Thanks for clarifying that

On 16 April 2012 16:25, Andrew S. Baker <[email protected]> wrote:

> Here's one typical scenario:
>
>    - WinWord.exe has a buffer overflow vulnerability.
>    - WinWord.exe is a whitelisted app, so the vulnerability can be
>    exploited.
>    - Bad guy creates a hand-crafted data file that takes advantage of the
>    buffer overflow vulnerability
>    - User opens bad data file, which exploits the vulnerability
>
>
> In a traditional environment, the exploit of the vulnerability would
> likely include the uploading or installation of some files to the exploited
> machine for the purpose of controlling it more directly.
>
> In an environment that makes use of whitelisting technology, the code that
> is spawned by the exploit (either because it is embodied in the bad data,
> or because it is downloaded from some remote server) will be unable to run
> -- because it is not an approved application/code.
>
> This is a key benefit of whitelisting.
>
> Now, if the malware exploit only attempts to make use of existing files
> (CMD, etc) then these executions will be subject to whether or not they are
> approved from a whitelisting perspective, but the scope of the exploit is
> still *greatly* reduced.  (Read Only or Blocked Attack vs full system
> compromise)
>
>
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
>
>
> On Mon, Apr 16, 2012 at 11:12 AM, James Rankin <[email protected]> wrote:
>
>> Ah yes, I recall this debate before.
>>
>> So it's not that if you used a Word exploit, for example, you could get
>> winword.exe to do bad stuff under the context of that process - it would
>> have to be remote code execution under its own badapp.exe - which even if
>> you called it winword.exe would get caught by a hash value rule or check
>> for signed code, am I thinking along the right lines?
>>
>>
>> On 16 April 2012 15:54, Andrew S. Baker <[email protected]> wrote:
>>
>>> Yes, but if the bad data is used to perform a buffer overflow so that
>>> custom *code* can be executed to do nefarious acts, then that last step
>>> will fail because the custom malicious code is not authorized to run --
>>> even in a zero day.
>>>
>>> No, it doesn't solve every last malware issue known to man, and there
>>> can be some management overhead depending on the implementation, but it
>>> addresses more issues than blacklisting does, and does so more effectively.
>>>
>>> Of course, we've been saying the same thing for a while here:
>>>
>>> http://www.mail-archive.com/[email protected]/msg72561.html
>>>
>>>
>>> http://www.mail-archive.com/[email protected]/msg106004.html
>>>
>>>
>>> ASB
>>> http://XeeMe.com/AndrewBaker
>>> Harnessing the Advantages of Technology for the SMB market…
>>>
>>>
>>>
>>> On Mon, Apr 16, 2012 at 10:28 AM, James Rankin <[email protected]> wrote:
>>>
>>>> Agreed, if you've got a malicious Word document that exploits a flaw in
>>>> MS Word itself, then the only defence is good patching or some other form
>>>> of exploit detection. If it's a zero-day, then there's probably nothing
>>>> except exploit detection.
>>>>
>>>> Don't want to plug it too much but AppSense Application Manager does a
>>>> good job of detecting execution beyond the "expected" capabilities of an
>>>> application, but I've never been able to test it much beyond the types of
>>>> things like malicious PDFs with Java exploits or exploits that call out to
>>>> malicious dll files. Wonder how much work it would be to craft an Office
>>>> document that tries to exploit a vulnerability to see if it can stop this
>>>> sort of vector as well?
>>>>
>>>> On 16 April 2012 15:19, Alex Eckelberry <[email protected]> wrote:
>>>>
>>>>> > But, if we ever get to a world where whitelisting is the predominant
>>>>> > means of execution control, the bad guys will, out of necessity, be
>>>>> > relegated to exploiting flaws in applications through data files.
>>>>>
>>>>> I don’t understand how you can have an exploit in a data file
>>>>> resulting in anything else but code execution.  Data itself is harmless;
>>>>> it’s the executables that cause harm.
>>>>>
>>>>> There will always be code executed, in some form or another (unless
>>>>> I’m misunderstanding your point).
>>>>>
>>>>> Alex
>>>>>
>>>>>
>>>>> From: Crawford, Scott [mailto:[email protected]]
>>>>> Sent: Monday, April 16, 2012 12:25 AM
>>>>> To: NT System Admin Issues
>>>>> Subject: RE: Whitelisting
>>>>>
>>>>>
>>>>> Possibly...even probably. But, if we ever get to a world where
>>>>> whitelisting is the predominant means of execution control, the bad guys
>>>>> will, out of necessity, be relegated to exploiting flaws in applications
>>>>> through data files. A scanner that looks for signatures of exploits in
>>>>> files will be a useful tool. Assuming of course, all applications aren't
>>>>> secure.
>>>>>
>>>>>
>>>>> Sent from my Windows Phone
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> From: Andrew S. Baker
>>>>> Sent: 4/15/2012 1:08 PM
>>>>> To: NT System Admin Issues
>>>>> Subject: Re: Whitelisting
>>>>>
>>>>> You can't. :)
>>>>>
>>>>> ASB
>>>>> http://XeeMe.com/AndrewBaker
>>>>> Harnessing the Advantages of Technology for the SMB market…
>>>>>
>>>>>
>>>>> On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R <
>>>>> [email protected]> wrote:
>>>>>
>>>>> How do you blacklist all possible bad data files?
>>>>>
>>>>> ------Original Message------
>>>>> From: Crawford, Scott
>>>>> To: NT System Admin Issues
>>>>>
>>>>> ReplyTo: NT System Admin Issues
>>>>> Subject: RE: Whitelisting
>>>>>
>>>>> Sent: 14 Apr 2012 18:02
>>>>>
>>>>> A combination is needed. Whitelisting for traditional executable code
>>>>> and blacklisting for data files that exploit vulnerable white listed
>>>>> applications.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alex Eckelberry [mailto:[email protected]]
>>>>> Sent: Saturday, April 14, 2012 10:10 AM
>>>>> To: NT System Admin Issues
>>>>> Subject: Whitelisting
>>>>>
>>>>> I'm curious, what's the general feeling about whitelisting?  As a
>>>>> former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
>>>>> might be changing.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>>
>>>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>



-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I must
never send or store e-mails or attachments that are obscene, indecent,
sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
amusing, overly long, slightly opinionated, anonymous, likely to harm
animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
minority (such as extraterrestrial eggplants). Emails of this nature sent
in or out of this account may be intercepted and stopped by the system, but
it's a long shot. This being the UK, even if I was prosecuted for breach of
said email guidelines, I'd probably walk with a suspended sentence anyway,
but if I'd forgotten to pay my car insurance, I'd most certainly be hung,
drawn and quartered.

I am not responsible for any changes made to the message after it has been
sent, in more or less the same way that cyclozine manufacturers aren't
responsible for drug addicts mixing it with methadone and overdosing, so
I'm glad I cleared the confusion up there nice and early. Where opinions
are expressed, they are not necessarily mine. However, I don't make a habit
of expressing other people's opinions for them, so you shouldn't take that
statement as an indication that I am in the business of providing an
opinion-expressing service. In the event that I did, this discourse would
provide no guarantee that I would do it anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended addressee, or the person responsible for
delivering it to them, aside from the fact that you've clearly got some
level of unauthorised access to their account or are at least engaged in
some sort of fraud, I'm obliged to tell you that you may not copy, forward,
disclose or otherwise use it or any part of it in any way. To do so may be
unlawful, and as you're already breaking the law, I am sure that bombshell
makes you quake in your boots and turn yourself over to law enforcement
immediately. If you receive this e-mail by mistake, please advise the
sender immediately. That would be me, and as I am clearly prone to sending
emails to completely the wrong person, I should instantly be stripped of my
status as a technical consultant and sent to do something more becoming of
my stupidity, such as appearing on Big Brother, the X Factor or "insert
country name here"'s Got Talent.


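The hash-rule question James raises ("even if you called it winword.exe [it] would get caught by a hash value rule") and Andrew's caveat about exploits that only use existing files such as CMD, modelled as an added example. This is not code from the thread, from AppSense Application Manager or from any other product named in it: the paths, the byte strings standing in for binaries and the rule sets are all constructed for the example, and publisher (signed-code) rules are not modelled, only path rules and hash rules.

```python
"""Toy model of an application-allowlist decision (added example; not code from
the thread or from any product it mentions).

It contrasts the two rule styles the thread talks about: a path rule ("anything
at this location may run") and a hash rule ("only this exact binary may run").
File names, byte strings and rule sets are constructed for the example; a real
product hashes the on-disk PE image and usually also offers publisher rules,
which are not modelled here.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hash of the binary's bytes: what a hash rule is keyed on."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Executable:
    """What the allowlist engine sees at process creation: where the image is
    and what it contains."""
    path: str
    content: bytes


# Constructed stand-ins for real binaries.
GOOD_WINWORD = b"MZ-winword-legitimate-build (constructed)"
GOOD_CMD = b"MZ-cmd-system32 (constructed)"
BAD_APP = b"MZ-badapp-dropped-by-exploit (constructed)"

# Constructed locations (hypothetical victim machine).
WINWORD_PATH = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
CMD_PATH = r"C:\Windows\System32\cmd.exe"
TEMP_PATH = r"C:\Users\victim\AppData\Local\Temp\badapp.exe"

# Path rules allow by location; hash rules allow by content.
PATH_RULES = {WINWORD_PATH.lower(), CMD_PATH.lower()}
HASH_RULES = {sha256_hex(GOOD_WINWORD), sha256_hex(GOOD_CMD)}


def allowed_by_path(exe: Executable) -> bool:
    """Path rule: the image name is trusted, whatever the bytes are."""
    return exe.path.lower() in PATH_RULES


def allowed_by_hash(exe: Executable) -> bool:
    """Hash rule: the bytes are trusted, whatever the image is called."""
    return sha256_hex(exe.content) in HASH_RULES


def evaluate(exe: Executable) -> dict:
    """Verdict under each rule style for one process-creation attempt."""
    return {"path": allowed_by_path(exe), "hash": allowed_by_hash(exe)}


def scenarios() -> dict:
    """The three cases discussed in the thread.

    dropped_in_temp:     the exploit writes badapp.exe to %TEMP% and runs it.
    renamed_to_winword:  the attacker names the dropped binary winword.exe and
                         places it where the real one lives (this assumes the
                         exploit already has write access to that directory).
    spawns_existing_cmd: the exploit drops nothing and just starts cmd.exe.
    """
    return {
        "dropped_in_temp": evaluate(Executable(TEMP_PATH, BAD_APP)),
        "renamed_to_winword": evaluate(Executable(WINWORD_PATH, BAD_APP)),
        "spawns_existing_cmd": evaluate(Executable(CMD_PATH, GOOD_CMD)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        path_v = "ALLOW" if verdict["path"] else "BLOCK"
        hash_v = "ALLOW" if verdict["hash"] else "BLOCK"
        print(f"{name:20s} path-rule: {path_v}  hash-rule: {hash_v}")
```

The renamed-binary case is the one James asks about: a path rule lets it run, a hash rule does not, because the hash is computed over the bytes and not the file name. The cmd.exe case is Andrew's caveat: an already-allowed interpreter passes both rule styles, so whitelisting removes the "drop and run a new executable" step but not the "drive an existing one" step.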