Feb 23 2007

Zero-Day Sucker Punch

Diligently downloading fixes on Patch Tuesday isn't enough to protect your network from increasingly frequent zero-day attacks.

When the security vulnerability hasn’t been publicly disclosed or the patch isn’t yet available from the vendor, it adds up to a zero-day attack because there’s no known fix. This makes the vulnerability a prime target for hackers.

An unprecedented rise in zero-day vulnerabilities was one of the top security trends last year — 16 such vulnerabilities were discovered in Microsoft products alone. The most common vectors for zero-day attacks were through Web pages containing malicious code for exploiting Internet Explorer and e-mail attachments containing malicious code for Microsoft Office applications.

Another alarming trend is that zero-day vulnerabilities in Microsoft Office applications are being used for corporate espionage. Attackers are using spear-phishing techniques to single out potential victims within a company and then send them a fraudulent e-mail message, which appears to originate from a trusted contact and includes an attachment containing a malicious file that tries to exploit a zero-day vulnerability in one of the Office applications. In a typical attack, this malicious Office file then runs arbitrary code that installs keyloggers and other data-stealing crimeware on the victims’ computers. Because, in these cases, the malware is not spammed indiscriminately to thousands of users but appears to come from a known contact, it is much more difficult for security software to detect such attacks.

Microsoft generally issues security patches on the second Tuesday of the month — nicknamed “Patch Tuesday” — and it rarely deviates from this custom. One nasty trick used by malicious attackers is to start exploiting zero-day vulnerabilities immediately after Patch Tuesday — sometimes the very next day. This ensures that a vulnerability can remain unpatched, in the wild, until Microsoft’s next patch cycle.

One of the most recent, high-profile zero-day exposures, popularly known as the Windows Metafile (WMF) vulnerability, was in the Windows Graphic Rendering Engine (MS06-001). Security researchers found the weakness after spyware vendors began using it to load their applications on unsuspecting users’ systems. The WMF vulnerability let attackers run arbitrary code on affected systems just by enticing victims to view a specially crafted image file. It was especially insidious because there were many potential exploit vectors, and several versions of Windows were affected by it. This vulnerability was later exploited in a malicious banner advertisement on MySpace.com that infected about 1 million users.

How to Protect Against Zero-Day Attacks

Lock Down Internet Explorer: The majority of zero-day exploits use Explorer as an attack vector, so it is extremely important to secure it to the maximum extent possible.

Restrict User Account Privileges: Upon successful exploitation of most vulnerabilities, arbitrary code runs in the context of the logged-in user. In other words, the exploit can do everything that a user can do but not much more. If a user account is restricted from performing certain actions, that will mitigate or minimize an attack’s impact.

Today, most regular users run Windows with an administrator account. A better approach from a security perspective would be to follow the rule of least privilege and to grant user rights. Users should be allotted only the privileges that they absolutely need. It is a good idea to create a company policy that disallows administrator accounts on most typical users’ systems.

Establish E-Mail Best Practices: Many zero-day attacks use spoofed e-mail that purportedly comes from a known contact and persuades a user to view an attached file that turns out to be a malicious exploit for Office applications.

To prevent such attacks, use digital signatures for e-mail communications as much as possible. Digital signatures can be used to confirm a sender’s identity with a fair degree of certainty. Using digital signatures for e-mail also will help prevent spear-phishing attacks.

Most users know enough to be suspicious of e-mail attachments with executable files. Now, they must also be trained to treat Office file attachments suspiciously — not just attachments from strangers but those that arrive unexpectedly from known contacts, too.

Optimize Security Software: Signature-based antiviruses have trouble detecting malicious code that exploits zero-day vulnerabilities. But in many cases, antiviruses might be able to detect attempts to exploit a vulnerability using existing signatures and heuristics. This makes antivirus apps a required — if not perfect — defense against zero-day attacks.

Host intrusion prevention systems (HIPS) are effective against zero-day attacks because they can detect malware based on its behavior rather than depending on signatures. This leads to a higher probability of detecting even previously unknown malicious code.

Consider Expert Workarounds: When creating a patch for a zero-day vulnerability that is already being exploited in the wild, vendors often suggest workarounds that users can follow to either mitigate the vulnerability or limit its impact. Other independent security organizations and experts might also suggest such workarounds.

Verify That DEP Is Enabled: Data Execution Prevention is a security feature introduced in Windows XP SP2 that protects software from several memory-based exploits such as buffer overflows, for example. A limited software version of DEP comes enabled on Windows XP SP2 and later systems. But, to work properly, DEP requires hardware support. If the processor supports it, then Windows automatically turns on the hardware-based version of DEP.

Most processors now support DEP. But it’s a good idea to verify that DEP is enabled and working.

Set a Default Deny Security Policy: “Default Deny” stipulates that everything not explicitly permitted is forbidden. Follow this rule as diligently as possible while configuring security software and devices, especially firewalls. By doing so, you will reduce your systems’ attack surface.

CEO Takeaway
Because zero-day attacks exploit vulnerabilities for which no solution is available from the vendor, it is harder, although not impossible, to prevent them. To put up a good defense, make sure your IT shop:

• updates vendor patches immediately after they are available, but stays diligent between patches;
• locks down desktop systems by removing or disabling software services and applications that are not in use or used by that end user, which reduces the
attack surface available to hackers;
• follows workarounds suggested by vendors and security experts while waiting for vendors to issue patches for specific vulnerabilities.
S.G. Masood is an internationally recognized Web security researcher for F-Secure (www.f-secure.com), a network security provider in Helsinki, Finland.

aaa 1