Dailydave mailing list archives
We got owned by the Chinese and didn't even get a "lessons learned"
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 24 May 2006 07:42:27 -0400
I was talking to an anonymous source yesterday at a large government organization, and he related to me this story about how although they got a heads up on the Word 0day, they can't do anything about it. They're not allowed to block Word documents at the perimeter, so they're basically helpless.

The solution here might be some sort of really really good IPS that can parse .doc perfectly and normalize it, but of course nothing of that kind exists. Another solution might be some sort of PaX on every workstation, but this solution is essentially waiting for Vista deployment. Most modern Anti-Virus has some basic overflow protection in it, so maybe that would help, except that by nature these Word 0day attacks are targeted, which means they can spend the ten thousand dollars to bypass all the popular HIDS. A more drastic solution is to take every .doc going through the mail gateway and convert it to ODF, which is probably a good idea anyways just to save bandwidth.

Most of what I've seen published is people saying that you are safe with their product because they either:

* prevent buffer overflows generically, which is clearly not true against a targeted attacker with today's technology (if it's a heap overflow, then maybe a good place to overwrite with your Write4 is the "isScriptingAllowed" variable?). It's only true against some random sample someone collected, but that's not the attack as it is used today.

* prevent the W32.backdoor.whatever from running or connecting outbound, which requires that the attacker not use a known trojan or listening post (a five minute change)

So essentially, the only part of network security that protected you against this was a human component. Some random dude got suspicious and picked it up. Perhaps this was the thousandth time it was used. It certainly wasn't the first.

Protecting networks against worms is a valuable thing. But it's not security, and I think events like this are a wake up call to what the technology you've deployed actually can do.

-dave
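The perimeter block on Word documents that the post says the organization was not allowed to deploy, as an added example (this is not code from the original post, from Dave Aitel or from Immunity): a Python mail-gateway check that identifies binary Word attachments by the OLE2 compound-file header in the first eight bytes rather than by the filename extension, so a .doc renamed to .txt and labelled text/plain is still caught. The message, filenames, addresses and payloads are constructed stand-ins; the OLE2 header is shared by .xls, .ppt and other compound files, so this rule is coarser than "Word only", and ZIP-based formats such as .docx would need a separate check.

```python
import email
from email import policy
from email.message import EmailMessage

# Header of an OLE2 / Compound File Binary container (binary .doc, .xls, .ppt, ...).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions a naive attachment filter would block (assumed policy for the example).
BLOCKED_EXTENSIONS = (".doc", ".dot")


def extension_is_blocked(filename: str) -> bool:
    """Extension-only rule: what a simple gateway attachment filter does."""
    name = (filename or "").lower()
    return name.endswith(BLOCKED_EXTENSIONS)


def content_is_ole2(payload: bytes) -> bool:
    """Content rule: the first 8 bytes identify a compound document
    regardless of the filename or the declared Content-Type."""
    return payload[: len(OLE2_MAGIC)] == OLE2_MAGIC


def scan_message(raw: bytes) -> list:
    """Return one verdict per attachment of a raw RFC 822 message.
    The attachment is quarantined if either rule fires; both flags are
    kept so the caller can see which rule actually caught it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_ext = extension_is_blocked(filename)
        by_content = content_is_ole2(payload)
        verdicts.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "by_extension": by_ext,
            "by_content": by_content,
            "verdict": "quarantine" if (by_ext or by_content) else "pass",
        })
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message, not a real capture: one honestly named .doc,
    one OLE2 blob renamed .txt and labelled text/plain, and one real text file."""
    # Stand-in for a Word binary: correct header, zero-filled body. Not a real document.
    fake_doc = OLE2_MAGIC + b"\x00" * 504
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Q2 report"
    msg.set_content("See attached.")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="report.doc")
    # Same bytes, disguised: extension and MIME type both claim plain text.
    msg.add_attachment(fake_doc, maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"plain text only\n", maintype="text", subtype="plain",
                       filename="readme.txt")
    return msg.as_bytes()


def scan_sample() -> dict:
    """Scan the constructed message and key the verdicts by filename."""
    return {v["filename"]: v for v in scan_message(build_sample_message())}


if __name__ == "__main__":
    for v in scan_sample().values():
        print(f"{v['filename']:12} {v['content_type']:18} "
              f"ext={v['by_extension']!s:5} ole2={v['by_content']!s:5} -> {v['verdict']}")
```

Running it shows report.doc caught by both rules, notes.txt caught only by the content rule, and readme.txt passed. The content rule is what makes the block meaningful against a sender who controls the filename and MIME type; it says nothing about whether the document is malicious, which is exactly the gap the post describes.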
Current thread:
- We got owned by the Chinese and didn't even get a "lessons learned" Dave Aitel (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" val smith (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" mark (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Martin Johns (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Etaoin Shrdlu (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Andrew Simmons (May 24)