[Part 2 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly as a white paper.]

Catch the Patch Batch

Keep applications and operating system components up-to-date with automated updates and patches, and by regularly reviewing the vendors’ product update sections on their web sites.

This point is particularly relevant right now, given the continuing volumes of Conficker that we’re continue to see. Win32/Conficker is a network worm that propagates by exploiting a vulnerability in the Windows operating system (MS08-67). The vulnerability is present in the RPC sub system and can be exploited remotely by an attacker. The attacker can perform his attack without valid user credentials. While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.

While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun, as described above. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and not using unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions, but clearly it isn’t happening.

Sometimes, it seems that the whole world assumes that the only vendor that suffers from vulnerabilities in its operating system and other software is Microsoft. To see how misleading claims like this can be, check out the weekly “Consensus Security Vulnerability Alert” published by SANS (see http://portal.sans.org), which summarizes some of the most important vulnerabilities and exploits identified in the preceding week. Even during a week that includes “Patch Tuesday”, you’ll typically find that problems are flagged with a frightening number of applications from other vendors. Certainly, any system administrator should consider making use of this resource.

At the moment vulnerabilities in applications are a serious threat (arguably more so than operating system vulnerabilities). Third party applications are expected to continue to bear the brunt of vulnerability attacks for a good while yet, as security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications.

Unfortunately, users are far less savvy about patching 3rd party applications than they are about patching the operating system. However, this vector will also decline in impact as application vendors learn to tighten their quality control and patching methodologies. Part of this will be driven by adoption of Windows 7. Computers originally sold with Windows XP, with a few exceptions (such as newer netbooks) are beginning to age and will be replaced with PCs that have Windows 7. The newer operating system’s move away from the misconceived, much misused Autorun facility will hopefully contribute to a gradual decline in INF/Autorun and related threats.

David Harley
Director of Malware Intelligence