, most companies rely on rigorous patch testing on their system configurations before general patching. Further, patches sometimes fail, and some systems, typically those of remote users who may not log into the network frequently, remain unpatched for a while.

The test results, though narrow, tend to underscore recent testing by Secunia, which tested the exploit detection ability of a dozen different consumer endpoint protection products. Secunia turned 144 malicious files and 156 malicious Web pages against XP SP2 with missing patches and a number of vulnerable programs. Symantec was tops with only 64 hits; the other products lagged far behind.

Consumer endpoint protection products are generally regarded as more effective than business versions because vendors are justifiably cautious about breaking corporate applications.

Tags: Vulnerability Risk Assessment,  Security Patch Management,  Malware, Viruses, Trojans and Spyware,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Risk Assessment Are Web application penetration tests still important? McAfee to acquire Solidcore Systems for whitelisting The Pipe Dream of No More Free Bugs Vulnerability test methods for application security assessments Free HP SWFScan tool detects Adobe Flash flaws PCI QSA assurance program penalizes assessors Information security book excerpts and reviews New York drafts language demanding secure code Security experts identify 25 dangerous coding errors Product Review: Shavlik's NetChk Compliance Vulnerability Risk Assessment Research Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Malware, Viruses, Trojans and Spyware How to get rid of malware, botnets on a hospital IT network Should a national cybersecurity strategy include offensive botnets? How to prevent mobile phone spying How can search results lead to malware? How to defend against rogue DHCP server malware New Trojan stealing FTP credentials, attacking FTP websites Cybercriminals exploit Michael Jackson, Farrah Fawcett deaths When BIOS updates become malware attacks Antispyware buying guide for Indian enterprises PCI compliance requirement 5: Antivirus

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary