Last week, a new exploit technique was disclosed that bypasses a critical Windows security feature, DEP (data execution prevention), as well as an ASLR security enhancement for address space layout randomization.
In the article, “New exploit technique nullifies major Windows defense,” some researchers worry that a proof-of-concept code published by Google security software engineer, Berend-Jan Wever, could actually lead to more successful attacks against Microsoft’s newer operating systems.
While Wever claims the proof-of-concept doesn’t do any harm because it’s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, MicroTrend’s Ria Rivera wrote in the company’s malware blog that the exposure could be used to further enhance exploits, and expects to see it used within exploits soon.
“After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”
With so many data compromises arising from the latest disclosed vulnerability it seems so clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place whether these applications were added by a user or by malicious code exploiting a security hole.
Yesterday, I sat in the RSA panel titled, “Cyber Security: An Arms Race.” It was an interesting panel because, of course, cyber security is an arms race. One of the recurring comments from the audience was centered around, “Who should be responsible for defending our networks?” This is a question that has been debated for some time now. The answer kept leading back to government and compliance. However, members of the audience did not realize that one of the fundamental axioms of computer security is: Compliance does not mean secure.
We are familiar with the above statement. We all know that security compliance may increase security, but not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, common criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks causing over $100 million in cleanup costs.
A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.
Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today’s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive. Application whitelisting is the proactive solution against today’s threats and must become the cornerstone of any security strategy.
In a month known for love, February was filled with more heartbreaking stories of security problems and problematic fire drill patching. Is it me, or does it seem like everybody’s experiencing security compromises stemming from patching flaws and vulnerabilities within their system? Instead of resulting in more secure networks, what these and other recent stories point out is that malware only highlights the fact that existing desktop security isn’t working properly. Check out some of the top stories from February 2010.
Security patches cripple Windows XP computers
Windows customers were up in arms over a Microsoft security patch that left their PCs locked down with the notorious Blue Screen of Death. This was yet another glaring example of the problems organizations experience when rolling out patches quickly. ( Read More… )
There is no question that cyberspace is a new frontline in traditional and untraditional conflict. Many nations and organizations have the ability, directly and by proxy, to target and attack critical infrastructure within the US and worldwide. The recent cyber attacks launched within China against Google and several other companies raised questions about the state of industry preparedness to help defend cyberspace.
The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide. ( Read More… )
Growing evidence suggests that a rootkit infection was *one* of the culprits behind last week’s Blue Screen of Death incident that caused countless Windows PCs to lock down after installing several Microsoft security patches. While many follow-up articles have focused on the malware infection that caused the problem, including Robert Westervelt’s SearchSecurity.com article, “Windows blue screen may be result of rootkit infection,” from an endpoint security standpoint, most seem to be missing the point. And that point is even though malware may be causing this problem, rushed patching is a process that can always cause problems. ( Read More… )
Most recent comment:
Greg Newman
"What these recent stories point out is that malware infections on these devices only highlights the fact that existing desktop ...