Sunday, January 6, 2008

Zero Day Exploits in 2007: Security Lessons Re-learned

I made a search for zero-day exploits affecting different systems from eEye, Secunia, FrSIRT, and US-CERT. I was not surprised to see Windows software leading the list of vulnerable software (it is the most popular platform after all, and older versions, XP and earlier, are not very secure). However, I was more interested in knowing about the mitigating factors, since my basic interest is in knowing how to remain unaffected by security issues. I was especially interested in finding out if any novel attack vectors had been employed that would make all forms of security redundant!
I was not at all surprised by the answer.
But first things first: which software was affected? There were two exploits for QuickTime, one for RealPlayer, one for Winamp, two affecting Yahoo! Messenger, one affecting MSN Messenger, one affecting telnet on Solaris, four affecting Windows, three affecting Microsoft Office, and one dealing with Internet Explorer. Thus, there were zero-day exploits for media players, instant messengers, remote backup devices, office suites and operating systems. I will be dealing with the exploits for desktop clients only.
Now, how did the attacks take place?
I) Media Players: The vulnerabilities in QuickTime and Winamp required users to be tricked into going to a malicious site and either clicking on streaming media or downloading media and playing it on the computer. The RealPlayer vulnerability was in the ActiveX control.
Security lesson re-learned: Do not follow links in your e-mail, do not play media from unknown sites, and do not download media from unknown or disreputable sites. If you do find a site which looks safe and interesting, look around and search Google, Yahoo! or Ask for recommendations. Avoid using ActiveX as far as possible.
II) Instant Messengers: Two of the vulnerabilities (one in Yahoo! Messenger, one in MSN Messenger) affected the user only if he or she accepted a webcam invite from the attacker. Another vulnerability was in an ActiveX control and needed users to be tricked into viewing specially crafted HTML files.
Security lesson re-learned: Do not trust any strangers, and be very careful who you chat with. Do not follow unknown links. Further lesson: Avoid using ActiveX.
III) Office Suites: All of them took place only when users opened a malicious document in MS Office.
Security lesson re-learned: Do not open files given by unknown entities. Useless advice for those whose work depends on getting documents from unknown persons, like publishers.
IV) Operating Systems:
i) Windows .ANI Bug: The user has to be tricked into going to a malicious website or opening a malicious document or mail. While opening the mail in plain text with Outlook 2003 mitigates the vulnerability, opening the mail even in plain text in Outlook Express does not.
Disheartening Security Lesson: YOU MAY BE PWNED ANY DAY. REALLY. UNLESS YOU HAVE ADDITIONAL LAYERS OF SECURITY LIKE PROTECTED MODE IN VISTA, IN WHICH CASE THE ATTACKER WILL HAVE READ PERMISSION, BUT NO WRITE PERMISSION ON YOUR SYSTEM.
ii) Microsoft URI Handling flaw: Allows for drive-by exploitation on XP using an amazing array of software. Comment: See Security Lesson Above!
iii) Macrovision secdrv.sys Local Privilege Escalation: On Windows XP and 2000. The attacker needs to be a local user or a remote attacker already having login access to the system.
Security Lesson re-learned: Beware the insider on networked systems. 
iv) Solaris telnet: Remote attackers can auto login as root if the telnet daemon is running as root.
Comment: Platforms do not matter if insecure applications are used. (I know this is not a desktop application, but have added it just to make this point)
V) Internet Explorer and Outlook Express: i) Vector Markup Language integer overflow vulnerability ii) DHTML Object memory corruption vulnerability: These need the user to go to a malicious website or open an HTML e-mail or attachment.
Security lesson re-learned: Open messages only in plain text. See point I). If you have to use Internet Explorer, harden it.

Almost all of these exploits allow the attacker to take over the computer through arbitrary code execution in the context of the logged-in user. Thus, limited accounts will prevent these attacks from taking over the entire system. However, that is scant consolation for the user, as his or her useful data will still be at risk. If the intrusion is detected early enough, however, the data may be saved by logging out, logging in as administrator, and transferring the user data into a new account.

Final Conclusion: If the user follows basic security rules, he or she will be safe against the majority of the vulnerabilities on the web, even if they are zero-days. Hardening of the browser and very limited usage of ActiveX is essential. However, there are some vulnerabilities against which protection is very difficult. In these cases, operating systems with an additional layer of security, like Protected Mode on Windows Vista, or even better, AppArmor or SELinux on Linux, will certainly help.
For persons or companies whose work depends on getting documents or files from other persons, and constantly interacting with the unknown world, the workarounds are very few. Virtualization is a compelling option in this case.
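
The extra layer named in the conclusion above only helps if it is actually enforcing: SELinux can be installed but permissive, and AppArmor can be enabled while the browser or media player has no enforcing profile. The following is an added example, not part of the original post, that reports that state on a Linux host; the function name `mac_status` and its optional ROOT argument (used to point the check at a constructed directory tree) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report whether a mandatory access control (MAC) layer is
# really enforcing. ROOT defaults to "/"; it exists only so the function can
# be exercised against a constructed directory tree.
#
# mac_status [ROOT] [PROFILE]
# Prints exactly one line:
#   selinux:enforcing | selinux:permissive
#   apparmor:enabled            (no PROFILE given)
#   apparmor:<mode>             (mode of PROFILE, e.g. enforce or complain)
#   apparmor:unconfined         (PROFILE is not loaded at all)
#   none
mac_status() {
    root=${1:-/}
    prof=${2:-}
    root=${root%/}          # "/" becomes "", so paths below stay absolute

    # selinuxfs is only mounted when SELinux is enabled in the kernel.
    se="$root/sys/fs/selinux/enforce"
    if [ -r "$se" ]; then
        case "$(cat "$se")" in
            1) echo "selinux:enforcing" ;;
            *) echo "selinux:permissive" ;;   # logs denials, blocks nothing
        esac
        return 0
    fi

    # The AppArmor module exposes "Y" here when it is active.
    aa="$root/sys/module/apparmor/parameters/enabled"
    if [ -r "$aa" ] && [ "$(cat "$aa")" = "Y" ]; then
        if [ -z "$prof" ]; then
            echo "apparmor:enabled"
            return 0
        fi
        # Loaded profiles are listed as "<name> (<mode>)", one per line.
        # Reading this file normally requires root.
        list="$root/sys/kernel/security/apparmor/profiles"
        mode=$(awk -v p="$prof" \
            '$1 == p { gsub(/[()]/, "", $NF); print $NF; exit }' \
            "$list" 2>/dev/null) || mode=
        echo "apparmor:${mode:-unconfined}"
        return 0
    fi

    echo "none"
}

# Check the live system; pass a profile name as the second argument.
mac_status "${1:-/}" "${2:-}"
```

A result of `selinux:permissive`, `apparmor:complain` or `apparmor:unconfined` means the application that opens untrusted media or documents is not being contained, whatever is installed.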

Your thoughts?
N.B.: I have searched for the zero-day exploits as well as I could. However, it is quite possible that I may have missed some. You are welcome to inform me about any that I have missed.
