Security Threats: Software Vulnerabilities vs User Decisions

Discussion in 'other security issues & news' started by Rmus, Dec 17, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've long argued that with today's many effective solutions, protecting against malware installing through software vulnerabilities is the easier of the two threats to protect against. The current IE7 exploit is a good example: with a properly secured system, the trojan payload has no chance to install, and is denied entrance by default.

    A comment on another forum:
    The success of social engineering is different matter altogether. From an article posted in another thread:

    http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
    The Quicktime exploit directed at MacOS users is a good example, where links posted on MAC forums led to videos which, when played, prompt for a Codec, which, of course, is malware. The user happily grants Root privileges, and that's that. It is the same with Windows users:

    http://isc.sans.org/diary.html?storyid=3595
    That malware infecting in this manner is becoming more prevalent is pointed out by some researchers, as here:

    Vulnerabilities play only a minor role in malware spread, says researcher
    http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122901&intsrc=hm_list
    One of the more effective exploits uses email, many of which prey upon current events, or entice people to watch pictures of naked movie stars:

    Storm
    http://www.eset.com/threat-center/blog/?p=34

    Another effective attack vector is through Google:

    1) Google Ads Lead to Phony Apps
    http://voices.washingtonpost.com/securityfix/2008/12/google_ads_lead_to_phony_apps.html
    2) Google sponsored links caught punting malware
    http://www.theregister.co.uk/2008/12/16/google_sponsored_links/
    Much misery can be avoided by following Brian Krebs' two tips, which have been part of my policies since starting out using the internet. A good example:

    http://isc.sans.org/diary.html?storyid=5437
    One user policy should be to know how your applications do updates, how to check for the latest version, and knowing the vendor's site URL. I have them keep that information in a file.

    People argue that it is difficult to teach the "average user" good security policies. I disagree. While you can't be responsible for those who won't listen, those who will can benefit from your expertise.

    Once you have secured the user's system to protect against the attack vector provided by possible software vulnerabilites (remote code execution) you can emphasize safe computing habits to include email and downloading, and go from there.

    For the holidays: Adopt a User and teach her/him safe computing habits!


    ----
    rich
     
  2. Dogbiscuit

    Dogbiscuit Guest

    One thing that is unclear is how opening an MS Word document, for example, can automatically result in infection by a trojan file embedded in the document, even if the OS and Applications are completely patched (assuming no "unknown" vulnerability is being exploited).
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    See my post on MSWord exploits:

    https://www.wilderssecurity.com/showpost.php?p=1366882&postcount=5

    As you point out, like any other exploit, if the OS or application is not vulnerable, the exploit fails.

    In some cases, MSWord was not patched during the early days of the exploit, but other security measures in place could block the payload, a trojan file.


    ----
    rich
     
  4. tlu

    tlu Guest

    and from here:
    ... but can be implemented in XP Home, too.

    Rich, you're hitting the nail on the head - as usual :thumb:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    And SRP is also available on VISTA but I'm not sure if all versions.

    ----
    rich
     
  6. tlu

    tlu Guest

    Business and Ultimate.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Rich, I agree totally with you here. It is the first thing one should consider and paramount in my opinion with a system and I think an 'average user' can understand this as part of their computer experience. All the computers here are locked down to how I want them, everything else flows from that.

    :D :)
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I mentioned that I have people keep information about update information for their applications in a file. The written word is more reliable than memory.

    Some other suggestions using the written word:

    The twelve (or so) hints of Christmas.
    http://isc.sans.org/diary.html?storyid=5521
    ----
    rich
     
  9. Dogbiscuit

    Dogbiscuit Guest

    In addition, don't forget programs such as UpdateStar, Sumo, Secunia PSI, and Update Checker that keep track of patches and updates for software.
     
    Last edited by a moderator: Dec 22, 2008
Loading...
Thread Status:
Not open for further replies.