Friday, March 30, 2007

thoughts on IE/outlook extremely criticaly vulnerabilities...

Thinking about IE extremely critical vulnerabilities, from very bad to best
waiting for M$ patch release is a suicide mission
firewall is useless
AV weekly update is very bad
IE is very bad
IPS is nice
content filtering is the best

People look at me as if I am stupid when I say I dont believe in firewall (not that I dont believe in firewall, I think firewall just gives you a false sense of security... which is worse :(

people think I am paranoid when I say dont use IE...

I used to work in (and still work for) a security vendor (I can see the point why "security" people criticize security vendors, but I dont necessarily agree 100% with them :)

I am fortunate enough to get the chance to see wildest nightmare in action... I've seen things that opened my mind and scare shit outta of me... I've seen drive by install in action... exploits that silently install rootkit while simply browsing a suppose to be safe webpage...

You may criticize security vendors, but trust me they (we) know what they (we) are doing (besides making money of course ;)

When I say firewall just gives you a false sense of security I mean, the traditional and not so traditional firewall cannot block attacks using IE related extremely critical vulnerabilities that are unleashed in the wild, like
ANI or VML or the other VML or ActiveX Control Code Execution or CPathCtl::KeyFrame() or createTextRange() or
Windows Metafile (this one affect firefox as well!)

M$ may write any bull shit explaining ...In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability... blah blah... An attacker would have no way to force users to visit a Web site (YEAH SURE)...


Down play the severity of these vulnerabilities and buying time...
Based on strong customer feedback, all Microsoft’s security updates must pass a series of testing processes... blah blah ...Microsoft’s intelligence sources indicate that the scope of the attacks is limited... blah blah

so basically they wont release any immediate patch...

BUT the fact is quite likely that these kind of vulnerabilities are being actively exploited... much easier than you think!

It is a known facts that google top results sometimes directly point your browser to web pages that contain exploits (must read very very good paper written by Dr. Igor G. Muttik of McAfee AVERT Manipulating the Internet)

In the past cracker defaced websites, nowadays, they dont change the visual appearance of webpages, but they insert exploit that silently install rootkits, I've seen popular, suppose to be safe, forum sites that was being cracked and silently installing rootkit... not even the owner of the site was aware....
(just imagine how many forum sites are using PHP...)

In the case of the latest M$ vulnerability, highly trafficked Dolphin Stadium website has been compromised with malicious code, allowing malware being silently installed by simply visiting the site using this IE ani vulnerability ...
The SANS Institute did some investigating into that incident. They posted portions of a response they received from a system admin where it was clear that a remote attacker exploited a SQL injection vulnerability to embed the malicious script. The same script is now serving the ANI file 0-day exploit reported yesterday. Googling the referenced script yields 113,000 results.

... so much for the very limited attacks.

OK, you have an IPS, nice ! (even when some "security" people still think IPSes are useless... I dont agree!) You are pretty much protected IF you updated your IPS & configured properly, best IPS vendors usually release signature updates as soon as they are aware of IE vulnerabilities (including this time for ANI vulnerability),

...but in the case of this ANI vulnerability, outlook is also affected, and in practice you should never ever block emails containing any vulnerability using IPS SMTP signature...

Because of the nature of SMTP, if you drop packet of SMTP session related to email transfer, the MTA will try to resend it again, blocking the mails queue until it sends the suspicious mail that keep being drop by IPS... it case you simply drop SMTP packet without reseting TCP session... dont be surprise if this infinitive cycle will crash a good MTA while trying to send/receive malicious mails (SMTP/TCP resource exhaustion)... hehehe

btw, a silly AV vendor still release weekly signature update, sadly their latest weekly signature was released in 28th March, I am quite sure it does not contain signature to block this ANI exploit...
meaning it takes another 1 week after ANI exploit is disclosed to have protection from an AV vendor weekly update...

Waiting for M$ for a patch is out of the question, if I remember correctly, historically it takes more than 2 weeks for M$ to release patch for extremely critical IE vulnerabilities... basically a suicide mission

Personally I think the best protection against this IE and outlook attacks is to have a good content filtering... content filtering can block attacks against IE and outlook vulnerability... as soon as your security vendor release the signature, within minutes you can be automagically protected without manual intervention... not configuration/patch tests needed... simple, quick, effective, painless... I like that.

PS: standard disclaimer applies... any views or opinions presented in blog are solely those of the author... blah blah...
PPS: I used to work and am still working for the best IPS vendors :-B... I think IPS is very nice to have, if it's properly configure it can help... a LOT.
PPPS: but I am a true believer of web/mail/ftp content filtering... one day I will explain why...
PPPPS: for your own safety avoid using IE and outlook



Post a Comment

Subscribe to Post Comments [Atom]

<< Home