Posts tagged ‘Zero Day’

F-Secure on Java

F-Secure generated a lot of traffic in the blogosphere with their post declaring Java harmful and recommending it not be installed on computers. To me the only surprising part is the discussion this generated. Isn’t this old news? The principle of least privilege says to remove it if you don’t need it. So when you’re regularly updating an application for security fixes, it may be time to consider alternatives.

F-Secure links to Larry Seltzer’s month without Java from 2010. Brian Krebs posted a blog article around the same time recommending Java be removed. I couldn’t find an earlier article, but I thought Krebs had been banging this drum for much longer.

Removing software you don’t need certainly lowers the attack surface. At work, I’d caution that you’re likely to find groups of users using Java for internal applications. If you don’t put Java on your system image, they are going to install the ancient version of Java supplied by their application developer. I found a couple of users with Java 1.6.0 update zero. When I removed that and installed the latest Java 1.6, the application still worked fine. If you’re actively patching your environment, having Java installed may not be that bad.

The articles linked mention alternatives such as only allowing Java to run on specific sites. Sometimes I install Java only for use in my non-day-to-day browser. I’m not sure either solution scales into the enterprise, where you have to account for all sorts of computer literacy.

Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 describes a remote code execution vulnerability in IE6 and IE7. Who knew that being on IE5 could ever be a good thing.
The KB says Microsoft released details to vendors in their Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler offers web security in a SaaS model. I would see them competing with Scansafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (Blue Coat). Strangely, I didn’t get email from any of those vendors bragging that they are protecting their customers against this zero day. If they were protecting their customers, would there be any reason not to use it for PR? It’s not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

Unicorn sighting

A few weeks ago my officemate posted to Facebook,

I’ve just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I’m almost certain they were doing the Jedi mind trick hand motions.

As I read that, I figured this was Mac users in our company fighting our policy requiring antivirus for Macs. Certainly antivirus can slow a system. And any software can have vulnerabilities. But this wasn’t about that. No, these were actual honest-to-god responses from Apple support. My officemate wanted to know if this was official policy. So he asked for it in writing. That got him escalated to the next level, where he was apologetically told it was not Apple’s policy that antivirus is unnecessary.

I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year. Unicorns have been spotted: malware for the Mac does exist. Now, to be fair, these examples are largely social engineering. Just because it’s not a zero day doesn’t mean the system isn’t owned. Fake codecs and fake anti-malware aren’t the exclusive province of Microsoft operating systems.

Adobe Shockwave Update

Adobe has released an update for Shockwave to patch security vulnerabilities. A security bulletin was released today.

As usual Adobe is giving enterprise admins the finger by advising that in order to upgrade Shockwave, you must first uninstall old Shockwave versions, reboot and then install the new version of Shockwave. Does anyone actually do that? I don’t know about anyone else, but I try to minimize the disruption of my patching program. Part of that is limiting reboots. I can’t think of another application that makes such unreasonable demands. Fortunately I’ve ignored rebooting while upgrading Shockwave and it hasn’t caused me any major issue yet.

I also wonder where Shockwave fits into Adobe’s security program. If it’s so important that Adobe Reader only be upgraded on a planned quarterly basis, then why isn’t Shockwave updated in the same predictable manner? (BTW, I don’t find it helpful to have all my patches released on the same day. I don’t find it feasible to deploy all these patches at the same time, so some items will not be patched as quickly. When a patch is released (assuming there wasn’t already a zero day) there is a mad dash by the bad guys to reverse engineer the patch, find the vulnerable code, and develop an exploit. So releasing the patches any week other than the second week would be preferable.)

If someone finds a Flash zero day next week, I’m going to think someone declared an unofficial “Month of Adobe bugs”.

Web Security – The Problem

Web security has changed a lot in the past few years. It is no longer good enough to take a desktop antivirus scan engine and scan web content. URL filtering isn’t enough. It is not enough to put HTTP security on your corporate gateway.
The reason it’s not good enough to have an HTTP security gateway should be rather obvious. People go home. People travel. People work at client sites. People work at the Starbucks. An increasingly mobile workforce necessitates a mobile security solution.
URL filtering isn’t enough. URL filtering is reactionary and there are many new sites each day. When a legitimate site is compromised, URL filtering can categorize it as a malware-serving site and block it. But how quickly will the site be rechecked after the malware is cleaned up? Viruses are showing up on otherwise legitimate sites. Sites can be compromised through lack of patching or through SQL injection. In several cases advertising networks have inadvertently included malicious content. Some sites are potentially insecure by design: Web 2.0 sites accept user-provided content with few controls in place. While some URL filtering solutions are better than others, it is an incomplete solution at best.
Some web security solutions are merely URL filtering combined with a desktop antivirus engine. I don’t think I need to rehash the failure of the antivirus engine. But there is better technology. The best web security solutions include zero day protection as more than a marketing term. A web malware scanner looks at the context of the file: the site it’s on, the number of requests for the file, the history. It then runs it through heuristics in a way much more accurate than any desktop heuristic.
The web is a ready avenue of attack. Strengthened defenses against email and network attacks have left HTTP the prime target for attackers.
It’s a good time to be looking at alternative solutions. I think that SaaS web security has hit the sweet spot in what Gartner would call the hype cycle. It’s at that point where you’re still on the leading edge but not on the bleeding edge. I’ll be trying to get a “why SaaS” post out.

Apple Innovations

I usually skip over the Mac versus PC ads, but due to the hazards of watching football live I caught one today.
It was about the hardware innovations of the Mac. Kind of silly, since last time I checked my hardware was from Dell, not from Microsoft.
How about the Mac’s software innovations? Apple went all out with XProtect in Snow Leopard.
Here is Sophos’ writeup:

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

XProtect is invoked.

Unfortunately, if variants of these threats find their way on to your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)

Then you’re sort of out of luck.

- source: Sophos
But hey, you’re not missing that much anyway. This “feature” only scans for the hashes of 2 Mac trojans, according to ZDNet’s Zero Day blog.
Now that is innovation.
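The two limitations in the Sophos quote (the scan runs only for files carrying the com.apple.quarantine extended attribute, and the check itself is an exact hash match against a very short list) are modelled in the Python below. This is an added illustration, not Apple’s or Sophos’ code: the per-application table comes from the quoted list, while the choice of SHA-1, the sample payloads, the signature names and the attribute value format are constructed assumptions.

```python
"""Model of the XProtect behaviour quoted above (added illustration, not
Apple's or Sophos' code): scan only quarantined files, match by exact hash."""
import hashlib

QUARANTINE_ATTR = "com.apple.quarantine"

# Which download paths set the quarantine attribute, per the Sophos list.
# "Finder" stands in for USB keys and network shares.
SETS_QUARANTINE = {
    "Entourage": True, "Safari": True, "Mail": True, "Firefox": True,
    "Thunderbird": True, "iChat": True,
    "Skype": False, "Adium": False, "BitTorrent": False, "Finder": False,
}

# Constructed stand-ins for the two trojan samples; a real list would hold
# hashes of the actual binaries.
SAMPLE_TROJAN_A = b"constructed payload A: not real malware"
SAMPLE_TROJAN_B = b"constructed payload B: not real malware"


def file_hash(data: bytes) -> str:
    """SHA-1 is an assumption here; the real signature format is not on the page."""
    return hashlib.sha1(data).hexdigest()


# Two-entry, hash-only signature list, matching the "2 Mac trojans" point.
BLOCKLIST = {
    file_hash(SAMPLE_TROJAN_A): "Sample.Trojan.A",
    file_hash(SAMPLE_TROJAN_B): "Sample.Trojan.B",
}


def xattrs_after_download(app: str) -> dict:
    """Extended attributes a file ends up with when `app` wrote it to disk.
    On a real Mac you would read them with `xattr -l <file>`; here the dict
    is constructed from the table above and the value format is made up."""
    if SETS_QUARANTINE.get(app, False):
        return {QUARANTINE_ATTR: f"0001;00000000;{app};"}
    return {}


def xprotect_like_verdict(data: bytes, xattrs: dict) -> str:
    """'not-scanned' when the quarantine flag is absent, otherwise
    'blocked:<name>' on an exact hash match, or 'clean'."""
    if QUARANTINE_ATTR not in xattrs:
        return "not-scanned"
    name = BLOCKLIST.get(file_hash(data))
    return f"blocked:{name}" if name else "clean"


def coverage_report(data: bytes) -> dict:
    """Verdict for the same bytes arriving via every application in the table."""
    return {app: xprotect_like_verdict(data, xattrs_after_download(app))
            for app in SETS_QUARANTINE}


if __name__ == "__main__":
    for app, verdict in coverage_report(SAMPLE_TROJAN_A).items():
        print(f"{app:12} {verdict}")
    # A variant of the sample (any changed bytes) no longer matches the list,
    # which is why Sophos says "variants of these threats" are not covered.
    print("variant      ", xprotect_like_verdict(SAMPLE_TROJAN_A + b"\n",
                                                 xattrs_after_download("Safari")))
```

Running it shows the same bytes blocked when they arrive through Safari or Mail and never examined when they arrive through Skype, Adium, BitTorrent or the Finder; a quarantined file that differs from the listed hashes by any byte is reported clean. That gap is what a real-time antivirus engine, which scans on access regardless of how the file got there, is meant to close.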

Evaluating HTTP Security Solutions

While trying to evaluate an HTTP security solution I’ve been trolling for viruses by browsing Google Top Trends.
The vendor advertising their zero day protection detects the virus even when VirusTotal has only one scanner detecting it (and not one used by this vendor). So they are showing off their zero day protection rather well. The problem I have is that the incumbent solution, which would not have detected the virus with AV, was able to block the site completely with URL filtering.
I normally don’t think too much of URL filtering as protection anymore. Malware can be on legitimate sites. New sites that aren’t categorized come online. But for my extremely small sample set, it’s actually providing the same level of protection.

Flash Zero Day

I wrote about a Flash zero day yesterday.
It’s important to note that while it may be possible to disable Flash (and other multimedia) content inside of Adobe Reader PDFs (in fact that may be the default setting; it’s not clear to me) (this setting has no effect), the attack has been seen as straight Flash on websites. You’d only be mitigating against one attack vector.
Symantec’s writeup is here.
Adobe has updated their security advisory.
One mitigation listed is to “Delete, rename, or remove access to the authplay.dll.” At the time of this blog entry, Adobe did not say what side effects this would have.
Updates for Adobe Flash are expected by July 30th for Windows, Mac and Linux. Updates for Solaris are pending. Updates for Adobe Reader and Adobe Acrobat are expected by July 31.
I just started the process for updating Adobe Shockwave. Looks like Adobe is keeping me busy.
Keep an eye on that Adobe Security Advisory link as well as http://blogs.adobe.com/psirt/

Flash zero day

iDefense has seen a Flash zero day exploit within a PDF file during a recent zero day attack investigation.
It’s hard to believe that at one point in time PDF files were considered safe.

SmartDraw and Office 2007

I received a bit of unsolicited commercial email from SmartDraw that claimed I can get the benefits of Microsoft Office 2007 without the costs and headaches of upgrading. In smaller type they claimed that the biggest improvement in Office 2007 over previous versions is the new graphic and drawing tools, and that you can buy their product and get those graphics improvements without upgrading Office.
I wonder how many people would agree with their premise. For me, I hadn’t noticed changes in graphics, but as a security guy I think Office 2007 is a great security update. While many of the improvements have been backported to Office 2003 in Service Pack 3, 2007 is still safer, as seen in the latest PowerPoint zero day.
I’m also pretty happy with Outlook since the Feb 2009 update.
Paying $80-200 for SmartDraw so you can stay on a 5 year old version of Office just doesn’t seem like such a good plan.