
SANS ISC InfoSec Handlers Diary Blog



Recent attacks and a false sense of security

Published: 2009-07-14
Last Updated: 2009-07-14 14:30:49 UTC
by Swa Frantzen (Version: 1)
7 comment(s)

With the most recent ActiveX vulnerability (CVE-2009-1136, the Microsoft Video ActiveX control) still very fresh and the attacks still evolving out there, reactive protection mechanisms need to update rapidly for such exploits, and as the exploit is quite easy to modify and obfuscate, they have their work cut out for them.

Still, some out there might be lulled into feeling safe and above all of this, e.g.:

  • IPS (or IDS) users might feel their device will protect them. Let's see: will it protect you if the (hacked) website your user visits is served over https? Unless the device terminates the TLS session itself, it never sees the exploit page, so I'd not be convinced at all.
    Yet the link to a Fortinet advisory sent in by Juha-Matti states: "Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this remote code execution vulnerability"
    Hmm. Do set that killbit regardless; it helps much more fundamentally, since it stops IE from loading the control no matter how the exploit is delivered or obfuscated.
  • The same goes for other IDS/IPS vendors and most likely for AV vendors as well. Let's not forget there is a Metasploit module for this, and most of the signature makers I've talked to consider it too hard to write a signature that covers every exploit variant Metasploit can generate.
  • Then there are those of us who simply don't use Windows and/or IE and are hardly surprised that ActiveX is once again an attack vector cutting deep. But let's not forget that other browsers have their vulnerabilities too: a popular exploit site, e.g., mentions a new Firefox memory corruption vulnerability, and Secunia seems to be confirming it as well (thanks for the anonymous reports).

So what would I do in a corporate setting? 

  • Get the killbit set ASAP, on every Windows desktop, not only on the ones you think browse the web.
  • Provide staff up front with a choice of 2 browsers, make sure they know they have a choice (and keep both up to date). This yields diversity, which is a good thing. Most importantly, be ready to forbid and technically block either one as you need to in order to keep them safe should it get out of control anyway. Such a measure can be part of your BCP/DRP.
  • Make sure nobody sees this as a reason not to have things like AV and IDS. They will catch some of it, maybe enough, but even more so because too often the AV on the desktop is the only line of defense (e.g. with encrypted traffic, which the network IDS cannot inspect).
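Setting the killbit means writing the DWORD value "Compatibility Flags" = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} for each affected CLSID (and under the Wow6432Node hive on 64-bit Windows, where 32-bit IE reads it). The PowerShell below is an added example of doing that across a list of CLSIDs and verifying the result afterwards; it is not the diary author's code. The single CLSID in the list is the one commonly cited for msvidctl.dll in Microsoft Security Advisory 972890, given here from memory as an assumption: the advisory lists many more, so confirm and complete the list from the vendor advisory before deploying. Run it elevated.

```powershell
# Added example (not from the diary): set and verify the IE ActiveX kill bit.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under the
# ActiveX Compatibility key; once set, IE refuses to instantiate the control
# regardless of how the exploit page is delivered or obfuscated.

$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node hive, so cover both when present.
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

# Constructed input, assumed from memory: the msvidctl.dll CLSID named in
# Microsoft Security Advisory 972890. Extend with every CLSID the advisory lists.
$Clsids = @(
    '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
)

function Set-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any compatibility flags already present: OR the kill bit in.
    $current = 0
    $existing = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $existing) { $current = [int]$existing.'Compatibility Flags' }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

function Test-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return (([int]$p.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

foreach ($base in $BaseKeys) {
    foreach ($c in $Clsids) {
        Set-KillBit -BaseKey $base -Clsid $c
        if (Test-KillBit -BaseKey $base -Clsid $c) {
            Write-Output "$base\$c : kill bit set"
        } else {
            Write-Warning "$base\$c : kill bit NOT set"
        }
    }
}
```

The verification step matters in a corporate rollout: a deployment tool that reports "success" for the script run says nothing about whether the DWORD actually landed, so read the value back (or query it with your inventory tooling) before declaring the fleet covered.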

--
Swa Frantzen -- Section 66
