Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT

Transcription

1 Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT TESTED PRODUCTS: AVG Internet Security Network Edition v8.0 Kaspersky Total Space Security v6.0 McAfee Total Protection for Endpoint Sophos Endpoint Security and Control v8.0 Symantec Endpoint Protection MR2 Trend Micro Officescan 8.0 SP1 R3 DECEMBER 20, 2008

2 Published by NSS Labs NSS Labs CONTACT: 5115 Avenida Encinas Suite H Carlsbad, CA Tel: info@nsslabs.com Internet: All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this Report is conditioned on the following: 1. The information in this Report is subject to change by NSS Labs without notice. 2. The information in this Report is believed by NSS Labs to be accurate and reliable, but is not guaranteed. All use of and reliance on this Report are at your sole risk. NSS Labs is not liable or responsible for any damages, losses or expenses arising from any error or omission in this Report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY THE NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption. 5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report. For PCI-related reports, this does not constitute an endorsement by the PCI Security Standards Council. 6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or NSS Labs is implied, nor should it be inferred NSS Labs, Inc.

3 CONTENTS 1 Introduction Affected systems Microsoft Response Test Relevance Results Security Effectiveness Memory Utilization Post-Exploit Partial Exploit Code NSS Labs Recommendations The Products Under Test Products tested Settings Used Endpoint Protection Test Environment Client Host Description Network Description NSS Labs, Inc.

4 1 INTRODUCTION On December 10, 2008 Microsoft published Microsoft Security Advisory (961051), detailing a vulnerability in Internet Explorer that could allow arbitrary Remote Code Execution. This vulnerability in IE5, IE6, IE7 and IE8 Beta allows an attacker to take complete control of an affected system. Active exploits have been seen in the wild. There are two known variants: an Active X variant, and a Javascript variant. Users with vulnerable versions of Internet Explorer are at high risk of being exploited if they visit a website hosting the exploit code. Sources indicated over 10,000 web sites are hosting these exploits, and potentially even more variants of malware. Based on the potential impact as well as concerns from a number of enterprises, NSS Labs conducted a series of tests of popular endpoint protection products to evaluate their ability to protect clients from exploits targeting the IE vulnerability. 1.1 AFFECTED SYSTEMS Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable MICROSOFT RESPONSE Microsoft has reacted extremely quickly and by providing a patch within 7 days of the vulnerability being disclosed. At the time of testing, Dec 18, 2008, Microsoft had just released a patch. For those unable to update immediately, Microsoft offers some mitigating steps at: TEST RELEVANCE Internet Explorer is the most popular web browser on the planet, owning the lion s share of the market. This increases the importance of this vulnerability and the potential reach of exploits. Most Enterprises have change control procedures governing patching of systems. As a result, the adoption rate of this patch will likely occur over an extended period of time. Therefore, Endpoint Protection products will be relied upon heavily during the period of exposure to this vulnerability NSS Labs, Inc. p. 1

5 2 RESULTS During the week of December 15, NSS Labs performed a focused test of popular Endpoint Protection products to evaluate the protection offered against this exploit. This section provides a quick overview of the test results collected during live testing conducted through Thursday, December 18 th SECURITY EFFECTIVENESS All of the products tested were classified as Enterprise class Endpoint Protection by the vendor, meaning they had both Client Host Intrusion Prevention (HIPS) and anti-malware components. In addition, they also all included a reputation-based component meaning they block and warn users about malicious web-sites in order to prevent them from downloading malware. Each vendors system works differently, but they generally rely on collective intelligence and back-end analysis of specific URLs and files to supplement the local signatures and heuristics. This was first and foremost a test of intrusion prevention, and not anti-malware, capabilities. Our goal was to clearly identify the protective layers within the products to combat the exploits against IE. In this scenario there are two distinct attacks against the IE vulnerability. Exploits could deliver any number of different malicious payloads to be executed. Preventing either the URL from being accessed or the exploit from executing would be the ideal solution. To do this properly, an in-line intrusion prevention system must be able to prevent the requested web page from reaching the web browser before it can be analyzed and declared safe. For a more complete discussion of exploits and drive-by downloads, refer to the article on NSS Labs website: Test AVG Kaspersky McAfee Sophos Symantec Trend 1. Block URL Access Blocked & Warned Warned but did not block properly 2. Block Exploit Blocked Exploit Blocked but called it malware (mislabel) 3. Malware Detection N/A N/A Quarantined Malware Quarantined the first but Unable to Quarantine the second NSS Labs, Inc. p. 2

