Software Exploits Running Wild

Moving assuredly, if not swiftly, through <a href="http://www.counterhack.net/who_am_i_.html">Ed Skoudis's</a> "Most Dangerous Attack Vectors" list brings us to third-party client-side software exploits. Translated to English, attackers exploit all those programs that make your life easier (Word, Excel, PowerPoint) or make your computing experience more fun (iTunes, RealPlayer, QuickTime). Any third-party software running on top of Windows or Mac operating systems, especially document viewing tools like Adobe Reader, is vulnerable to this kind of attack. Additionally, attackers often launch these exploits on the same day the vulnerability becomes generally known--before a vendor has released a patch.

It's important to give a realistic example of how these work, so in my interview with Skoudis, I asked him to map out an attack on iTunes from start to finish. The end user surfs to a Web site, any place an attacker can post content. If the user clicks on a malicious link associated with said site, the link causes the browser to launch iTunes, making it fetch something. The iTunes software will think it is fetching a song list or song, but in actuality the attacker has set things up so that the response back to iTunes exploits a buffer overflow or other error in iTunes. The attack finally causes iTunes to run the malicious code. "When the attacker's code runs, it then pulls down backdoor software or a bot, so the attacker can have long-term control of the victim machine," Skoudis writes.
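The chain Skoudis describes has a visible footprint on the endpoint: a browser process spawning a third-party client (iTunes, a PDF reader, an Office application) with a URL on its command line. The following is an added example, not code from the article or from Skoudis, that scans constructed process-creation log lines for that parent/child/URL pattern. The log format, the process names and the URL schemes it looks for are assumptions made for the example; the 203.0.113.0/24 addresses are documentation-range placeholders.

```python
"""
Flag process-creation events where a web browser launches a third-party
client application with a URL-like argument (browser -> iTunes -> fetch).
Added example with constructed input; log format and process names are assumed.
"""
import re
import shlex
from dataclasses import dataclass

# Assumed process names for the browsers and client apps named in the article.
BROWSERS = {"firefox.exe", "iexplore.exe", "safari.exe", "chrome.exe"}
CLIENT_APPS = {
    "itunes.exe", "realplay.exe", "quicktimeplayer.exe",
    "acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe",
}

# Schemes a browser may hand off to a client app; itms:// is iTunes' own scheme.
URL_RE = re.compile(r"(?:https?|itms|itpc|rtsp)://\S+", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    child: str
    url: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value key="quoted value"' log line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def flag_event(fields: dict):
    """Return a Finding when a browser spawned a client app with a URL argument."""
    parent = fields.get("parent", "").lower()
    child = fields.get("child", "").lower()
    if parent not in BROWSERS or child not in CLIENT_APPS:
        return None
    match = URL_RE.search(fields.get("cmd", ""))
    if match is None:
        return None
    return Finding(parent, child, match.group(0))


def scan(lines):
    """Run flag_event over every non-empty log line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = flag_event(parse_event(line))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample log: a normal iTunes start from the desktop, the
# browser-launched fetch the article describes, a benign browser child,
# and a browser-launched PDF reader opening a remote document.
SAMPLE_LOG = """\
ts=2009-01-14T10:03:21 parent=explorer.exe child=itunes.exe cmd="iTunes.exe"
ts=2009-01-14T10:05:02 parent=firefox.exe child=itunes.exe cmd="iTunes.exe itms://203.0.113.5/list.xml"
ts=2009-01-14T10:05:40 parent=firefox.exe child=notepad.exe cmd="notepad.exe readme.txt"
ts=2009-01-14T10:07:13 parent=iexplore.exe child=acrord32.exe cmd="AcroRd32.exe http://203.0.113.9/invoice.pdf"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.parent} launched {f.child} with {f.url}")
```

A hit is not proof of compromise, since legitimate links launch these applications in the same way; the value is in pairing the event with what the child process does next (the outbound connection, the file it writes), which is where the backdoor or bot download Skoudis mentions would show up.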

According to Johannes Ullrich, chief research officer for the SANS Institute, attackers target this exploit because third-party software tends to be harder to patch. As a result, the probability of finding a vulnerable host is higher compared to software included with the operating system, which tends to be patched faster.

Combating software exploits isn't as easy as one might hope. Antivirus tends to pick up anywhere from 70 to 95 percent of these attacks, according to Skoudis. "But, with a huge amount of exploits in the wild, even picking up 95 percent is not good enough," he adds. Ullrich notes that antivirus typically does not detect the exploit itself, but rather the malware installed as a result. So what can a user do?

Don't install software you don't need. Patch, patch and patch. If the software comes with an automatic patching tool, enable it. If it doesn't, Ullrich recommends "Secunia PSI," a free tool that catalogs the software on a system and keeps track of when each program needs patching. Be careful about opening attachments. Limit outbound traffic from your host, and keep your antivirus up to date. Limit user privileges. And finally, for the particularly paranoid users: consider using a virtual machine that can periodically revert to a snapshot after accessing sites that may host malicious content.