Dailydave mailing list archives
We got owned by the Chinese and didn't even get a "lessons learned"
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 24 May 2006 07:42:27 -0400
I was talking to an anonymous source yesterday at a large government
organization, and he related to me this story about how although they
got a heads up on the Word 0day, they can't do anything about it.
They're not allowed to block Word documents at the perimeter, so they're
basically helpless. The solution here might be some sort of really
really good IPS that can parse .doc perfectly and normalize it, but of
course nothing of that kind exists. Another solution might be some sort
of PaX on every workstation, but this solution is essentially waiting
for Vista deployment. Most modern Anti-Virus has some basic overflow
protection in it, so maybe that would help, except that by nature these
Word 0day attacks are targeted, which means they can spend the ten
thousand dollars to bypass all the popular HIDS. A more drastic solution
is to take every .doc going through the mail gateway and convert it to
ODF, which is probably a good idea anyways just to save bandwidth.
Most of what I've seen published is people saying that you are safe with
their product because they either:
* prevent buffer overflows generically, which is clearly not true
against a targeted attacker with today's technology (if it's a
heap overflow, then maybe a good place to overwrite with your
Write4 is the "isScriptingAllowed" variable?). It's only true
against some random sample someone collected, but that's not the
attack as it is used today.
* prevent the W32.backdoor.whatever from running or connecting
outbound, which requires that the attacker not use a known trojan
or listening post (a five minute change)
So essentially, the only part of network security that protected you
against this was a human component. Some random dude got suspicious and
picked it up. Perhaps this was the thousandth time it was used. It
certainly wasn't the first.
Protecting networks against worms is a valuable thing. But it's not
security, and I think events like this are a wake-up call to what the
technology you've deployed actually can do.
-dave
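As an added example (not code from Dave Aitel's post or from Immunity), here is the mail-gateway step the post gestures at, in Python: pick out Word documents as they pass the gateway so they can be held for conversion or sandboxing, keyed on the OLE2 container signature rather than the file name, so a .doc renamed to .txt is still caught. It is triage, not the "perfect .doc parser" the post says does not exist. The hold/allow policy, the `example.invalid` addresses and the constructed messages are assumptions for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Content signatures. OLE2 (Compound File Binary) is the container for
# legacy .doc/.xls/.ppt; PK\x03\x04 is the zip container used by OOXML
# (.docx) and by ODF (.odt), the format the post suggests converting to.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"

LEGACY_OFFICE_EXTS = (".doc", ".dot", ".xls", ".ppt")


def detect_container(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage_message(raw: bytes) -> list[dict]:
    """Return one verdict per attachment in a raw RFC 5322 message.

    Policy (an assumption for this example): any OLE2 attachment is held
    for conversion/sandboxing whatever it is called; a name that claims to
    be a legacy Office file but is not OLE2 is also held, since the
    mismatch itself is suspicious. Everything else is allowed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        kind = detect_container(data)
        claims_legacy = name.endswith(LEGACY_OFFICE_EXTS)
        if kind == "ole2":
            action, reason = "hold", "OLE2 content (legacy Office container)"
        elif claims_legacy:
            action, reason = "hold", "legacy Office extension without OLE2 signature"
        else:
            action, reason = "allow", f"{kind} content, no legacy Office signature"
        verdicts.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "detected": kind,
            "action": action,
            "reason": reason,
        })
    return verdicts


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a minimal message carrying one attachment (test fixture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed fixtures: an OLE2 blob renamed to look harmless, and a real text note.
    renamed = build_sample("notes.txt", OLE2_MAGIC + b"\x00" * 504)
    benign = build_sample("notes.txt", b"plain text, nothing to see\n")
    for raw in (renamed, benign):
        for v in triage_message(raw):
            print(v["filename"], v["declared_type"], v["detected"], v["action"], "-", v["reason"])
```

A held message would then go to whatever the site can do with it (convert to ODF, detonate in a sandbox, or route to a human), which is the point of the post: the signature check only decides who looks next, it does not decide the file is safe.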