Configuring for security in a world of 0-days
Last month, Microsoft published two separate notices of 0-day vulnerabilities that were being used in the wild to attack Microsoft products. The first flaw is in a code library for the TIFF graphic format parser and was fixed in the December patch bulletin. The second is in Internet Explorer, and the attack vector is malicious webpages; no patch was released this month, but Microsoft is working on one that we can expect soon.
Until they are fixed, vulnerabilities of this type remain exploitable, but there are configurations that can be applied to limit the damage. Nor are these the first 0-days of the year: vulnerabilities were detected for Internet Explorer in January, May and September, for Oracle’s Java in January and March, and for Adobe’s Reader in February.
Zero-day vulnerabilities are code flaws that are being exploited by attackers in the wild but for which no patch is available. It often takes the vendor, in this case Microsoft or Oracle, another patch cycle, i.e. over 30 days, to release an official fix. Organizations are not defenseless in the meantime: they can configure their systems for maximum resistance to the attacks.
In each of the recently released 0-day security advisories, Microsoft informed users that computers with EMET configured are protected against the attacks in their present form. EMET stands for Enhanced Mitigation Experience Toolkit and is an additional security tool, freely downloadable from Microsoft’s website. It provides a kind of “straitjacket” for Windows programs: it applies exploit mitigations such as DEP, mandatory ASLR and export address table filtering to the programs registered with it, watches for the tell-tale behavior of exploits and terminates a program that exhibits it.
Abnormal behavior such as heap spraying or manipulation of exception handlers is often a sign of the early stages of an attack and should be investigated and blocked. The newest version of EMET added an audit-only (alert-only) capability, which should make it easier for IT administrators to roll EMET out across a large installation.
Alert-only mode lets IT admins run EMET in monitoring mode to find legitimate applications on the organization’s workstations that would trigger a mitigation and be terminated under normal mode. Those applications can then be investigated and, if necessary, given exceptions.
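The rollout described above, as an added example that is not part of the original post or of EMET itself: a PowerShell script that enables the system-wide mitigations, registers the programs that parse attacker-controlled input, and shows how an exception is applied once audit mode has identified a misbehaving application. The EMET install path, the application paths and the exact EMET_Conf.exe switches are taken from the EMET 4.x command-line help and are assumptions for this example; audit-only mode itself is selected in the EMET GUI or through its Group Policy template rather than on this command line.

```powershell
# Added example (not from the original post or from Microsoft's EMET
# documentation): configure EMET 4.x from the command line.
# Install path and application paths are assumptions; adjust to your build.
$emetConf = "C:\Program Files (x86)\EMET 4.1\EMET_Conf.exe"

# System-wide mitigations: DEP and SEHOP always on, ASLR for opted-in apps.
& $emetConf --system DEP=AlwaysOn SEHOP=AlwaysOn ASLR=ApplicationOptIn

# Per-application mitigations for the programs that handle untrusted input:
# browser, PDF reader, Java, Office. "--set <path>" enables all mitigations
# for that executable; EMET matches on the process image path.
$apps = @(
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    "C:\Program Files\Internet Explorer\iexplore.exe",
    "C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe",
    "C:\Program Files (x86)\Java\jre7\bin\java.exe",
    "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE"
)
foreach ($app in $apps) {
    if (Test-Path $app) {
        & $emetConf --set $app
    } else {
        Write-Warning "Not installed, skipping: $app"
    }
}

# Exception found in audit mode: a hypothetical line-of-business tool that
# legitimately trips the EAF mitigation. Re-register it with EAF switched
# off ("-EAF") rather than leaving it unprotected altogether.
$lobTool = "C:\Program Files (x86)\Contoso\LobTool\LobTool.exe"   # placeholder
if (Test-Path $lobTool) {
    & $emetConf --set $lobTool -EAF
}

# Confirm what is now protected, and with which mitigations.
& $emetConf --list
```

Run the script elevated on a reference workstation first, leave EMET in audit mode for a few weeks while collecting the event log entries it writes, and only then switch the exploit action to "stop program" for the fleet. The list of executables should mirror the applications that your organization actually exposes to documents and webpages from the outside, not the five guessed here.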
For Oracle’s Java there are similar recommendations for secure configuration. The known attack vectors use the Java “applet” mechanism, so the easiest way to counter them is to prevent Java from running in the browser at all by disabling the browser plugin.
If applets are required for business applications, IT administrators can look for a whitelisting solution that lets applets run only on the sites the business needs. Microsoft’s Internet Explorer supports this type of whitelisting through its “Zone” mechanism: prohibit Java in the “Internet” zone and allow it in “Trusted Sites,” which limits the organization’s attack surface to sites that have a legitimate business need for Java applets.
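The zone-based whitelisting just described, as an added example that is not part of the original post: a PowerShell script that disables Java in the Internet and Restricted zones, permits it only in Trusted Sites, and assigns one business host to that zone. The registry values are Internet Explorer’s documented zone settings (value 1C00, “Java permissions”); the host name is a placeholder for this example.

```powershell
# Added example (not from the original post): allow Java applets only in
# the Trusted Sites zone of Internet Explorer. Writes the current user's
# settings; the trusted host name is a placeholder.
$zones   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# Value 1C00 ("Java permissions"): 0 = Disable Java, 0x10000 = High safety,
# 0x20000 = Medium safety, 0x30000 = Low safety.
$JavaDisabled   = 0
$JavaHighSafety = 0x10000

# No Java for anything reached through the open Internet or Restricted zone.
Set-ItemProperty -Path "$zones\3" -Name "1C00" -Value $JavaDisabled -Type DWord
Set-ItemProperty -Path "$zones\4" -Name "1C00" -Value $JavaDisabled -Type DWord
# Java permitted, at high safety, only for sites explicitly placed in Trusted Sites.
Set-ItemProperty -Path "$zones\2" -Name "1C00" -Value $JavaHighSafety -Type DWord

# Assign the one host that really needs applets to the Trusted Sites zone (2),
# and only over https, so a spoofed http page cannot inherit the permission.
$trustedHost = "erp.example.com"   # placeholder business application host
New-Item -Path "$zoneMap\$trustedHost" -Force | Out-Null
Set-ItemProperty -Path "$zoneMap\$trustedHost" -Name "https" -Value 2 -Type DWord

# Read back the result so the change can be verified (or audited by a scanner).
foreach ($zone in 2, 3, 4) {
    $v = (Get-ItemProperty -Path "$zones\$zone" -Name "1C00")."1C00"
    "Zone {0}: Java permissions = 0x{1:X}" -f $zone, $v
}
```

For a fleet you would not write HKCU on each machine by hand: push the same values through Group Policy (the “Site to Zone Assignment List” policy for the host mapping and the per-zone “Java permissions” setting), which also stops users from moving arbitrary sites into Trusted Sites themselves. Note that the Trusted Sites zone relaxes other settings besides Java, so keep the list of hosts in it short and review it regularly.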
For Adobe Reader, most known attacks use JavaScript to set up the environment the exploit code needs in order to execute reliably. If your organization can live without JavaScript in Adobe Reader, disable it on your workstations. Normal PDF functionality such as viewing documents continues to work, but some features in forms might be affected, so how widely this configuration can be applied depends on your organization’s usage profile.
Fast patching of vulnerabilities continues to be the most important cornerstone of a successful security program, protecting workstations both inside and outside the corporate network. But even for vulnerabilities that cannot yet be patched, there are measures that counter the attackers’ attempts, make their lives harder and encourage them to look for other targets.
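Disabling Reader’s JavaScript as described above, as an added example that is not part of the original post or of Adobe’s documentation: a PowerShell script that clears the per-user preference and then locks the setting so a user cannot re-enable it from the Preferences dialog. The Reader version in the key paths is an assumption for this example; the value names are Adobe’s documented preference (JSPrefs\bEnableJS) and lockdown (FeatureLockDown\bDisableJavaScript) keys.

```powershell
# Added example (not from the original post): turn off JavaScript in
# Adobe Reader and lock the setting. The version number is an assumption;
# use the release actually installed on your workstations.
$version = "11.0"

# Per-user preference, the same value the "Enable Acrobat JavaScript"
# checkbox toggles under Edit > Preferences > JavaScript.
$jsPrefs = "HKCU:\Software\Adobe\Acrobat Reader\$version\JSPrefs"
New-Item -Path $jsPrefs -Force | Out-Null
Set-ItemProperty -Path $jsPrefs -Name "bEnableJS" -Value 0 -Type DWord

# Machine-wide lockdown: with bDisableJavaScript = 1 the checkbox is greyed
# out, so the user (or a malicious document's prompt) cannot switch it back on.
$lockDown = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$version\FeatureLockDown"
New-Item -Path $lockDown -Force | Out-Null
Set-ItemProperty -Path $lockDown -Name "bDisableJavaScript" -Value 1 -Type DWord

# Verification helper: returns $true only if both the preference and the
# lockdown are in the hardened state, for use from a compliance check.
function Test-ReaderJavaScriptDisabled {
    $pref = (Get-ItemProperty -Path $jsPrefs -Name "bEnableJS" -ErrorAction SilentlyContinue).bEnableJS
    $lock = (Get-ItemProperty -Path $lockDown -Name "bDisableJavaScript" -ErrorAction SilentlyContinue).bDisableJavaScript
    return ($pref -eq 0) -and ($lock -eq 1)
}

Test-ReaderJavaScriptDisabled
```

The HKLM lockdown requires an elevated session and is the part that matters for a fleet; the HKCU value alone is what a user can undo in two clicks. Before rolling it out, open a sample of the forms your organization actually uses with JavaScript disabled, since calculated fields and some submit actions in forms depend on it.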