In This Issue
Tech Talk, News & Articles, Reader Q&A, Announcements, Etcetera
Tech Talk
"Beat the Worm": A Guide to Mitigating Critical Flaws, Part II
The Complexity of Flaw Exploitation
The complexity of exploiting a security flaw is one of the biggest factors to consider when gauging the potential impact of any worm threat. A second factor is whether the worm relies on user interaction. Security flaws that have already been exploited publicly, and for which exploit programs are readily available, pose a much higher worm threat than those that have yet to be exploited.
Worms that require user interaction are less severe. Email-based worms, for example, rely on the cooperation of unwitting users to aid their propagation. Email-based worms can be contained by enforcing a strong employee use policy, by filtering email, or with the aid of third-party security solutions.
Worms that do not require user interaction (as opposed to "socially engineered" threats, which do) are more severe and typically spread faster. Code Red, Sapphire (also known as SQL Slammer), Blaster and Witty all propagated without any user interaction.
What these worms have in common is that each propagated by exploiting a buffer overflow in a widely deployed software product. Buffer overflow vulnerabilities, which allow an attacker to overwrite portions of a target process's memory, come in many forms. The majority, if not all, of the worms that have propagated without user interaction exploited stack-based buffer overflows, which are the best-documented class and are regarded as the easiest to exploit: overrunning a fixed-size buffer on the stack lets the attacker overwrite the saved return address and redirect execution into code of the attacker's choosing.
There are literally tens of thousands of people today who can write a program to exploit a stack-based buffer overflow; the same cannot be said for other classes of attack. For this reason, security flaws such as stack-based buffer overflows carry a much higher worm threat. If an exploit is released for a new security hole to which many systems are likely to be vulnerable, the threat of a new worm is much higher than usual.
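The following is an added example written for this edit; it is not eEye's code and is not taken from any of the worms named above. It models a stack frame as a struct (an assumption made so that every write stays inside one object and the demonstration is deterministic, rather than undefined behaviour) and shows the unchecked copy that such worms exploit beside a bounded version that rejects over-long input. The payload bytes, the sentinel value and the frame layout are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stack frame layout (an assumption for illustration): a
 * fixed-size local buffer followed immediately by the saved return address.
 * Real frames differ by compiler and ABI, and modern builds add canaries;
 * modelling the frame as a struct keeps every write inside one object so
 * the demonstration is deterministic rather than undefined behaviour. */
struct frame {
    char     buf[16];       /* the "request" buffer the handler fills */
    uint64_t saved_ret;     /* stands in for the saved return address */
};

#define SAVED_RET_SENTINEL 0x00000000deadbeefULL

/* Vulnerable pattern: the byte count comes from the attacker's message and is
 * never compared with sizeof buf, so a long message keeps writing past buf
 * and into saved_ret. Returns the value left in the return-address slot. */
uint64_t unchecked_copy(const unsigned char *msg, size_t len)
{
    struct frame f;
    f.saved_ret = SAVED_RET_SENTINEL;
    /* A real strcpy()/memcpy() has no bound at all; the clamp to the whole
     * frame only stops this simulation from leaving the struct. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, msg, len);           /* spills over buf into saved_ret */
    return f.saved_ret;
}

/* Hardened pattern: check the attacker-supplied length against the buffer
 * before copying, leave room for the terminator, and refuse (rather than
 * silently truncate) anything that does not fit. Returns 0 on success, -1 if
 * the message was rejected; *ret_out receives the return-address slot. */
int bounded_copy(const unsigned char *msg, size_t len, uint64_t *ret_out)
{
    struct frame f;
    f.saved_ret = SAVED_RET_SENTINEL;
    if (len >= sizeof f.buf) {      /* >= leaves room for the NUL terminator */
        *ret_out = f.saved_ret;     /* nothing was written; slot is intact */
        return -1;
    }
    memcpy(f.buf, msg, len);
    f.buf[len] = '\0';
    *ret_out = f.saved_ret;
    return 0;
}

/* Constructed 24-byte payload: 16 bytes of filler to reach the end of buf,
 * then 8 bytes of 0x42 that become the new "return address". A real exploit
 * would put the address of its shellcode here. */
#define PAYLOAD_LEN 24
static void build_payload(unsigned char out[PAYLOAD_LEN])
{
    memset(out, 'A', 16);
    memset(out + 16, 0x42, 8);
}

/* Run the constructed payload through the vulnerable handler. */
uint64_t demo_unchecked(void)
{
    unsigned char payload[PAYLOAD_LEN];
    build_payload(payload);
    return unchecked_copy(payload, PAYLOAD_LEN);    /* 0x4242424242424242 */
}

/* Run the same payload through the hardened handler: return code and slot. */
int demo_bounded_rc(void)
{
    unsigned char payload[PAYLOAD_LEN];
    uint64_t slot = 0;
    build_payload(payload);
    return bounded_copy(payload, PAYLOAD_LEN, &slot);   /* -1: rejected */
}

uint64_t demo_bounded_slot(void)
{
    unsigned char payload[PAYLOAD_LEN];
    uint64_t slot = 0;
    build_payload(payload);
    bounded_copy(payload, PAYLOAD_LEN, &slot);
    return slot;                                        /* sentinel intact */
}

/* A short, legitimate message is still accepted by the hardened handler. */
int demo_bounded_short_rc(void)
{
    static const unsigned char msg[] = "GET /";
    uint64_t slot = 0;
    return bounded_copy(msg, sizeof msg - 1, &slot);    /* 0: accepted */
}

int main(void)
{
    printf("unchecked: saved return slot = 0x%016llx\n",
           (unsigned long long)demo_unchecked());
    printf("bounded:   rc=%d, slot = 0x%016llx, short rc=%d\n",
           demo_bounded_rc(), (unsigned long long)demo_bounded_slot(),
           demo_bounded_short_rc());
    return 0;
}
```

The point of the struct is that the overwrite is visible in plain C: after the unchecked copy the return-address slot holds whatever the attacker placed in bytes 17 to 24 of the message, which is exactly the control a worm needs to jump into its own code. The bounded version checks the length against the buffer, not against the whole frame, and fails closed.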
See our next issue for Part III: Reliability of Exploitation.
Source: eEye Research Team
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
eWeek: Man Charged With Hacking Database Company
"A Florida man has been charged with stealing large amounts of consumer information from Acxiom Corp., one of the world's largest database companies."
SearchSecurity: New Attacks and Vulnerability Trends Highlighted at Black Hat
"Nearly 2,000 hackers of all stripes are expected at the 8th Annual Black Hat Briefings USA this week. Presentations beginning today will analyze vulnerabilities, zero-day code, phishing and secure wireless deployment, among many other topics."
InfoWorld: E-Commerce Growth Triggers Security
"It's easy for people to say that they're extremely or very confident that their IT department's security is up to par, and it's even easier for executives to become convinced of a company's invulnerability to computer-borne attacks. Even though our respondents were no more confident than they were last year, they still seem to be convincing management they know what they're doing."
ZDNet: Important Windows Flaw Could Turn Critical
"Security experts are bracing themselves for a spate of new worms and viruses designed to exploit one of the seven new vulnerabilities announced by Microsoft on Tuesday as part of its monthly patch cycle."
Reader Q&A
Q: Does Retina 5.0 need credentials to scan targets? If so, how do I use them/set them up?
A: Credential Management was added to Retina 5.0 to allow the use of several different administrative logins from the same scanner without having to log in and out. Retina 4.x assumed the credentials of the user running the application, which made it difficult to scan multiple domains and workgroups.
Retina 5.0 runs as a service and therefore runs with Local System privileges. You can always run a non-privileged scan over a Null Session by simply not selecting any credentials for your scan; such a scan cannot perform the checks that need authenticated access. In order to properly scan Windows targets with administrative rights (for example, to get remote registry access), you will need to add the credentials you wish to scan with. In a domain environment, it is best to scan with a domain admin login.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
Release: eEye Digital Security Eliminates the Threat of Zero-Day Attacks with Blink
On July 26, eEye introduced Blink, the most powerful and comprehensive end-point security software product introduced to date. Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first end-point product to combine multiple layers of security technologies to protect enterprises from "zero-day" attacks that leverage as-yet-unknown vulnerabilities within enterprise networks.
Now Available: Retina Network Security Scanner 5.0
eEye introduced version 5.0 of the Retina Network Security Scanner. Retina 5.0 is the latest edition of the industry's leading network scanner for identifying security vulnerabilities within enterprise networks. In addition to its award-winning scanning accuracy, open architecture and non-disruptive scanning capabilities, Retina 5.0 introduces multiple unique features that set it apart from other software and managed service scanner offerings.
Upcoming Webinar: Vulnerability Expert Forum
eEye Digital Security will be hosting special web seminars focusing on recently announced critical vulnerabilities. Press, prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, such as Marc Maiffret. The webinars explore the impact that high-risk vulnerabilities and exploits have on network environments and infrastructures. eEye's experts share in-depth knowledge about these issues and recommend solutions to detect and protect against current and future critical security weaknesses.
Webinar: Learn How to Proactively Safeguard Your Network from Vulnerabilities
Effectively safeguarding your network can be an overwhelming task. While the number of vulnerabilities is increasing, the window of opportunity to remediate them is decreasing. As evidenced by the recent Sasser worm, the time from the announcement of a critical vulnerability to the appearance of exploit code and the corresponding attack has decreased from months to just days. The financial impact from such attacks is no longer theoretical: the average cost of a malicious attack on a corporate network has increased to almost $2 million per incident. Register today to reduce risk and increase your level of protection!
Etcetera
PCWorld: PDA Viruses Could Get Nasty
Viruses that target handhelds can be even more dangerous than their cousins that attack PCs, spawning self-replicating programs that hide easily, a security researcher told an audience of security professionals at the Black Hat Briefings conference here this week.
Computerworld: 34 Flaws Found in Oracle Database Software
Oracle Corp. will soon issue patches to fix 34 different vulnerabilities in its database software that were disclosed to it early this year by a British bug hunter.
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.