SANS ISC (SANS Internet Storm Center) diary: Recent attacks and a false sense of security

Recent attacks and a false sense of security

With the most recent ActiveX vulnerability (CVE-2009-1136) still very fresh and the attacks still evolving, reactive protection mechanisms need to update for such exploits rapidly, and since the exploit is quite easy to modify and obfuscate, they have their work cut out for them.

Still, some out there might get lulled into feeling safe and above all of this, e.g.:

  • IPS (or IDS) users e.g. might feel their device will protect them. Let's see: will it protect you if the (hacked) website your user visits is of the https kind? I'd not be convinced at all.
    Yet the link to a Fortinet advisory sent in by Juha-Matti states: "Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this remote code execution vulnerability"
    Hmm. Do get that killbit out there nonetheless; it'll help much more fundamentally.
  • The same goes for other IDS/IPS vendors and most likely for AV vendors as well. Let's not forget there is a Metasploit module for this, and most of the signature makers I've talked to consider it too hard to make a signature for all possible exploits from Metasploit.
  • Then there are those of us who simply don't use Windows and/or IE and are hardly surprised that ActiveX once again is an attack vector cutting deep. But let's not forget other browsers have their vulnerabilities too. A popular exploit site e.g. mentions a new Firefox Memory Corruption Vulnerability, and Secunia seems to be confirming it as well (thanks for the anonymous reports).

So what would I do in a corporate setting?

  • Get the killbit set ASAP.
  • Provide staff up front with a choice of 2 browsers, make sure they know they have a choice (and keep both up to date). This yields diversity, which is a good thing. Most importantly, be ready to forbid and technically block either one as you need it to keep them safe should it get out of control anyway. Such a measure can be part of your BCP/DRP.
  • Make sure nobody sees this as a reason not to have things like AV and IDS, as they will catch some of it, maybe enough, but even more so because too often the AV on a desktop is the only line of defense (e.g. with encrypted traffic).
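As an added example, not code from the diary, here is how the "get the killbit set" step can be scripted: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key, and 64-bit Windows keeps a second copy under Wow6432Node for 32-bit IE. The CLSID used below is a constructed placeholder, not the identifier of the control in this advisory.

```powershell
# Added example: set the ActiveX "kill bit" for a CLSID so Internet Explorer
# refuses to instantiate the control. The kill bit is 0x400 in the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key (KB240797).
# The CLSID below is a placeholder; substitute the control's real CLSID from
# the vendor advisory. Run from an elevated (administrator) shell.

$KillBit = 0x400

function Get-ActiveXCompatPaths {
    # On 64-bit Windows, 32-bit IE reads the Wow6432Node view, so cover both.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $paths
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in Get-ActiveXCompatPaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already present; only OR in the kill bit.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Returns $true only if the kill bit is set in every applicable registry view.
    foreach ($base in Get-ActiveXCompatPaths) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

# Placeholder CLSID (constructed; not the vulnerable control's real identifier).
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-KillBit -Clsid $clsid
Test-KillBit -Clsid $clsid   # $true once the bit is set in all views
```

Test-KillBit is also a quick audit check to run across a fleet once a vendor publishes the CLSIDs to kill.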

--
Swa Frantzen -- Section 66

That is an important point about https and IPS. The one I use has the ability to do a man-in-the-middle of HTTPS using a cert that we issue to all computers as trusted.

I have noticed most exploits now come through https for exactly this reason. A redirect from a standard http website will point to a https server that contains the actual malware. Most IPSes will fail to detect anything unless they are inspecting inside SSL.
Jason

How would providing two browsers to the users improve security? Unless you have a way to force everyone to use one or another, you're just doubling the attack surface while requiring to maintain two platforms instead of one (and I'm not even mentioning all the plugins, addons and other helpers).
Jason
@Jason: take care with obfuscation techniques, encryption is just one of the many challenges for IDS/IPS (and AV) in things like this.

@Stephane: the key is to have that method to enforce the switch if and when you feel it is warranted/needed.
The unpredictable nature also helps in not getting caught and losing it all. Would you rather have half of your users infected twice as often or all of them less often?
Since it's a client (not a server) it's only exposed when used so somebody never using the other browser doesn't really double the attack surface to that user.
There are dozens of ways to block a given browser ranging from simply asking the users to enforcing it via custom signatures in AV, global policies, proxies that refuse service and many more.
Swa
Don't forget YOUR own man in the middle, your web proxy servers that should be inspecting/protecting this traffic as well
Swa
Talking of which......

Mozilla Firefox Memory Corruption Vulnerability

http://secunia.com/advisories/35798/3
Karl
While not perfect, we rely heavily on our IPS. They have a filter available for the vulnerability, but cannot or will not release it until Microsoft pushes the patches. Don't know if that's a case of ethics getting in the way of a layered defense or what.
Dean
So now we have zero-day IE and Firefox vulnerabilities... I guess it is time to consider a 3 or 4 browser approach? :) What are the odds 4 browsers will have an unpatched zero day at the same time?
Dean