The Microsoft JPEG Vulnerability and the Six New Content Security Requirements




Table of Contents

OVERVIEW ... 3
1. THE VULNERABILITY DESCRIPTION ... 3
2. NEEDED: A NEW PARADIGM IN CONTENT SECURITY ... 4
3. PRACTICAL EXPLOIT SCENARIOS ... 5
   SCENARIO 1: EMAIL ATTACHMENT ... 5
   SCENARIO 2: IMAGE ON A WEB PAGE ... 5
   SCENARIO 3: EMAIL WITH A LINKED IMAGE ... 6
4. THE THEORETICAL MEGA VIRUS ... 7
5. SITE OWNERS' PROBLEMS ... 8
6. THE SHORTCOMINGS OF EXISTING SOLUTIONS ... 8
7. A NEW APPROACH TO BLENDED SMTP-HTTP ATTACKS ... 9
8. THE SIX NEW CONTENT SECURITY REQUIREMENTS ... 10
CONTACT INFORMATION ... 11

2004 Aladdin Knowledge Systems. All rights reserved 2-11

Overview

In November 2004, a critical Microsoft security vulnerability (MS04-028) was discovered which could allow attackers to embed malicious code inside JPEG image files, the most ubiquitous image format in use. Until that time, JPEG image files were considered immune to attack. The fact that JPEG files can contain malicious code creates a much more serious vulnerability than initially realized. Conventional desktop and email anti-virus solutions have created a false sense of security, particularly since Microsoft has released a patch only for Windows XP, Windows 2003 Server and MS Office. There is no patch available or planned for the Windows 9x, Windows NT and Windows 2000 platforms, although they are still in use.

To deal effectively with this vulnerability, security and IT professionals will need to incorporate six new and critical content security requirements (described in Section 8) into their networks. First, however, we need to look at the nature of this new threat.

1. The Vulnerability Description

The JPEG GDI+ file-processing vulnerability affects most Microsoft platforms and applications (see Microsoft security bulletin MS04-028 at http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx). It allows an attacker to execute malicious code when a vulnerable application is used to view an infected JPEG image. The list of vulnerable applications is very long and includes numerous popular Microsoft applications as well as many applications developed using the Microsoft GDI+ libraries. The malicious code itself could be used to elevate rights, allow remote access, initiate worms, steal information, and download and execute further malicious code from the Internet. Several hacker toolkits exploiting this vulnerability are readily available. These toolkits can be used to create custom-infected JPEG images containing the hackers' choice of malicious code.

At the time of writing, infected images have already spread via chat and newsgroups (http://www.eweek.com/print_article/0,1761,a=136093,00.asp). In a recently discovered attack, the JPEG itself contained small-footprint code which, once executed, connected by FTP to the hacker's servers, downloaded other hacking tools totaling nearly 2MB, and installed a backdoor Trojan as a service. It also installed RadMin, a commercial remote administration application which allows a complete take-over of "owned" machines, as hackers like to call them.

"Once this JPEG overflowed GDI+, it phoned home, connected to an FTP site and downloaded almost 2MB of stuff. It installs a Trojan that installs itself as a service. The Trojan also installs Radmin, a package that allows users to remotely administer a machine across the Internet, running under the name of r_server."

Several factors combine to make this vulnerability especially dangerous:

1. JPEG is probably the most common image file format and can be found in web pages, email attachments, FTP sites, zip files and more.
2. Most Microsoft applications are vulnerable.

3. A new blended-threat attack vector, mixing the HTTP and SMTP protocols, can easily penetrate conventional email anti-virus solutions.
4. Microsoft has released a patch only for Windows XP, Windows 2003 Server and MS Office. There is no patch available or planned for the Windows 9x, Windows NT and Windows 2000 platforms, although they are still in use.

2. Needed: A New Paradigm in Content Security

Until now, all graphic files, including JPEG, were considered safe and were not inspected. This now-incorrect assumption is exacerbated by the fact that many organizations have only two levels of anti-virus defense: desktop anti-virus and email anti-virus. Both of these defenses are completely inadequate against this vulnerability and can allow hackers to easily implant viruses through exploited JPEG files.

Desktop anti-virus limitation

Desktop anti-virus can only see and inspect files written or downloaded to the hard drive. JPEG files, however, are rendered by the browser in memory: as soon as the first chunk of data arrives from the web server, the browser starts processing it, so the buffer overflow and the embedded code can execute before any file ever reaches the disk.

Email anti-virus limitation

With email anti-virus, the infected image will in most cases reside on a web server, with the email carrying just a link to it (see Scenario 3 below). Conventional email anti-virus products, which reside on an Exchange server or on an SMTP relay, will see nothing suspicious or malicious in the email, just a regular link, and will allow it in. The Outlook or Outlook Express email client will then download the requested image from the web server via HTTP, and the exploit initiates as the user views the email.

Circumventing file inspection

Most anti-virus products can now be configured to inspect JPEG images. The problem, however, is that they rely on the file extension to identify a file as a JPEG. There are many JPEG extensions, such as the common JPG and JPEG, as well as lesser-known ones such as SJP and HSI. Hackers could also change the extension to BMP, GIF or others. But probably the most problematic extension issue is that Internet Explorer, Outlook and other applications will process a JPEG image even if its extension is as random as ABC.

"You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

"Internet Explorer processes JPEGs before it caches them. That could also mean that desktops may become infected before antivirus software has a chance to work."

Relying on patches is not enough

The availability of a Microsoft security patch is also not the answer. Organizations cannot fully rely on this patch because they might still use Windows 2000 servers or other legacy systems that cannot be patched. The most serious risk is the lack of total control over what is connected to the network. A non-patched desktop or laptop, or a newly installed operating system that is not yet patched, can always be connected to the local area network. It takes just one vulnerable computer to contaminate the entire network or create a backdoor into the organization.

From now on, it is not enough to rely only on desktop and email anti-virus solutions. Organizations MUST implement gateway solutions that inspect JPEG files coming from the web via the HTTP and FTP protocols for exploits, and must also make sure that the solution is secured against spoofing.

3. Practical Exploit Scenarios

Below are a few typical scenarios in which the JPEG vulnerability can be exploited, along with descriptions of the associated problems.

Scenario 1: Email Attachment

Method: An attacker sends an email with an attached JPEG file containing malicious code. The code is executed the moment the image is viewed or previewed in Outlook / Outlook Express, or opened in a vulnerable associated application.

Solution: Inspect all email attachments. Most anti-virus solutions have been updated to inspect JPEG email attachments.

Problems: Some anti-virus products do not know how to handle file spoofing and rely on the file extension and MIME type to identify attachments as images.

Scenario 2: Image on a Web Page

Method: An attacker places an infected image on a web server, possibly as part of web page content. An image on an FTP server could likewise be linked from a web page or accessed directly. The code is executed the moment the image is viewed in a vulnerable application such as Internet Explorer.

Solution: Inspect all JPEG files in web pages (HTTP and FTP traffic).

Problems: Most gateway solutions do not inspect JPEG files in HTTP and FTP. Mainstream solutions that do inspect HTTP/FTP traffic are proxy-based and must cache the images before inspection. Some proxy solutions also have to copy the file from the caching proxy to the content security server, resulting in a serious performance impact. In addition, proxy servers will now be forced to inspect 80% more files that were not inspected in the past. This fact alone could mean over 5 times slower HTTP inspection.

Scenario 3: Email with a Linked Image

Method: An attacker or spammer sends an email containing an HTML image link to a JPEG containing malicious code. The JPEG itself resides on a web server and is automatically downloaded via HTTP when the email is viewed or previewed. The code is executed the moment the image is viewed or previewed in Outlook / Outlook Express. As in the example above, the HTML content will be inspected by email anti-virus products, but the image will be transparently downloaded via HTTP and will not be inspected by the email anti-virus solution.

[Figure: a sample email of this kind; to the right of the image, the HTML-coded image link to a web server is shown.]

Solution: Inspect all email and all HTTP traffic for JPEG exploits.

Problems: Conventional solutions either inspect JPEG files only in SMTP or suffer from the HTTP limitations discussed in Scenario 2.

4. The Theoretical Mega Virus

Taking the scenarios above and expanding on them, it is clear that highly threatening new mega viruses based on the JPEG exploit could emerge in the near future. Imagine a JPEG worm that, upon infection of a vulnerable PC, connects to a specific destination on the Internet, downloads more malicious code, hacker tools and back doors, and then creates a local mini web server. Below is a theoretical evolution of such a JPEG mega-worm:

1. The attack starts with the arrival of infected content. This might be via email, instant message or other means.
2. As the image is viewed, the exploit executes and contacts another computer, either the hacker's own or an already-infected system.
3. The malicious payload is downloaded directly from the remote computer. This can include a variety of hacking tools, backdoors, remote control Trojans, spam-spreading tools, etc.
4. The now-infected computer starts spreading via multiple methods:
   - email with image links
   - links to infected web sites
   - instant messenger links
   - instant messenger image file transfers
   - P2P image collections
   - chat room file transfers and links
5. With most of the infection methods, the image itself will be downloaded via HTTP from the original computer, which now acts as a web server hosting the image files.
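Scenario 3 and the "email with image links" spreading method in step 4 above rest on the same mechanic: the SMTP-side scanner sees a link, not the image. The following is an added example, not code from this white paper or from Aladdin, showing what a mail gateway can at least surface from such a message. It parses a constructed MIME message, lists the attached images (the Scenario 1 content that SMTP scanners already inspect) and, separately, every remote http/https/ftp image reference in the HTML part, which is precisely the content the email scanner never sees and must hand off to HTTP-side inspection. The message, addresses and hostnames are all constructed.

```python
"""Added example: surface the remote image references (the Scenario 3 vector)
in an HTML email so they can be handed to HTTP-side inspection.  Constructed
sample message; not the white paper's or Aladdin's code."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes whose targets the mail scanner never sees; the client fetches them later.
REMOTE_SCHEMES = {"http", "https", "ftp"}


class _ImageRefCollector(HTMLParser):
    """Collects attribute values that make the mail client fetch an image."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "lowsrc", "background") and value:
                url = value.strip()
                # cid:/data: references are delivered inside the message itself
                if urlsplit(url).scheme.lower() in REMOTE_SCHEMES:
                    self.remote.append((tag, url))


def remote_image_refs(html):
    """Return [(tag, url)] for every remotely hosted image in an HTML body."""
    parser = _ImageRefCollector()
    parser.feed(html)
    parser.close()
    return parser.remote


def scan_message(raw_bytes):
    """Split a message into what SMTP-side AV can inspect (attachments) and
    what it cannot (remote image links the mail client will fetch over HTTP)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"attachments": [], "remote_refs": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            report["remote_refs"].extend(remote_image_refs(part.get_content()))
        elif part.get_filename() or ctype.startswith("image/"):
            report["attachments"].append((part.get_filename(), ctype))
    # Policy hook: a message that pulls images from the web needs the HTTP
    # gateway to inspect those downloads; the mail scanner alone is not enough.
    report["needs_http_inspection"] = bool(report["remote_refs"])
    return report


def build_sample():
    """Constructed Scenario 1 + Scenario 3 message: one attached image and an
    HTML body linking to an image on a web server (all hostnames invented)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See the attached photo and the album link.")
    msg.add_alternative(
        '<html><body><p>Album:</p>'
        '<img src="http://images.example.invalid/album/photo1.jpg" width="400">'
        '<img src="cid:logo@example.invalid">'   # inline part, not remote
        '<table background="ftp://files.example.invalid/bg.jpg"><tr><td>x</td></tr></table>'
        '</body></html>', subtype="html")
    # The attachment body is a constructed stand-in; only its first bytes resemble a JPEG.
    msg.add_attachment(b"\xff\xd8\xff\xe0 constructed sample bytes", maintype="image",
                       subtype="jpeg", filename="card.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in scan_message(build_sample()).items():
        print(f"{key}: {value}")
```

The report separates the two halves of the blended attack: the attachment list is what an Exchange or SMTP-relay scanner can inspect today, while `remote_refs` is the list of downloads that will happen over HTTP when the message is previewed, and therefore the list that only a gateway inspecting HTTP and FTP (requirement 1 in Section 8) can cover.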

5. Site Owners' Problems

Site owners, especially community sites and hosting farms, could face a serious situation in which their sites become the source of malicious code. Beyond the obvious problems raised by such a scenario is the increased risk of legal liability. Some potential examples include:

Newsgroup sites: many newsgroups allow web access to image files. Because of the relative anonymity, newsgroups are among the first "test sites" for such attacks, as we have already seen with the JPEG vulnerability.

Forum sites: many of these sites allow users to upload images or, even worse, use images as signatures in all their postings, greatly increasing the exposure potential.

Community sites: MSN and Yahoo communities, among others, allow the creation of photo albums.

E-commerce sites: many e-commerce sites such as eBay, and many community portals, allow sellers to upload images of the goods they sell. Creating infected "too good to be true" ads will guarantee many viewers.

Photo sites: many photo-serving sites allow users to upload images. The images can be linked from other sites or sent by email.

Googling: Google and other web image search services could provide easy access to infected images.

6. The Shortcomings of Existing Solutions

As mentioned before, desktop solutions inspect only files written to disk, not code that runs in memory, as can happen with the JPEG exploit. Mail server anti-virus solutions are limited by the fact that they do not inspect images that are downloaded or linked via HTTP. While most gateway-level security solutions inspect JPEG email attachments, most do not inspect JPEG files in HTTP and FTP (see exploit Scenarios 2 and 3 in Section 3). Conventional solutions that do inspect HTTP/FTP traffic are proxy-based and cache the images before inspection. Some proxy solutions also require that the file be moved from the caching proxy to the content security server, significantly impacting performance.

The problem with caching and proxy-based solutions is that they have to download the entire file before it is sent to the client, because existing anti-virus solutions are unable to inspect files packet by packet. It is also not permissible to release small parts of the file before inspection is completed, as some solutions do today in order to overcome the time-out problem, because the browser starts processing JPEG files even when they are only partially downloaded, and this can trigger the vulnerability.

[Chart 1: Proxy-based AV scanner workflow]

To overcome the spoofing problem of infected JPEG files being sent with a different extension or content type, proxy solutions must now send 100% of the passing files to the external anti-virus product and can no longer rely on filtering the content beforehand (e.g., sending only ZIP and EXE files). Some proxy solutions claim very fast performance, but this is only true for files that were already cached. In reality, a proxy cache delivers only about 30% to 40% of browsing content; the rest consists of new files that will have to be inspected prior to being cached.

7. A New Approach to Blended SMTP-HTTP Attacks

The only practical gateway content security technology on the market today that can deal with JPEG exploits is Aladdin's patented NitroInspection technology. eSafe Gateway with NitroInspection is able to correctly identify JPEG files (preventing file spoofing) and inspect them with minimal impact on browsing performance. The JPEG files are identified using a binary identifier in the file header (a magic string), regardless of the file extension or the content type sent by the web server, thus defeating a common spoofing technique used by hackers. Once the JPEG file is identified, its session is handled by the NitroInspection real-time inspection engine, which inspects the data in each packet as it arrives and does not wait until the entire file is downloaded before inspecting it. This results in lower latency and no visible impact on the users' browsing experience.

[Chart 2: eSafe with NitroInspection technology]

All "good" JPEG files will continue to gradually build up on screen as they are downloaded, and "bad" files will instantly be blocked before they have a chance to arrive at the browser.

eSafe solution benefits:

- JPEG inspection is performed while files are in transit: no time-consuming file caching, unlike all other solutions, which are proxy-based.
- JPEG inspection is completely transparent and has minimal impact on web content security performance.

- JPEG exploits are now blocked in HTTP and FTP traffic as well as SMTP. This is extremely important, as can be seen in exploit Scenario 2 in Section 3 above.
- JPEG inspection is integrated into eSafe's NitroInspection engine.
- JPEGs are positively identified by a binary signature in the file header to prevent spoofing.

8. The Six New Content Security Requirements

IT professionals today are charged with the security of their organization's data, compliance with all applicable privacy and confidentiality regulations, and the effective performance of mission-critical applications in support of business requirements. The JPEG vulnerability presents a serious threat to all of these, and dictates a new way of implementing content security:

1. Don't rely on SMTP or internal mail server content inspection. A complete solution must be a gateway solution and must inspect HTTP and FTP in addition to SMTP.
2. Identification of JPEG files should not rely on extensions or content type, in order to prevent spoofing.
3. JPEG files should be inspected packet by packet in real time to eliminate latency. Users should not have to wait until the entire file is downloaded and inspected by the proxy.
4. All parts of the JPEG file must be fully inspected before being released to the client. Solutions cannot rely on partially releasing non-inspected content.
5. The gateway solution must not introduce delays or timeouts, or create any visible impact on users' browsing experience, either when cached JPEG files are delivered or when new images are downloaded.
6. For hosted web sites that allow file uploads, inspect all uploaded JPEG files.
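Requirements 2 through 4 above (identify by the file header rather than by extension or content type, inspect packet by packet, and release nothing that has not been inspected) can be shown in a small gateway-side model. The following is an added example, not Aladdin's NitroInspection engine and not code from this white paper: `identify` sniffs the JPEG start-of-image magic (FF D8 FF) and reports a mismatch against the declared extension or Content-Type as spoofing, the situation described in "Circumventing file inspection" in Section 2; `StreamingJpegInspector` consumes the byte stream one network chunk at a time, validates each marker segment as soon as it has fully arrived, and forwards only the inspected prefix, so a good image builds up gradually while a bad one is stopped at the first failing segment. The structural checks (a marker must begin with 0xFF; a segment's declared length counts its own two bytes and so cannot be below 2) are generic JPEG format rules, not the vendor's detection signatures, and the sample files are constructed skeletons rather than real images.

```python
"""Added example: JPEG identification by header magic, then packet-by-packet structural
inspection that forwards only inspected segments.  Generic JPEG format rules, not
Aladdin's NitroInspection engine; all sample bytes are constructed."""
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker followed by the 0xFF of the next marker
EXT_TO_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "jpe": "image/jpeg", "gif": "image/gif"}

def identify(head, filename=None, content_type=None):
    """Type from the leading bytes only; spoofed if extension/Content-Type disagree."""
    sniffed = "image/jpeg" if head[:3] == JPEG_MAGIC else None
    declared = set()
    if content_type:
        declared.add(content_type.split(";")[0].strip().lower())
    if filename and "." in filename:
        declared.add(EXT_TO_TYPE.get(filename.rsplit(".", 1)[1].lower(), "application/octet-stream"))
    return sniffed, sniffed == "image/jpeg" and bool(declared) and "image/jpeg" not in declared

class StreamingJpegInspector:
    """Checks each marker segment as soon as it is complete; forwards nothing earlier."""
    NO_LENGTH = {0xD8, 0x01} | set(range(0xD0, 0xD8))   # SOI, TEM, RST0-7 carry no length

    def __init__(self):
        self.buf = bytearray()                  # everything received so far
        self.pos = self.released = 0            # end of inspected prefix / of forwarded prefix
        self.in_scan, self.verdict, self.reason = False, None, ""   # SOS state, verdict, why

    def _block(self, why):
        self.verdict, self.reason = "blocked", why
        return False

    def feed(self, chunk):
        """Consume one packet; return the verdict, or None while still undecided."""
        if self.verdict is not None:
            return self.verdict
        self.buf += chunk
        if len(self.buf) < 3:
            return None
        if self.buf[:3] != JPEG_MAGIC:
            self._block("no JPEG SOI magic in header")
        while self.verdict is None and self._step():
            pass
        return self.verdict

    def _step(self):
        """Inspect one segment if it has fully arrived; False means wait or stop."""
        b, n = self.buf, len(self.buf)
        if self.in_scan:
            # Scan data ends at the first 0xFF not followed by 0x00 (stuffing) or RSTn.
            i = b.find(b"\xff", self.pos)
            while i != -1 and i + 1 < n and (b[i + 1] == 0x00 or 0xD0 <= b[i + 1] <= 0xD7):
                i = b.find(b"\xff", i + 2)
            if i == -1 or i + 1 >= n:
                self.pos = n if i == -1 else i   # hold a trailing 0xFF until its partner arrives
                return False
            self.pos, self.in_scan = i, False
        if self.pos + 2 > n:
            return False
        if b[self.pos] != 0xFF:
            return self._block("0x%02X at offset %d where a marker was expected" % (b[self.pos], self.pos))
        marker = b[self.pos + 1]
        if marker == 0xFF or marker in self.NO_LENGTH:   # fill byte, or a marker without a length
            self.pos += 1 if marker == 0xFF else 2
            return True
        if marker == 0xD9:                   # EOI: every segment has now been checked
            self.pos, self.verdict = self.pos + 2, "clean"
            return False
        if self.pos + 4 > n:
            return False
        length = int.from_bytes(b[self.pos + 2:self.pos + 4], "big")
        if length < 2:                       # the length field counts its own two bytes
            return self._block("segment 0x%02X declares impossible length %d" % (marker, length))
        if self.pos + 2 + length > n:
            return False                     # body still in transit: hold it back
        self.pos += 2 + length
        self.in_scan = marker == 0xDA
        return True

    def take_released(self):
        """Inspected bytes not yet forwarded; nothing more once the file is blocked."""
        if self.verdict == "blocked":
            return b""
        out, self.released = bytes(self.buf[self.released:self.pos]), self.pos
        return out

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed samples: a structurally valid skeleton and one with an impossible length field.
SAMPLE_GOOD = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xFE, b"constructed sample") + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9")
SAMPLE_BAD = b"\xff\xd8" + b"\xff\xe1\x00\x01" + b"\xff\xd9"

def inspect_stream(data, packet_size):
    """Drive the inspector with fixed-size packets; return (verdict, bytes forwarded)."""
    insp, forwarded = StreamingJpegInspector(), b""
    for off in range(0, len(data), packet_size):
        insp.feed(data[off:off + packet_size])
        forwarded += insp.take_released()
    return insp.verdict, forwarded
```

`inspect_stream(SAMPLE_GOOD, 7)` forwards the file segment by segment and ends "clean", whereas `inspect_stream(SAMPLE_BAD, 7)` ends "blocked" with nothing forwarded, and a GIF renamed to .jpg is blocked at the third byte because the header, not the name, decides. The design choice behind `take_released` is the one requirement 4 asks for: a segment is forwarded only after its own structure passed, so the browser never receives bytes the gateway has not looked at, and a block part-way through a file simply ends the session without delivering the offending segment.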

Contact Information

For more info: ealaddin.com/esafe

International: T: +972-3-6362222, Email: esafe@ealaddin.com
North America: T: 1-800-562-2543, Email: esafe.us@ealaddin.com
UK: T: +44-1753-622266, Email: esafe.uk@ealaddin.com
Germany: T: +49-89-89-4221-0, Email: esafe.de@ealaddin.com
Benelux: T: +31-30-688-0800, Email: esafe.nl@ealaddin.com
France: T: +33-1-41-37-70-30, Email: esafe.fr@ealaddin.com
Israel: T: +972-3-6362222, Email: esafe.il@ealaddin.com
Japan: T: +81-426-607-191, Email: esafe.jp@ealaddin.com
Spain: T: +34-91-375-99-00, Email: esafe.es@ealaddin.com

About Aladdin Knowledge Systems

Aladdin (NASDAQ: ALDN) is a leader in digital security, providing solutions for software digital rights management and Internet security since 1985, serving more than 30,000 customers worldwide. Aladdin products include: the USB-based eToken device for strong user authentication and e-commerce security; the eSafe line of integrated content security solutions that protect networks against malicious, inappropriate and non-productive Internet-borne content; and the HASP family of hardware- and software-based products that flexibly protect, license and distribute software and intellectual property. Visit the Aladdin Web site at http://www.ealaddin.com. For free trial software, success stories and additional white papers, visit esafe.com. If you would like to obtain pricing or suggestions on eSafe for your organization's architecture, please contact one of the Aladdin offices listed above.