Recent attacks and a false sense of security
With the most recent ActiveX vulnerability (CVE-2009-1136) still very fresh and the attacks still evolving out there, reactive protection mechanisms need to update for such exploits rapidly, and as the exploit is quite easy to modify and obfuscate, they have their work cut out for them.
Still, some out there might get lulled into feeling safe and above all of this, e.g.:
- IPS (or IDS) users might feel their device will protect them. Let's see: will it protect you if the (hacked) website your user visits is of the https kind? I'd not be convinced at all.
 Yet the link to a Fortinet advisory sent in by Juha-Matti states: "Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability"
 Hmm. Do get that killbit set nonetheless; it'll help much more fundamentally.
- The same goes for other IDS/IPS vendors and most likely for AV vendors as well. Let's not forget there is a Metasploit module for this, and most of the signature makers I've talked to consider it too hard to make a signature for all possible exploits from Metasploit.
- Then there are those of us who simply don't use Windows and/or IE and are hardly surprised ActiveX once again is an attack vector cutting deep. But let's not forget other browsers have their vulnerabilities too. A popular exploit site e.g. mentions a new Firefox Memory Corruption Vulnerability, and Secunia seems to be confirming it as well (thanks for the anonymous reports).
So what would I do in a corporate setting?
- Get the killbit set ASAP
- Provide staff up front with a choice of 2 browsers, make sure they know they have a choice (and keep both up to date). This yields diversity, which is a good thing. Most importantly, be ready to forbid and technically block either one as you need to keep them safe should it get out of control anyway. Such a measure can be part of your BCP/DRP.
- Make sure nobody sees this as a reason not to have things like AV and IDS, as they will catch some of it, maybe enough, but even more so because too often the AV on a desktop is the only line of defense (e.g. with encrypted traffic).
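Setting the killbit, for those who have not done it before, is a registry change: under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, a key named after the control's CLSID gets a REG_DWORD "Compatibility Flags" with bit 0x400 set, and IE will then refuse to instantiate that control no matter where it is loaded from (Microsoft documents this in KB 240797). The script below is an added example, not from this diary or from Microsoft: it ORs the bit into any flags already present rather than overwriting them, and reads the value back so you can verify the change. The CLSID in it is a placeholder; the real CLSIDs for the affected control come from the vendor advisory.

```powershell
# Added example: set and verify the IE killbit for an ActiveX control.
# Mechanism per Microsoft KB 240797. The CLSID below is a PLACEHOLDER (assumption);
# substitute each CLSID listed in the advisory for the control you are blocking.
# Must run elevated, since it writes under HKLM.

$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($null -eq $existing) { 0 } else { [int]$existing }
    # OR the killbit in so any other compatibility flags already set are preserved
    $newFlags = $flags -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

function Test-KillBit {
    # Returns $true only if the key exists and bit 0x400 is set in Compatibility Flags
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $value = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $value) -and (([int]$value -band $KillBitFlag) -ne 0)
}

# Placeholder CLSID (assumption): replace with the CLSIDs from the advisory.
$targets = @('{00000000-0000-0000-0000-000000000000}')
foreach ($clsid in $targets) {
    Set-KillBit -Clsid $clsid
    '{0} killbit set: {1}' -f $clsid, (Test-KillBit -Clsid $clsid)
}
```

Two things worth checking after running it: on 64-bit Windows the 32-bit IE reads the same path under HKLM\SOFTWARE\Wow6432Node, so set both; and the killbit only stops IE (and other hosts that honour it) from loading the control, so it is a stop-gap until the vendor's fix is deployed, not a replacement for it.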
--
Swa Frantzen -- Section 66
Comments
I have noticed most exploits now come through https for exactly this reason. A redirect from a standard http website will point to a https server that contains the actual malware. Most IPSes will fail to detect anything unless they are inspecting inside SSL.
Jason
Jul 14th 2009
1 decade ago
Stephane
Jul 14th 2009
1 decade ago
@Stephane: the key is to have that method to enforce the switch if and when you feel it is warranted/needed.
The unpredictable nature also helps in not getting caught and losing it all. Would you rather have half of your users infected twice as often or all of them less often?
Since it's a client (not a server) it's only exposed when used so somebody never using the other browser doesn't really double the attack surface to that user.
There are dozens of ways to block a given browser ranging from simply asking the users to enforcing it via custom signatures in AV, global policies, proxies that refuse service and many more.
Swa
Jul 14th 2009
1 decade ago
Jon
Jul 14th 2009
1 decade ago
Mozilla Firefox Memory Corruption Vulnerability
http://secunia.com/advisories/35798/3
Karl
Jul 14th 2009
1 decade ago
dsh
Jul 14th 2009
1 decade ago
Scott
Jul 14th 2009
1 decade ago