In the article, “New exploit technique nullifies major Windows defense,” some researchers worry that a proof-of-concept code published by Google security software engineer, Berend-Jan Wever, could actually lead to more successful attacks against Microsoft’s newer operating systems.

While Wever claims the proof-of-concept doesn’t do any harm because it’s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, MicroTrend’s Ria Rivera wrote in the company’s malware blog that the exposure could be used to further enhance exploits, and expects to see it used within exploits soon.

“After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”

With so many data compromises arising from the latest disclosed vulnerability it seems so clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place whether these applications were added by a user or by malicious code exploiting a security hole.

We are familiar with the above statement. We all know that security compliance may increase security, but not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, common criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks causing over $100 million in cleanup costs.

A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.

Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today’s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive. Application whitelisting is the proactive solution against today’s threats and must become the cornerstone of any security strategy.

Security patches cripple Windows XP computers

Windows customers were up in arms over a Microsoft security patch that left their PCs locked down with the notorious Blue Screen of Death. This was yet another glaring example of the problems organizations experience when rolling out patches quickly.

In a follow-up article to Microsoft’s patching problems, evidence suggested that a rootkit infection was behind problems Windows users experienced after installing several security updates. According to the computer expert who discovered the infection:

“This particular rootkit can be very difficult to detect. Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads.”

Zeus Trojan found on 74,000 PCs in global botnet

It was reported that over 74,000 computers at nearly 2,500 organizations around the world were compromised over the past year and a half in a botnet infestation designed to steal login credentials to bank sites, social networks and email systems. While Operation Aurora had its own success with popular networks internationally, the number of corporate and government systems infected paled in comparison to the Zeus Trojan.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures and Juniper Networks were among the targets in the attack.

To make matters worse, a competing crimeware toolkit called SpyEye is waging a turf war against the mighty Zeus bot. For $500, aspiring rival cybercriminals can use the tool to uninstall Zeus from an infected system and keep SpyEye running on the system to steal credit cards and email accounts. Talk about cyber gang warfare.

Malicious PDF files comprised 80% of all exploits in 2009

In the often-seen case where hackers gravitate to the most popular Internet applications, it was reported that rogue PDFs accounted for 80% of all exploits by the end of 2009. And much like other leading technology companies, Adobe continues to patch several critical vulnerabilities in Adobe Reader and Adobe Acrobat for Windows, Mac and Linux.

Google teams up with NSA to fight cybercrime

As a result of Operation Aurora, The Washington Post reported that Google has teamed up with the National Security Agency (NSA) to help the Internet research firm defend itself and its users from future attacks. The Director of National Intelligence call the Google attacks a “wake-up call,” and that cyberspace cannot be protected without a “collaborative effort that incorporates both the U.S. private sector and our international partners.”

Unfortunately, what we are continuing to see in early 2010 is that patching and other traditional antivirus software are failing to adequately defend our systems. In fact, if anything they appear to be causing more problems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from executing in the first place. This is where a solution such as application whitelisting can defend even flawed networks from running malware within their operation systems. If it’s not an authorized application, it does not run in the system. It’s that simple.

As always, I thank you for stopping by to read this blog. I hope it continues to bring to light some of the important issues we all face as security professionals. Come back soon.

The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide.

Industry works closely with the government to advance the ‘state of the possible’ in cyber defense. As a former CIO and military systems analyst, I have witnessed several generational cycles of defensive technology developments in the cyber arena. In the mid-90s, for example, system administrators configured firewalls (from standard computer systems) by hand, and reviewed log files (either manually or through then-clever application of scripts) to detect, characterize, assess, and potentially contain cyber intrusions. Today, automated intrusion prevention systems are available as commercial-off-the-shelf (COTS) products, integrated with firewalls and incident management solutions to allow very rapid detection and blocking of cyber attacks. This is just one example of how industry has worked closely with the government to deliver significant advances in cyber defense technologies.

Unfortunately, our cyber adversaries today have proven relentless and highly flexible in their endless pursuit of effective attacks (for an entertaining perspective on the topic, please read Toney Jenning’s “Caddyshack & The Defense of Cyberspace: No More “Wack-a-Mole”” post on GlobalSCAPE’s blog site). Those of us in the information security industry understand that the next major terrorist strike very well may come from the cyber domain or, at a minimum, include cyber attacks as part of a broader operation. From a traditional national security perspective, it is a near certainty that future adversaries will continue to develop their cyber attack capabilities. Such asymmetric warfare capabilities are increasingly attractive, given the overwhelming superiority of US forces in conventional, force-on-force combat.

As a result, GlobalSCAPE, our partners and many others in the industry are working tirelessly to deliver next-generation cyber defense capabilities and stay one step ahead of our adversaries. Our continued development in this area is a national imperative. We are excited by the prospects for transformational solutions like application whitelisting to allow more assured defense of the cyber frontier. We’ll be addressing a variety of cyber defense topics in future posts. Stay tuned!

As I mentioned in last week’s entry, “Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching,” relying on antivirus defenses to protect endpoints ties organizations to fire drill software patching. Reactive software application patching will never provide the level of protection today’s companies need to adequately protect their networks against harmful malware. As Mr. Westervelt goes on to write:

Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits.

What these recent stories point out is that malware infections on these devices only highlights the fact that existing desktop security isn’t working properly. Why else are these companies regularly patching? The desktop security paradigm of antivirus and patching simply isn’t working.

Unfortunately, what we’re seeing is that patching itself is also causing problems with their systems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from deploying in the first place than aimlessly reacting to cyber criminals exploiting the known and unknown vulnerabilities within their network. Playing catch up with more patches is not only a losing proposition for IT security professionals, it seems to be compounding the problem.