6 Our investigation showed that most products are looking for so-called Drive-by downloads and focusing on detecting the malware downloaded in step 3, thereby missing the opportunity to prevent the initial exploit from occurring. Preventing the exploit would eliminate the necessity to research and detect multiple variants of malware. Kaspersky Antivirus (part of Total Space Security) was the only product we tested, which effectively blocked the exploit using its reputation-based system, The product apparently has a blocking function that delays display of a website until after the URL has been verified. Total Space Security was also the only product to block the javascript exploit and classify it correctly. Sophos Endpoint Security and Control correctly identified the website as malicious, however it did not prevent the javascript exploit from running. This was a puzzle until we realized that their Reputation-based product is not does not block access to the URL while it is looking up the reputation. Thus, Sophos reputation solution is akin to Intrusion Detection, and not Intrusion Prevention. The approach is not effective where the browser itself is being exploited since the Reputation system is in a race with the web browser, and the browser is nearly always going to win. Both Symantec and Trend were able to identify the malware that was included in the payload of the exploit, but failed to prevent the exploit itself from running. Symantec was able to accurately identify and quarantine the malware. Trend was able to accurately identify the malware, but unable to quarantine one of the two pieces of malware inserted into our test system by the exploit. 2.2 MEMORY UTILIZATION POST-EXPLOIT Average normal memory utilization of Internet Explorer ranges between 21 and 40MB depending on a range of factors (e.g. operating system, plugins and number of open windows). Successfully exploited browsers consume more than 230MB, as shown in the example here. Note, that different systems and endpoint protection products react differently to the exploit. In some cases the browser closed or crashed, while in others it continued to operate NSS Labs, Inc. p. 3

7 2.3 PARTIAL EXPLOIT CODE In this case, an attack against the data binding engine which delivered a keylogger. 3 NSS LABS RECOMMENDATIONS Due to the lack of protection provided by Endpoint Protection products, NSS recommends that all companies patch immediately. Also, a Network IPS product with current signatures for the vulnerability will provide an additional layer of protection. Most companies have already scheduled maintenance for updates and patches over the next week due to the upcoming holidays and end of year cycles. Even those companies that have not had time to run the patch through a full testing regime, should consider patching due to the severity of the vulnerability. It is NSS Labs opinion that the risk of being exploited outweighs the risk of patching without full testing. NSS Labs plans to test network IPS products as well as retest endpoint products for IE exploit protection in the near future. For further information please check our website ( or contact us to schedule a briefing at NSS Labs, Inc. p. 4

8 4 THE PRODUCTS UNDER TEST The Endpoint Protection products were downloaded from the vendors sites. All products were updated immediately prior to testing in order to provide the latest protection. 4.1 PRODUCTS TESTED Product & Version Engine & Signatures AVG Internet Security Network Edition v8.0 v Virus DB: /1855 Kaspersky Total Space Security v6.0 12/18/ :21:56am McAfee Total Protection for Endpoint Host Intrusion Prevention 7.0 HIPS: 2373 VirusScan Enterprise 8.5i Scan Engine Ver SiteAdvisor Enterprise 1.5 DAT: BOAP DAT: 354 Sophos Endpoint Security and Control v8.0 Anti-virus 7.6 SAV v Client Firewall v1.53 Threat Detection data: 4.37E Symantec Endpoint Protection MR2 AVAS: Dec 17, 2008 r50 Proactive: Dec 17, 2008 r19 Network: Dec 12, 2008 r1 Trend Micro Officescan 8.0 SP1 R3 VSE: VP: SETTINGS USED Where possible, we tested with the most aggressive settings. While vendors may have advanced in-the-cloud technologies, they are often deployed in their home-user products before rolling them into corporate offerings. Also, some (like Trend) offer a separate application as an add-on. Note: This testing represents a point in time, and it is quite feasible (and desirable) for vendors to add protection depending on their implementations - some quicker than others NSS Labs, Inc. p. 5

9 5 ENDPOINT PROTECTION TEST ENVIRONMENT ABOUT THIS TEST The NSS Labs test reports are designed to address the challenges faced by IT professionals in selecting security products. This NSS Labs report provides readers with empirically validated evidence about a product s features and capabilities. NSS Labs tests host anti-malware and endpoint protection products against a comprehensive methodology including: Security Effectiveness (Anti-malware and Intrusion Prevention) Management and Usability Performance The scope of this test was limited to on-access protection of the browser application while surfing to live sites on the internet which had been infected. Client machines accessed live exploits hosted on malicious web sites on the internet and were tested simultaneously. Availability of the malicious sites was validated before, during and after the test to ensure validity of the sample set. 5.1 CLIENT HOST DESCRIPTION The Systems Under Test were installed on the following Operating System and service pack. Windows XP, SP3 Internet Explorer 7 (without the Security Update released by Microsoft on 12/17) HARDWARE: DELL SC440 Two 3.0 GHz processors 2 GB RAM NSS Labs, Inc. p. 6

10 5.2 NETWORK DESCRIPTION The endpoint protection product was tested in a live environment, connected directly to the internet. The host system has one network interface card (NIC) and is connected to the network via a 1Ge switch port. The NSS Labs test network is a multi-gigabit infrastructure based around Cisco Catalyst 6500-series switches (with both fiber and copper Gigabit interfaces) NSS Labs, Inc. p. 7