Roger, you are right to be skeptical about BLADE being fool-proof. It is simplistic technology, much in the same way that most whitelisting technology becomes absolutely useless, as they are NOT stopping malicious code execution but rather the side effects (malware being downloaded and executed) of malicious code execution, at just one layer deeper than anti-virus but not at the root of the problem.
In the case of this BLADE technology, they are doing file- and process-related hooking and are essentially not allowing Adobe to create and execute the malicious malware file, but not preventing the exploit and execution of malicious code within Adobe itself. They do this by not preventing the exploit (the root cause) but by not allowing the exploit to create the malware file and execute it. What happens, though, when the exploit does not create a malware executable to execute? What if the exploit simply does all of its malicious behavior in memory without ever creating a file on disk? In that case BLADE, and most whitelisting, completely fails, as again they are not stopping the root cause ... the vulnerability being exploited for code execution. And when I say code execution I mean the malicious code that is executed through a buffer overflow, in this video within Adobe, and that code is executing WITHIN the Adobe process itself. Not to mention the malicious code, executing within Adobe itself from the buffer overflow, could not only not write out a malware.exe to disk to execute but simply kill the BLADE code itself and then write out a malware.exe and execute it from disk JUST AS NORMAL. Again, the point is that in all of these protection technologies you must prevent the root cause of what allows malicious code, whether malware or the exploit code itself within a valid process, to execute in the first place. [Stop reading here if you don't want to hear my vendor angle] It should be shamelessly noted that my company's Blink product does exactly that in stopping the root cause of why systems are compromised - exploits against software vulnerabilities - stopping the execution of malicious code from the very start vs. reactively trying to remove malware after the fact (anti-virus) or selectively trying to disallow execution of malware executables after the fact (BLADE).
The great part is that we offer this better way of protecting a system without having to create complex rules as you would with BLADE, where you would have to create *exceptions* for *valid* executables, such as Adobe; but neither the lack of this technology working against any level of sophistication nor the eventual realities of how you manage it across thousands of systems are put forth in this video. Which reminds me once again why I start every speaking engagement at conferences by saying I truly feel for folks working in IT, as they have a mountain of security problems to solve with people around every corner saying they have the solution, and IT is typically never supported by management with the time, resources, or education to be able to cut through the clutter and know what might actually truly help them. It does make me proud, though, watching folks on NTSYSADMIN become more aware and cautious over the years; it is a good thing. Anyone who has followed me on this list knows that to me selling products is always secondary to educating IT people. Not simply because it is a passion I have, but because I believe if you cannot establish a rapport as being a trusted advisor with the IT community you will never show them why your technology cuts through the clutter to actually help them in their day-to-day dealings. We do this monthly in our Vulnerability Expert Forum, which, if you are not already familiar with it, is happening tomorrow (http://www.eeye.com/vef). Please note I will not be hosting this VEF as I normally do, as I am going to be out speaking at a conference. Two of my researchers, however, the smart guys, will be rocking it and answering *any* questions you have.
-Marc

Signed,
Marc Maiffret
Co-Founder/CTO
eEye Digital Security
Web: http://www.eeye.com
Blog: http://blog.eeye.com
VEF: http://www.eeye.com/vef
Twitter: http://www.twitter.com/marcmaiffret

-----Original Message-----
From: Roger Wright [mailto:[email protected]]
Sent: Tuesday, October 12, 2010 6:49 AM
To: NT System Admin Issues
Subject: Re: Possibly interesting security tool

I like the concept and the YouTube Video (http://www.youtube.com/watch?v=9emHejh8hWE) looks convincing, but... "foolproof"? I doubt it...

Roger Wright

On Tue, Oct 12, 2010 at 4:55 AM, James Rankin <[email protected]> wrote:
http://www.net-security.org/secworld.php?id=9976
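The coverage gap Marc describes above (a file/process hooking rule only fires when the exploited reader writes an executable and launches it, and sees nothing when the payload stays in memory) can be made concrete with a small correlation rule over endpoint telemetry. The following is an added example written for this thread, not BLADE's or eEye's code; the event records are constructed Sysmon-like samples, the READER_IMAGES set and the 300-second window are assumed choices, and the paths and address are made up.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed set of "document reader" images whose drop-then-launch behaviour a
# hooking-style rule would watch (a constructed choice, not any product's list).
READER_IMAGES = {"acrord32.exe", "winword.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


@dataclass
class Event:
    ts: int                        # seconds since boot (constructed)
    kind: str                      # "file_write", "process_create" or "network_connect"
    image: str                     # acting process, or the new child for process_create
    target: str                    # file path written, or remote address
    parent: Optional[str] = None   # process_create only: the parent image


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any host)."""
    return ntpath.basename(path).lower()


def detect_drop_and_launch(events: List[Event], window: int = 300) -> List[str]:
    """Flag each case where a reader process wrote an executable and then
    launched that same file within `window` seconds."""
    alerts: List[str] = []
    recent_writes: Dict[Tuple[str, str], int] = {}   # (reader name, file path) -> write time
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_write" and _name(ev.image) in READER_IMAGES \
                and ev.target.lower().endswith(EXECUTABLE_SUFFIXES):
            recent_writes[(_name(ev.image), ev.target.lower())] = ev.ts
        elif ev.kind == "process_create" and ev.parent \
                and _name(ev.parent) in READER_IMAGES:
            wrote_at = recent_writes.get((_name(ev.parent), ev.image.lower()))
            if wrote_at is not None and ev.ts - wrote_at <= window:
                alerts.append(f"{_name(ev.parent)} wrote and launched "
                              f"{ev.image} ({ev.ts - wrote_at}s apart)")
    return alerts


READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"
DROPPED = r"C:\Users\u\AppData\Local\Temp\update.exe"

# Constructed timeline 1: the reader drops an executable and runs it.
DROP_AND_RUN = [
    Event(100, "process_create", READER, "", parent=r"C:\Windows\explorer.exe"),
    Event(130, "file_write", READER, DROPPED),
    Event(131, "process_create", DROPPED, "", parent=READER),
]

# Constructed timeline 2: the reader keeps working in memory and only talks out
# over the network; no executable is written, so the rule has nothing to match.
IN_MEMORY_ONLY = [
    Event(100, "process_create", READER, "", parent=r"C:\Windows\explorer.exe"),
    Event(130, "file_write", READER, r"C:\Users\u\AppData\Local\Temp\A9R1.tmp"),
    Event(140, "network_connect", READER, "203.0.113.10:443"),
]

if __name__ == "__main__":
    print(detect_drop_and_launch(DROP_AND_RUN))    # one alert
    print(detect_drop_and_launch(IN_MEMORY_ONLY))  # []
```

The first timeline produces one alert, the second none, which is exactly the boundary the post is pointing at: a rule keyed on "wrote a file, then ran it" is blind to activity that never touches disk. In practice that argues for pairing such a rule with telemetry that catches the compromised reader's own behaviour (unexpected outbound connections, unusual child processes) and, as the post says, with controls that stop the exploit in the first place.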
