rp nss labs corporate exploit protection


7/29/2019 Rp Nss Labs Corporate Exploit Protection

CORPORATE AV/EPP COMPARATIVE ANALYSIS

Exploit Protection

2013 Randy Abrams, Dipti Ghimire, Joshua Smith

Tested Vendors

AVG, ESET, F-Secure, Kaspersky, McAfee, Microsoft, Norman, Panda, Sophos, Symantec, Trend Micro


NSS Labs Corporate AV/EPP Comparative Analysis - Exploit Protection

© 2013 NSS Labs, Inc. All rights reserved.

Overview

Endpoint Protection Products (EPP) are designed to protect against a broad spectrum of threats. Products originally developed to detect self-replicating code (viruses and worms) have added protection against adware, spyware, rootkits, bootkits, phishing attacks, and exploits, in addition to providing firewall capabilities and more.

The ability to block exploits is one of the most significant tasks required of EPP products. When a new vulnerability is exploited, not only can malware, known or unknown, be silently installed; criminals can also take over the exploited computer manually, thereby evading signatures and heuristics designed to detect malicious code. If an EPP can block an exploit, it has effectively blocked any and all malware that the exploit may attempt to execute or install. The ability to catch the payload an exploit delivers has value, but provides far less protection than blocking the exploit itself.

Exploit kits such as Blackhole have essentially made the mass exploitation of websites a low-cost franchise operation with a low buy-in and an immediate, lucrative return. Software such as Oracle's Java, Adobe's Flash and Reader/Acrobat, in addition to web browsers, keeps a fresh supply of exploitable vulnerabilities available even as old exploits continue to plague consumers and corporations alike.

The exploitation of vulnerabilities in common software programs enables attackers to breach networks, steal intellectual property, hijack email and social network accounts, and engage in several other types of cybercrime. NSS vulnerability research reveals that the number of reported vulnerabilities rose significantly in 2012 and that the vulnerability landscape is going through significant transformations [1].

Enterprises have several tools to help prevent the exploitation of vulnerabilities. Patching is one of the most important defenses. However, many corporations fail to patch all of the applications on their desktops and often are slow to deploy the most current software versions. Intrusion prevention systems (IPS), and in some scenarios next-generation firewalls (NGFW), can provide a valuable line of defense against exploits for enterprises. NSS provides extensive comparative testing for IPS and NGFW products. The use of current web browsers is another line of defense. The most widely used browsers have added features such as reputation systems and application blocking to help defend against the exploitation of vulnerabilities. The use of endpoint protection products, colloquially known as antivirus, is also a common defense.

NSS tested 11 popular enterprise EPP products to measure their effectiveness in protecting Windows computers against exploits. All of the exploits used during this test had been publicly available for months (and sometimes years) prior to the test, and had also been observed in use on the Internet.

Enterprises, especially those employing the BYOD model, that seek protection from exploit-driven attacks against desktop PCs and laptops should closely examine the results from this test.

[1] https://www.nsslabs.com/reports/vulnerability-threat-trends


Figure 1 - Combined Block Rates (including alternate vectors)

    Vendor        Block rate
    Panda            41%
    Norman           47%
    Microsoft        65%
    ESET             71%
    Trend Micro      73%
    F-Secure         76%
    AVG              79%
    Sophos           88%
    Symantec         91%
    Kaspersky        92%
    McAfee           97%

Figure 1 combines 203 exploit download and payload execution tests with 30 alternate vector attacks to provide the overall exploit protection rate for the tested EPP products.

Key Findings:

- With a few notable exceptions, endpoint products are not providing adequate protection from exploits.
- Enterprise EPP products differ by up to 53% in effectiveness at blocking exploits, with protection levels varying between 44% and 97%.
- Keeping AV software up to date does not yield adequate protection against exploits, as evidenced by gaps in coverage for vulnerabilities found to be several years old.
- Java is a significant attack vector.


Table of Contents

Analysis
    Test Background: Threat Landscape
    Stages of Protection
    How This Test Was Conducted
    Protection From Exploits Across Protocols
    Exploit Blocking Results
    Alternative Attack Vectors
Test Methodology
    The Tested Products
    Client Host Description
    The Vulnerabilities
Appendix A: Definitions
    Vulnerability
    Exploit
    Payload
Contact Information

Table of Figures

Figure 1 - Combined Block Rates (including alternate vectors)
Figure 2 - How a desktop/laptop computer is exploited
Figure 3 - HTTP vs. HTTPS block rates
Figure 4 - Non-IE6 Overall Exploit Block Rate
Figure 5 - IE6 Overall Block Rate
Figure 6 - Overall Exploit Block Rate


Analysis

The results of NSS' in-depth testing of 41 individual exploits and over 200 attack scenarios revealed significant differences in the defensive capabilities of 11 leading endpoint protection solutions. Results are provided separately for exploits that require Internet Explorer 6 and those that do not. Given that many enterprises are forced to support IE6 because of legacy applications, this capability may be a determining factor in selecting an EPP product.

Excluding exploits requiring IE6, the average block rate was 77%, with the weakest product blocking 44% and the best product blocking 98% of the attacks. For exploits requiring IE6 to execute, the average block rate was 65%, with the weakest performer blocking 20% of the attacks and the top products blocking 100%.

Enterprises rely on endpoint security products to help provide a virtual shield against exploits. The number of potentially vulnerable applications that need to be patched taxes the resources of most IT departments and may allow vulnerabilities to persist longer than they ordinarily might on a consumer computer. NSS testing shows that the majority of EPP products fail to block some of the most widely used and dangerous exploits from recent years.

Given the importance and growing prevalence of this class of threat, NSS recommends that enterprises give appropriate weight to the quality of exploit prevention technology, as well as to performance and threat detection, when selecting EPP products.

Test Background: Threat Landscape

The layers of defense used in enterprises vary widely. The extent to which technologies such as IPS, NGFW, web and application whitelisting, thin clients, and other measures are employed will affect how critical it is that an EPP product is capable of blocking exploits. Where employees work from home, or the bring your own device (BYOD) model is adopted, the importance of exploit prevention in EPP products may be significantly increased.

Exploit detection and prevention is a difficult problem and requires a different set of skills and focus than traditional malware protection.

In this test NSS demonstrates the capabilities of 11 popular enterprise-level endpoint protection products.

Figure 2 - How a desktop/laptop computer is exploited


Stages of Protection

The following table outlines the pros and cons of stopping the threat at the various stages.

Stage: Vulnerability

    Pros:
    - Provides the best protection: prevents the vulnerability from triggering
    - 90% proactive: protection can be developed before exploits based upon the vulnerability are released
    - ALL alternate exploit variants of the vulnerability are blocked
    - Nearly impossible to evade
    - Very accurate
    - Generates the fewest false positives

    Cons:
    - Requires a lot of work and is hard to do
    - 10% reactive: must know the vulnerability
    - Requires complex application or protocol decoding
    - Must understand the vulnerability
    - Most processor-intensive

Stage 1: Exploit

    Pros:
    - Offers targeted protection: prevents the (known) exploit
    - No need to understand the vulnerability or the protocol beyond a cursory level
    - Can be done easily through regular expression matching
    - Fast
    - Generates few false positives

    Cons:
    - Provides limited, targeted protection
    - 50% reactive: must see the exploit first
    - Only prevents the specific (known) exploit
    - Easy for attackers to find alternatives to bypass
    - Maximum coverage = many signatures
    - Requires tuning to prevent false positives

Stage 2: Payload

    Pros:
    - Focuses on the malicious payload (malware)
    - Detects malware that is delivered by other means (e.g. USB)
    - Simple pattern matching
    - Fast
    - Based on mature technology

    Cons:
    - Detection occurs after a successful attack has put malicious code on an endpoint
    - 100% reactive: must see the payload first
    - Does not detect non-standard attacks
    - Easy for attackers to obfuscate attacks and bypass
    - Requires the most signatures and constant updates to be effective
    - Only provides limited protection


How This Test Was Conducted

Between October and December 2012, NSS tested 11 enterprise endpoint protection products, assessing their respective protection capabilities against exploits. Vulnerabilities used in this test were exploited when a user visited an infected web page hosting the attack code. The attacks occurred in two stages:

1. The attacker caused a specially crafted stream of data and code to be delivered to a precise location. This exploited the victim's computer, gaining the attacker the ability to perform arbitrary code execution.

2. Malicious code was silently executed on the victim's computer.

If the attack can be thwarted in stage one (the exploit), then it cannot progress to stage two. As long as the exploit is not defeated, installing malware is just one of many possible actions the attacker can take. Prior to exploiting a vulnerability, attackers have the ability to use services such as Google's VirusTotal, and even the products themselves, to ensure the payload will not be detected by any antivirus product. Since cybercriminals have the time and resources to ensure custom malware will go undetected, it is imperative that attacks be defeated in the earliest possible stage. Products that are unable to prevent the exploitation of vulnerabilities are also unable to provide significant protection against the infinite number of payloads that can be delivered.

Protection From Exploits Across Protocols

The Firefox add-on Firesheep brought substantial media attention to session hijacking attacks, and forced many social media sites to implement encrypted sessions. Today, Gmail, Twitter, and Facebook all offer end-to-end HTTPS sessions, as does virtually every financial site. When trusted SSL sites are compromised, products that cannot inspect SSL-encrypted traffic are blind to the attacks and to the malware being delivered over HTTPS. Detection of exploits delivered over HTTP versus HTTPS can vary by as much as 39% in a single product.


Figure 3 - HTTP vs. HTTPS block rates

    Vendor         HTTP    HTTPS
    Panda           42%     47%
    Norman          50%     50%
    Microsoft       66%     66%
    ESET            74%     74%
    F-Secure        79%     82%
    AVG             87%     71%
    Sophos          87%     89%
    Trend Micro     89%     50%
    Symantec        95%     87%
    McAfee          97%     95%
    Kaspersky      100%     97%

NSS protocol testing utilized a payload that was proven to be detectable by all products in at least some cases. The payload was delivered via both HTTP and HTTPS, leveraging 39 different exploits. Browsers used in the protocol testing included multiple versions of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Google Chrome. Vulnerable applications included versions of .NET, Flash, Java, Office, Shockwave, RealPlayer, Reader, QuickTime, WMI tools, and WMP. To provide the best protection, security products should ideally protect against all exploits for a given vulnerability, regardless of transport protocol.

Exploit Blocking Results

In the non-IE6 tests, no product was able to block all of the exploits, and only three products, Kaspersky (98%), McAfee (96%) and Symantec (92%), were able to block more than 90% of the exploits. Four products, ESET (74%), Microsoft (66%), Norman (52%), and Panda (44%), failed to block at least 75% of the exploits.

For most products, the problem was not whether or not the traffic was encrypted, but rather a failure to detect the exploits at all (over both HTTP and HTTPS). A few products even demonstrated more effective exploit blocking over HTTPS than over HTTP. On average, there was a 7% difference in the ability of products across the board to block HTTPS versus HTTP exploit attacks.


Trend Micro blocked 39% fewer attacks delivered via HTTPS than through HTTP, and AVG blocked 16% fewer attacks when SSL was used. Only ESET, Microsoft, and Norman consistently blocked the same attacks delivered through HTTPS as they did when SSL was not used.

The overall effectiveness of the 11 products in blocking (non-IE6) exploits is as follows:

Figure 4 - Non-IE6 Overall Exploit Block Rate

    Vendor        Block rate
    Panda            44%
    Norman           52%
    Microsoft        66%
    ESET             74%
    F-Secure         78%
    Trend Micro      81%
    AVG              82%
    Sophos           88%
    Symantec         92%
    McAfee           96%
    Kaspersky        98%

When testing protection against exploits that require the use of Internet Explorer 6.0, three products, McAfee, Sophos, and Symantec, were able to block 100% of the exploits. The average detection rate for these exploits was 65%. Among the IE6-driven attacks that Microsoft failed to block was an exploit that affects Microsoft Office 2003. Five products were able to block more than 75% of the attacks. Five products failed to block 50% of the exploits that affect IE6 users.


Figure 5 - IE6 Overall Block Rate

    Vendor        Block rate
    Norman           20%
    ESET             40%
    Microsoft        40%
    Panda            40%
    Trend Micro      48%
    AVG              56%
    F-Secure         80%
    Kaspersky        88%
    McAfee          100%
    Sophos          100%
    Symantec        100%

The combined exploit protection of Figures 4 and 5 is shown in Figure 6 below.

Figure 6 - Overall Exploit Block Rate

    Vendor        Block rate
    Panda            44%
    Norman           48%
    Microsoft        63%
    ESET             70%
    Trend Micro      77%
    F-Secure         78%
    AVG              79%
    Sophos           89%
    Symantec         93%
    McAfee           97%
    Kaspersky        97%


Alternative Attack Vectors

In testing EPP products against exploits, the primary tests were performed using a variety of web browsers. NSS engineers also performed a few tests using alternate attack vectors. The sample set was too small to establish product differences on those criteria alone, but it did reveal some gaps in protection.

NSS engineers tested 5 exploits, each executed from an Outlook email message, executed from a network share, and copied from a network share and executed from the desktop. Most products would block the exploits when delivered from alternate vectors if they blocked the exploit on download. There were a couple of notable and interesting exceptions, however.

Kaspersky failed to block one exploit when it was run from the alternate vectors. On further inspection it was determined that the initial block when a browser was used was based upon a heuristic that detected the exploit script rather than the exploit itself. F-Secure failed to block two exploits if they were executed from a network share, but detected the exploits when downloaded, opened from email, or opened from the desktop. Trend Micro blocked an exploit on download and when opened from Outlook, but not when executed from a network share or the desktop. The small sample set precludes concluding that the other products would not have similar issues if a statistically significant sample set were used in these tests. However, the testing does conclusively demonstrate that the ability to block an exploit on download does not automatically translate to protection against alternate delivery methods.

NSS engineers noted other disconcerting behaviors while conducting the tests. There were several instances where products flagged an exploit but the payload was still executed. These cases were tabulated as failures. Initial indications point to a probable race condition: a temp file is written to disk, and sometimes the EPP detects it prior to payload execution and sometimes the payload wins the race.

The standard NSS testing methodology calls for the use of standard ports for browsing and exploit delivery. However, when NSS engineers tried the same tests over non-standard ports, Kaspersky failed to detect the exploits. This may be attributable to configuration options, and it underscores the need to block unused ports at the firewall as well as the need to test implementations of security products in the actual enterprise environment.

In testing exploits delivered over HTTPS, NSS engineers noted that the browser would often crash when testing the Kaspersky product. While this did prevent the payload from executing, it is not the ideal approach to exploit protection and can result in excessive help desk calls.
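The following Python harness is an added example, not NSS code, of the consistency check these findings call for: deliver the same constructed exploit file through each vector the report names, plus a browser download over a non-standard port, and ask each detector whether it fires. The "TDOC" file format, the loader page, the port numbers and the three detectors are all constructed for the illustration; the first detector keys on the delivery script the way the Kaspersky heuristic did, the second is wired only to standard web ports, and the third inspects the file itself.

```python
"""Does a block in one delivery vector hold in the others?

Added harness, not NSS code.  One constructed exploit file is delivered through
the vectors named in the report (browser, Outlook attachment, network share,
desktop copy), plus a browser download over a non-standard port, and each of
three constructed detectors is asked whether it fires.  A detector whose verdict
changes with the vector is exactly the gap the test exposed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample.  Hypothetical document format "TDOC": 4-byte magic, 2-byte
# big-endian title length, title bytes; the hypothetical reader copies the title
# into a 64-byte buffer, so an overlong title is the exploit.
TITLE_BUF_SIZE = 64
EXPLOIT_FILE = b"TDOC" + struct.pack(">H", 200) + b"B" * 200

# Constructed loader page as the browser receives it: the common heap-spray idiom
# (a long run of %u-escaped words passed to unescape) wraps the download link.
LOADER_PAGE = (
    '<html><script>var s = unescape("' + "%u9090" * 64 + '");'
    'location.href = "exploit.tdoc";</script></html>'
).encode()


@dataclass
class Delivery:
    vector: str
    file: bytes
    page: Optional[bytes] = None   # HTML that delivered the file; browser vectors only
    port: Optional[int] = None     # TCP port for network vectors; None for local ones


def deliveries(exploit: bytes):
    """The same file, every way the report delivered it (ports are assumptions)."""
    return [
        Delivery("browser, port 80", exploit, page=LOADER_PAGE, port=80),
        Delivery("browser, port 8080", exploit, page=LOADER_PAGE, port=8080),
        Delivery("outlook attachment", exploit),
        Delivery("network share", exploit, port=445),
        Delivery("copied to desktop", exploit),
    ]


# Detector 1: heuristic on the script that delivers the exploit, not on the exploit.
HEAP_SPRAY_RE = re.compile(rb"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){16,}")


def loader_script_heuristic(d: Delivery) -> bool:
    return d.page is not None and HEAP_SPRAY_RE.search(d.page) is not None


# Detector 2: inspects the file itself, wherever it came from.
def file_content_check(d: Delivery) -> bool:
    if len(d.file) < 6 or not d.file.startswith(b"TDOC"):
        return False
    return struct.unpack(">H", d.file[4:6])[0] > TITLE_BUF_SIZE


# Detector 3: the same content check, but wired only to standard web ports.
def web_stream_inspection(d: Delivery) -> bool:
    return d.port in (80, 443) and file_content_check(d)


DETECTORS = {
    "loader script heuristic": loader_script_heuristic,
    "web stream inspection": web_stream_inspection,
    "file content check": file_content_check,
}


def coverage_matrix(exploit: bytes = EXPLOIT_FILE):
    """detector -> {vector -> blocked?}"""
    return {name: {d.vector: fn(d) for d in deliveries(exploit)}
            for name, fn in DETECTORS.items()}


def vector_dependent(matrix) -> list:
    """Detectors whose verdict differs between vectors: blocked here, missed there."""
    return sorted(name for name, row in matrix.items() if len(set(row.values())) > 1)


if __name__ == "__main__":
    m = coverage_matrix()
    for name, row in m.items():
        print(f"{name:24}", "  ".join(f"{v}={'BLOCK' if ok else 'miss'}" for v, ok in row.items()))
    print("vector-dependent:", vector_dependent(m))
```

`vector_dependent()` returns the detectors whose verdict changes with the vector; in an evaluation that list, rather than the browser-only block rate, is what tells you whether a product's protection survives an attachment, a network share, or a download on a port the product does not watch.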


Test Methodology

Methodology Version: Endpoint Protection Test Methodology v3.0

This test report is one of a series of several tests in our Whole Product Test series. The scope of this particular report is limited to Host Intrusion Prevention vs. Exploits. No zero-day exploits against unknown vulnerabilities were included in this test.

Other tests in this series include:

1. Socially Engineered Malware - Web-based malware that tricks users into downloading and installing it.
2. Host Intrusion Prevention - This report.
3. Evasion Defenses - Preventing attempts to circumvent AV and HIPS.
4. Anti-Malware (classic) - Email, network share, and USB infection vectors.
5. Live Web-Based Drive-By Exploits - Live testing using Internet-borne exploits that insert malware payloads. Also known as drive-by or non-consensual downloads.
6. Performance - Increase in memory, CPU, boot time, and application load time.

The Tested Products

The following is a current list of the products that were tested, sorted alphabetically:

1. AVG Internet Security Business Edition 2012 2012.0.2221
2. ESET Endpoint Security 5 5.0.2126.0
3. F-Secure Client Security 9.31
4. Kaspersky Endpoint Security 2012 12.0.0.3748.1.0.831(a)
5. McAfee Endpoint Protection 8.8.0
6. MS System Center 2012 Endpoint Protection 2.2.903.0
7. Norman Endpoint Protection 9.00.000
8. Panda Cloud Antivirus Pro 2.0.0
9. Sophos Endpoint Security & Control 10.0
10. Symantec Endpoint Protection 12.1.1101.401 RU1 MP1
11. Trend Micro OfficeScan 10.6.2401 Service Pack 1

Vendors were allowed to make configuration changes if it was determined that the default settings were not optimal. Product settings were verified by browsing to real websites on the Internet that utilize common applications used during the test. This ensured vendors applied realistic policies and did not skew the test by simply setting their product to block all.


Products were connected to the live Internet, and had access to vendor cloud services. Updates were enabled with whatever frequency was set by the manufacturer.

Once testing began, the product version was frozen, in order to preserve the integrity of the test. Given the nature of endpoint protection platforms, virus signature and definition updates as well as HIPS updates were enabled with whatever frequency was set by the manufacturer.

Client Host Description

All tested software was installed on identical machines, with the following specifications:

- Microsoft Windows XP SP3 and Windows 7 32-bit operating systems
- 2 GB RAM (XP SP3), 4 GB RAM (Windows 7)
- 20 GB HD (XP SP3), 40 GB HD (Windows 7)

The Vulnerabilities

Vulnerabilities were primarily selected based upon their severity and prevalence. They include vulnerabilities found in Microsoft Windows Internet Explorer, Mozilla Firefox, Adobe Acrobat, Apple QuickTime and other widely used applications.

All of the vulnerabilities selected by NSS had been public for several months (or years). The test set did not contain any zero-day vulnerabilities. Each of the selected vulnerabilities permitted arbitrary code execution. All exploits were validated on vulnerable systems.

The following list contains some examples of the vulnerabilities tested (this list is not exhaustive, and is provided only to give an indication of the types of vulnerabilities used in testing):

CVE-2012-1875: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

CVE-2011-1276: Buffer overflow in Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Excel spreadsheet, related to improper validation of record information, aka "Excel Buffer Overrun Vulnerability."

CVE-2011-2371: Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.


CVE-2011-3544: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

CVE-2010-1297: Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to authplay.dll and the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010.

CVE-2010-0886: Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0806: Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability."

CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code

CVE-2009-0075: Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."

CVE-2008-5353: The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects"

CVE-2008-4844: Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.

Further information about vulnerabilities can be found at http://cve.mitre.org, a public, government-funded web site established as a clearinghouse for vulnerability information.



Appendix A: Definitions

The following definitions and analogies are provided in an effort to provide clarification, as well as to bridge an ongoing communication gap between security vendors and their customers.

Vulnerability

A perfect lock can only be opened by a key with a specific pattern. If a lock can be opened with a different key, then it has a vulnerability. If nobody can actually build the alternate key that will open the lock, then the vulnerability cannot be exploited. An example of a software vulnerability is improperly defined memory usage within a function that enables unauthorized content to be sent to a specific memory location and then executed with privileged rights.

Exploit

An exploit is a specially crafted code sequence which can trigger or unlock a vulnerability within an application, such as a heap spray, buffer overflow attack, etc. In the context of the above vulnerability example, an exploit is using an incorrect key to unlock the vulnerable lock. When such a key is built exclusively to prove that the lock is vulnerable, it is called a proof of concept. When such a key is used to criminally exploit systems, it is said to be in the wild. Practically speaking, virtually any exploit for which there is a viable proof of concept is being exploited in the wild and poses a threat to consumers, corporations and governments. An exploit can be planted in a compromised website where it silently infects visiting computers, can be embedded in an attachment delivered through email, or can be launched from another computer (remote attack) automatically via software or manually by a hacker.

Payload

The payload is the content that is delivered once the vulnerable application has been exploited. Payloads can range from inactive political or religious statements to the complete remote control of the affected computer. For automated attacks the payload may be something as relatively innocuous as adware or as costly as a rootkit combined with a banking or gaming password-stealing trojan. For a manual attack the payload may provide a remote hacker with complete control of the compromised system and access to all information on the system. In a home environment the payload may result in identity theft, or compromise of email or social networking accounts. In a business environment, including those allowing BYOD network access, compromise of a workstation may allow an attacker to tunnel deeper into a network.

[Figure: layered diagram. Vulnerability (e.g. CVE-2010-0249) -> Exploits (Java, Reader, Browser) -> Arbitrary Malicious Payloads (Shellcode, Virus/Trojan, etc.)]


© 2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS without notice.

2. The information in this report is believed by NSS to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED, ARE GIVEN BY NSS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS. IN NO EVENT SHALL NSS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.

Contact Information

NSS Labs, Inc.
206 Wild Basin Road, Suite 200A
Austin, TX 78746
+1 (512) 961-5300
[email protected]
www.nsslabs.com

This and other related documents are available at: www.nsslabs.com. To receive a licensed copy or report misuse, please contact NSS at +1 (512) 961-5300 or [email protected].