Dec 22, 2008

Which endpoint protection products stop IE Exploits?

During the week of Dec 15-18, NSS Labs conducted a series of tests of popular anti-malware and endpoint protection products to evaluate their ability to protect clients from exploits targeting the IE vulnerability. The results are somewhat surprising, showing a broad lack of protection from current enterprise products. Admins are advised to read this and address any gaps ASAP.

Tested antivirus/anti-malware/endpoint protection products include:

  • AVG Internet Security Network Edition v8.0
  • Kaspersky Total Space Security v6.0
  • McAfee Total Protection for Endpoint
  • Sophos Endpoint Security and Control v8.0
  • Symantec Endpoint Protection 11.0.2 MR2
  • Trend Micro Officescan 8.0 SP1 R3
Read the report here.

Exploits vs Drive-by Downloads


What's a "drive-by download" anyways? Recent discussions and the flurry of media articles about the recent Microsoft Internet Explorer vulnerability have given rise to some discussion. So, we at NSS Labs decided to provide this clarification of exploits vs drive-by downloads in response to some research and discussions we've had with a number of end-users and vendors. Our recent research into the Internet Explorer exploits revealed that some vendors and enterprises were not 'framing' the problem properly.

The "drive-by download" is the result of a successful exploit. It is worth noting that the exploit could have executed any arbitrary code, including returning a shell prompt, deleting or encrypting files, etc. But, more likely than not these days, the perpetrator prefers to go unnoticed so they can continue to leverage the newest memeber of their botnet in their quest for world domination. So, more frequently we see keyloggers, trojans, and other 'quiet' culprits. Come to think of it, drive-bys are usually pretty noisy with all the shooting and screeching of tires and such.

So, when vendors and end-users talk about the "download" it can unduly shift the focus towards the result and away from the cause. There are very few exploits compared to hundreds of thousands of pieces of malware. And the exploits are easier to detect - if you are looking in the right place... Network IPS and Host IPS (which can be part of an endpoint protection product) are two great solutions.

Exploits vs Drive-by Downloads.

Dec 17, 2008

Microsoft IE7 zero day exploit - patch released

Today, just 7 days after the discovery of a critical zero-day exploit in Microsoft's popular Internet Explorer (see Microsoft Security Advisory 961051), Microsoft has released its analysis and a public patch via various Windows Update services.

We at NSS Labs has been following this closely, as live exploits have been circulating and growing rapidly, reaching more than 10,000 infected sites (TrendMicro). There are different implementations, including java script and ActiveX that exploit the XML parser in IE versions 5.01 through IE8 beta 2. See the official description and analysis from Microsoft MS08-078 for a complete list of affected versions and systems. And on the more interesting side, HD Moore at BreakingPoint Systems describes his analysis.

Dec 15, 2008

IBM’s Proventia Server for Windows v2 passes NSS Labs PCI Suitability Testing

IBM’s Proventia Server for Windows v2 has successfully passed NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS). The security effectiveness of Proventia Server for Windows 2.0 was excellent. NSS Labs tested the product on numerous Windows platforms, and a wide range of applications. Proventia Server for Windows 2.0 detected and blocked a total of 64 exploits (98.5%) – all of which were Attacker Initiated. Support for PCI DSS requirements was excellent. Overall, out of 58 tested requirements, the product supports 57 (98%).

Read the complete report on IBM's Proventia Server