Zero Day Protection with Privilege Management

-

Have you used Internet Explorer to visit a malicious website recently? Have you used Internet Explorer to visit any website lately? How do you know for sure that you are not infected? On September 17, 2012 a zero-day vulnerability for Internet Explorer versions 6-9 was reported affecting everything from Windows XP to Windows 7 and Windows Servers. Zero-day vulnerabilities are a common fact of life, but the same old approaches to protection continue to be insufficient. Let’s discuss this vulnerability and how privilege management can mitigate the impact.
In the case of this zero-day vulnerability, a malicious website can be crafted then unsuspecting victims can visit it with Internet Explorer only to be exploited. Once exploited, security software can be disabled, files are downloaded or malicious software is installed so that system can be reused as a zombie or SPAM relay.
Traditional endpoint security technologies often struggle with zero-day vulnerabilities as there is no signature for a virus that is not known, the heuristics for malicious behavior may not be known preventing intrusion prevention from blocking the behavior, and firewalls won’t block a process that is initiated by the end user as is the case with browser vulnerabilities. Now in the case of this Internet Explorer vulnerability, heuristic signatures were created by the end of the day (September 17, 2012) that the vulnerability was publicly disclosed, but many media sources have discussed exploits in the wild. Who knows how long such vulnerability has been available to the hacker underground, but it has been known to be used since September 14, 2012.
Privilege management is simply running users and applications with least privileges necessary to compute. Historically, all Windows users have run with administrator accounts which leaves the door wide open for malware to do maximum damage against those systems. A simple mitigating factor is running with a standard user account or reducing the privileges of commonly exploited applications so that damages are minimized. Running as a standard user is easy to accomplish although many applications need privilege elevation to function via a solution such as Arellia Application Control Solution. Likewise, the ability to reduce an application’s running privileges cannot be accomplished with Windows alone.
In the case of this zero-day vulnerability, we ran tests using Rapid 7’s Metasploit to see what would happen in different privilege states. Using Metasploit, we created a malicious URL using the module for this vulnerability and accessed it from Internet Explorer. In a real world, this link might be a link to the latest headline in an e-mail, a malicious ad served through a legitimate website via an ad network, or any other social engineering to get someone to click on the URL.
Administrator Account
Most of the world is running with Windows administrator accounts and in this case it was game over. Using Metasploit, I targeted Windows XP with Internet Explorer 8 and it was easily exploited allowing me to download files, upload applications, run a VNC session, and crack passwords. There was more that could have been done, but I stopped there.  In the case of the Metasploit toolkit, a process called notepad.exe was created running as the same administrator account which accessed the malicious webpage. This process gave me the ability to do all the bad things.
Limited or Standard User Account
There are many protections for Windows by simply running as a standard user. When accessing the malicious URL as a limited user, the same notepad.exe process was spawned, but in this case it was running as the standard user that accessed the malicious web page. Using Metasploit, files could still be downloaded, but nothing could be uploaded to the file system. I was still able to run a VNC session. This falls in line with the rights of a standard user. The system was still vulnerable to data loss, but deeper infection or system modification was difficult to achieve.
Reducing Internet Explorer Privileges Using Arellia Application Control Solution
Taking things a step further, we applied a policy using Arellia Application Control Solution to reduce the privileges of Internet Explorer when logged in as an administrator. In this case, the malicious notepad.exe process was not able to spawn; thus, no data loss or further intrusion. Of course, one might ask what limitations there are with a browser running with reduced privileges. I was able to browse any website without issues. I was not able to install Adobe Flash Player from the browser when I need to access a video, but when running as a an administrator, I downloaded the Flash Player installer, ran it as an administrator and it installed perfectly allowing me to go back to Youtube and watch videos. The same limitation occurred with Silverlight and Java both of which could be installed by downloading the installer and running with administrative rights. ActiveX controls could not be installed, but this could be enabled using an additional Arellia Application Control Solution policy.
So the end effect is my browser was better protected with reduced rights using Arellia Application Control Solution and the only impact was I couldn’t install plugins from the browser (although we could create policies to make this possible). This is a reasonable tradeoff for protection against zero-day vulnerabilities.
Summary
So what does this all mean to the average enterprise? Most organizations have their users running with administrator accounts. There were at least 3 days between known exploitation of this vulnerability and the release of Intrusion Prevention signatures for major endpoint security suites to identify malicious behavior. What could happen in 3 days? Disable security software, steal data, and insert additional malicious software into the system to further access the organization. 3 days is enough to do a lot of damage.
Running as a stand user was a big improvement although it still opens the system up to data loss. Running Internet Explorer with reduced privileges limited malicious process from being launched allowing further evil from occurring. My browsing experience was exactly the same with some small differences when it came to installing plugins. And most importantly, I did this with an administrator account so I didn’t have to do anything else.
This is just an example using Internet Explorer, but zero day vulnerabilities for Adobe Reader, Adobe Flash, Microsoft Office, and other browsers will result in the same problems.
So, why are you still running with administrator rights?

for more updates join us :Facebook

Comments

Post a Comment

Popular posts from this blog

AntiCloud Trojan Reverse Engineering Analysis

-
Image
Introduction In this paper we are going to talk about the Anticloud Trojan, also know as the  TrojanDropper:Win32/Bohu.A and  B  variant. This malware originated in China and was designed to target the Cloud-Based Technology of major Chinese AntiVirus Vendors. For this reason, Bohu has also been called  AntiCloud Trojan . This is the first malware to specifically target cloud based technologies and will likely set a trend. As more corporations and governments move applications and services into the cloud, it will become an increasingly important target for malware developers. We can expect sophisticated malware that attacks clients and embeds itself into cloud-based apps, potentially without the user being able to determine that the cloud-based service is compromised. This trojan presents some interesting features, such as: Hash Check Evasion. Packet Interception via NDIS Filter. Cloud-Servers Access Lock via SPI network filter in order to Bypass antivirus Detection. So
Read more

SQL Injection: The Equal Opportunity Vulnerability

-
Image
Introduction In the  first installment of this series , we discussed application security within the Software Development Process by demystifying the adoption of security controls within the development organization. We also took a deeper dive into identifying potential vulnerabilities based on threats to attack surfaces exposed to the application, a process known as threat modeling. In this installment, we are going to take a technical dive into specific vulnerabilities that can be used to compromise the attack surfaces and discuss what is arguably one of the most prevalent attacks to applications and inflicts the most exposure of sensitive data: SQL Injection. Injection attacks attempt to infiltrate an application by injecting malicious content into the application through available input channels. Input channels can be in the form of form fields, uploads, 3 rd  party API, data access channels, configuration files, input files: essentially, any point at which the application r
Read more

Secure Sockets Layer (SSL)

-
Image
Secure Sockets Layer (SSL): How It Works What Happens When a Browser Encounters SSL > A browser attempts to connect to a website secured with SSL. > The browser requests that the web server identify itself. > The server sends the browser a copy of its SSL Certificate. > The browser checks whether it trusts the SSL Certificate. If so, it sends a    message to the server. > The server sends back a digitally signed acknowledgement to start an SSL encrypted session. > Encrypted data is shared between the browser and the server. Encryption Protects Data During Transmission Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by create a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, th
Read more