Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

Microsoft Patch Tuesday Reminds Us How Vulnerable PCs Are

by Eirik Iverson, Product Management

The highly critical patches to Microsoft Excel, Internet Explorer, Visual Basic ActiveX, Word, and Windows Media Player from the week of 8 December represent attack vectors that could have been used to penetrate and hijack our PCs on any given day before the patches were applied. These are complex applications! So, we have not seen the last of such patches. Which raises the question: what are you doing to protect your interests from the vulnerabilities revealed in tomorrow’s patches?

All software is developed by imperfect programmers. So, any application that processes files or data from the outside represents a potential attack vector. We mustn’t trust the software that runs on our computers!

A common refrain from security experts is to run PCs in non-admin mode. This makes it harder, but not impossible, for malware to implant itself and/or steal information.

There’s a term I’d like to propagate that some of us call user-space. In technical terms, it is the user’s profile directory in the Windows file system, and it looks like C:\Documents and Settings\user_login_name.

In here one finds “My Documents” and “Desktop”. In here, end-users without admin rights can install and run software that would make enterprise IT administrators cringe. In here, an exploited application vulnerability (e.g., the Internet Explorer vulnerabilities being patched this week) can “drop” a malicious executable without the end-user knowing. On top of that, the attack adds a registry entry (e.g., under the HKCU Run key) that causes the malicious executable to launch automatically every time Windows starts. And for good measure, every time a USB thumbdrive is inserted, malware gets added to it to spread the malware joy. Even more fun can be had by using your instant messenger or any number of other applications to infect your peers’ machines.
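The two ingredients described above, an executable dropped into the profile directory plus an autostart entry under the per-user Run key, leave a pattern a defender can audit for without admin rights: a Run value whose target lives in user-space. The script below is an added example, not code from the original post. It parses a constructed text export in the style of `reg export` output (the key path is the standard Windows location; the value names and paths are invented) and flags autostart entries whose executable sits under a user-writable profile root. On a live Windows host the same values would be read from the Run key with the `winreg` module.

```python
"""Audit per-user autostart (HKCU Run) entries for executables that live in
user-space, i.e. inside the user's own profile directory.

Added example, not part of the original post. The input is a constructed
.reg-style export; the key path is the real Windows location, the entries
are invented for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on a `reg export` of the per-user Run key.
# Two of the four entries point into the user's profile directory.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MessengerTray"="C:\\Program Files\\Messenger\\msgtray.exe /background"
"UpdaterSvc"="\"C:\\Documents and Settings\\jdoe\\Application Data\\updater.exe\" -q"
"Notes"="C:\\Documents and Settings\\jdoe\\My Documents\\notes.exe"
"Sound"="C:\\WINDOWS\\system32\\sndvol32.exe"
'''

# Profile roots that are writable without admin rights
# (the XP-era layout named in the post, plus the later C:\Users layout).
USER_WRITABLE_ROOTS = (
    "c:\\documents and settings\\",
    "c:\\users\\",
)


@dataclass
class RunEntry:
    name: str      # registry value name
    command: str   # full command line stored in the value
    target: str    # executable path extracted from the command line


def extract_target(command: str) -> str:
    """Return the executable path from a Run command line.

    A quoted path is taken verbatim. Otherwise the line is cut after the
    first '.exe' token, because unquoted paths containing spaces are common
    in this key and splitting on whitespace would truncate them.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r'(.+?\.exe)(\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_run_entries(reg_text: str) -> list[RunEntry]:
    """Parse the "name"="data" lines of a .reg export into RunEntry objects."""
    entries: list[RunEntry] = []
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue  # header, key path or blank line
        name, data = m.group(1), m.group(2)
        # .reg exports double backslashes and escape embedded quotes; undo both.
        command = data.replace("\\\\", "\\").replace('\\"', '"')
        entries.append(RunEntry(name, command, extract_target(command)))
    return entries


def in_user_space(path: str) -> bool:
    """True when the executable resides under a user-writable profile root."""
    p = path.lower()
    return any(p.startswith(root) for root in USER_WRITABLE_ROOTS)


def flag_user_space_autostarts(reg_text: str) -> list[str]:
    """Names of Run entries whose target executable lives in user-space."""
    return [e.name for e in parse_run_entries(reg_text) if in_user_space(e.target)]


if __name__ == "__main__":
    for entry in parse_run_entries(SAMPLE_REG_EXPORT):
        verdict = "USER-SPACE" if in_user_space(entry.target) else "ok"
        print(f"{verdict:10} {entry.name}: {entry.target}")
```

The executable's location, not the value name, is the signal: an attacker picks the name, but software that legitimately needs to start with the session is normally installed under Program Files or the Windows directory, so anything launching from the profile deserves a look. An administrator running the same check with elevated rights would also cover the machine-wide HKLM Run key.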

So, if you have a personal firewall on every PC, do the malware makers care? No. What about antivirus or anti-spyware security software? Less and less, actually; I’m referring to signature-only tools. Does disk encryption help? No. Most PCs are grossly unprotected.

Some PCs with host intrusion prevention system (HIPS) software are far less protected than their users or administrators realize. HIPS products are complex and burdensome. The vendors try to simplify the user experience by offering low, medium, and high modes. Naturally, most deployments are in medium mode. But that leaves people with a false sense of security.

I’ve personally seen HIPS products block zero-day malware in high mode but fail to do so in medium mode. High mode can be extremely annoying, asking end-users super technical ‘do you want to allow this’ questions. Administrators can spend enormous time fine-tuning these products to spare the end-users. What happens when software is added, updated, or patched? More fine-tuning, false-positive analysis, and regression testing. No thank you!

So, what are you doing to protect your PC from vulnerabilities revealed in tomorrow’s patches?
