Changing Definitions and the Increasing Number of Client Side Bugs
May 4, 2007 by Daniel Peck
Filed under Research category.
The focus of hackers and bug hunters seems to be shifting these days. Vulnerabilities in widely deployed network services such as HTTP, FTP and others are becoming less common and less exploitable because of better educated programmers, more sophisticated and more widely deployed network and host controls, and the increase in IPS devices at many locations. Because of this, both hackers and security researchers have moved up a level and are increasing their focus on client side (e.g., desktop, end user) vulnerabilities. Security administrators have learned how to adjust to threats coming from the outside by blocking unused ports and locking down systems as much as possible. However, the everyday computer user still has to be able to do his job, and that is why attackers are going after him.
Here at SecureWorks, the research team has seen a significant rise in the number of attacks targeting file format vulnerabilities. We blocked as many attacks of this type in the first four months of 2007 as we did in all of 2006. In the past, these types of attacks would have been disregarded and downplayed in the security community. But with programs such as Microsoft Office and QuickTime (e.g. CVE-2007-0515, CVE-2007-0714) being in such widespread use, exploiting client side vulnerabilities has become a viable method of attack. Add to this the number of vulnerabilities which directly affect Internet Explorer and Mozilla Firefox or allow attackers to use them as a medium to reach the targeted system, and we are looking at a very large percentage of the computers in use today. Simply receiving a Microsoft Office file in your inbox or downloading a video from a friend’s webpage can result in a full compromise of your system.
These types of attacks normally require some level of social engineering to trick the user into opening the file, but the user is often the weakest link in the security infrastructure. Spammers and hackers have had a lot of practice over the years learning how to get the response they are looking for from users, and attacking client side vulnerabilities lets them slip under the precautions that many users have learned to take. Security professionals have taught for a long time not to go to the shadier sites on the internet, not to run executables sent to you from questionable sources, and even to turn off macros in Office documents - but to not open a PowerPoint presentation, or view a video from the web? These precautions seem impractical to everyday users - my grandmother still does not believe anything malicious can come over email! However, these vulnerabilities are a clear threat and with the line between data and programs becoming increasingly blurred, we are required to change the way we use computers. Being secure demands a new and changing focus all the time, and it looks like these types of vulnerabilities are here to stay in one form or another for quite a while. The key to protecting against these types of attacks is clear and proactive policies, both in the technologies and with the users, and the education of these users.
This brings me to a side point that I’ll likely address more in a later post. We need to change the way we look at, rate, and prioritize vulnerabilities. CVSS is a good start, but as technologies become more integrated, we are going to need something where the categories are less black and white and more shades of grey. Many of the rating systems for vulnerabilities rely on local vs. remote as a large factor in determining the severity. These types of bugs do not quite fit into either of these, and we should all start looking at adding a “client side” category to give the rating more granularity and to make more sense in the real world. These vulnerabilities are more likely to affect organizations that have many users, and they present a much bigger threat than what is normally considered local.