Posts Tagged ‘Vulnerability’

Lost productivity rather than attacks the real risk from ATL Issues

Thursday, July 30th, 2009

by Peter Tippett and David Kennedy

The acetaminophen and antacid consumption in enterprise IT staffs is likely on the increase due to the recent release of two Security Bulletins by Microsoft, one for Internet Explorer and one for Visual Studio. This security problem has the potential to be both far-reaching and subtle in nature. We would like to offer a dose of reason in the hope that your stress-induced ailments will at least be caused by wrestling with the real problem. The biggest risk from these announcements is not attacks; it is the productivity lost in dealing with the scope of, and confusion around, the ATL issue.

To be clear, we do expect attacks, but we do not believe they will be novel or pervasive. We have seen hundreds of browser vulnerabilities over the years, and the pattern of successful exploits is well understood: such attacks mainly result in home-user machines being absorbed into large-scale botnets. Our series of Data Breach Investigations Reports, covering nearly 600 breaches studied over five years, consistently finds that browser vulnerabilities rarely contribute (even incidentally) to significant enterprise data breaches.

(more…)

Just do it – MS09-034: Elegant Security Buttress for Internet Explorer

Wednesday, July 29th, 2009

The Microsoft Active Template Library (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way their developers may not have realized. Internet Explorer is not the only program that hosts COM objects, but it is the most likely primary attack vector for criminals exploiting vulnerable programs via ActiveX controls, as with the current criminal activity using the Microsoft Video Control that was recently the subject of MS09-032.

MS09-034 includes two significant new features, both intended to harden IE so that it can protect users from exploitation of vulnerable controls.

(more…)

ATL/ActiveX issues are not the end of the World

Tuesday, July 28th, 2009

Executive Summary

Security-related issues exist in some of the programs written using the Microsoft Active Template Library (ATL) that could allow code execution by browsing to a web site under criminal control. If a programmer created a code object using the ATL, the final product could potentially have an exploitable vulnerability. We say “potentially” because, at this time, no systematic attack is known to exist. However, many popular programs used in conjunction with Internet Explorer (IE) are vulnerable, and at least three discrete ActiveX controls are currently being exploited to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using Group Policy Objects (GPOs) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known-good, or patched, controls.

Update 2009-07-29: The reader’s attention is invited to additional information immediately above the tags in the full article.

(more…)

Antivirus vs. egress firewall

Tuesday, February 3rd, 2009

In a recent blog post at ZDNet, Jason O’Grady mentioned the benefits of running an application that monitors outgoing (egress) traffic on your Mac. OS X malcode has been in the news lately, with Trojaned versions of iWork and Photoshop CS4 appearing on the BitTorrent network, and Jason offers Little Snitch (an egress firewall application) as “one way to keep tabs on software that likes to call home” (such as a Trojan).

As our recent series on Mac AV suggests, I don’t run antivirus software on my OS X client systems. However, I do run Little Snitch. We neglected to mention egress firewalls as a worthwhile addition to good OS X configurations in that series, and would like to take the opportunity to do so here.

(more…)

What are we on the lookout for?

Wednesday, January 7th, 2009

A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.

(more…)

Antivirus on OS X: Total cost of ownership

Tuesday, December 23rd, 2008

by Peter Tippett and Kevin Long

This is Part III of a three-part series on OS X security. Please read Part I and Part II if you haven’t already.

If you ran Amtrak, would you install a missile defense system on your trains? Trains are certainly vulnerable to missile attack, and the cost of such an attack would be devastating. Luckily, trains are not commonly subjected to missile attack, so the cost of implementing such a defense is not justified.

Is the protection afforded by antivirus software (AV) worth the cost? First we’ll estimate the cost, then we’ll discuss the protection AV affords.

(more…)

Antivirus on OS X: The risk equation

Monday, December 22nd, 2008

by Peter Tippett and Kevin Long

This is Part II of a three-part series on OS X security. Please read Part I if you haven’t already.

Before we go further, a review of the Verizon Business RISK Team’s risk equation is in order. Risk is traditionally thought of as the product Likelihood * Impact (Cost). In the world of computers, Likelihood is itself the product of Threat, the frequency of attempts at an attack, and Vulnerability, the likelihood that an attempted attack succeeds given all countermeasures already in place. Thus, Risk = Threat * Vulnerability * Impact.

For the purposes of this discussion, Impact is consistent across platforms, so Threat and Vulnerability are the factors that will be addressed.

The threat of attacks against OS X systems has traditionally been significantly lower than that against Windows systems. When OS X was introduced in 2001, reasons cited for that could have included the following: (more…)

Antivirus on OS X: Is it time?

Friday, December 19th, 2008

by Peter Tippett and Kevin Long

What’s a Mac user to do? Depending on where (and when) you looked, during December you’ve been offered the following advice when it comes to having security software on your system:

  • If you listened to Apple on December 1, you should be running multiple antivirus applications.
  • If you listened to a maker of antivirus software, you should be running their respective antivirus application.
  • If you listened to various bloggers and columnists, you’ve certainly not heard a consistent message.
  • If you listen to Apple today, they’re suggesting that Leopard is protected against malicious code “right out of the box.”

Despite the existence of several notable posts already written about this topic, this month’s chatter provides an opportunity to share the reasons we recommend against running antivirus software on Macs (in most situations).

(more…)