7/29/2019 Rp Nss Labs Corporate Exploit Protection
1/16
CORPORATE AV/EPP COMPARATIVE ANALYSIS
Exploit Protection
2013 Randy Abrams, Dipti Ghimire, Joshua Smith

Tested Vendors
AVG, ESET, F-Secure, Kaspersky, McAfee, Microsoft, Norman, Panda, Sophos, Symantec, Trend Micro
NSS Labs Corporate AV/EPP Comparative Analysis - Exploit Protection
2013 NSS Labs, Inc. All rights reserved.
Overview

Endpoint Protection Products (EPP) are designed to protect against a broad spectrum of threats. Products originally developed to detect self-replicating code (viruses and worms) have added protection against adware, spyware, rootkits, bootkits, phishing attacks, and exploits, in addition to providing firewall capabilities and more.

The ability to block exploits is one of the most significant tasks required of EPP products. When a new vulnerability is exploited, not only can malware, known or unknown, be silently installed; criminals can also take over the exploited computer manually, thereby evading signatures and heuristics designed to detect malicious code. If an EPP can block an exploit, it has effectively blocked any and all malware that the exploit may attempt to execute or install. The ability to catch the payload an exploit delivers has value but provides far less protection than blocking the exploit itself.

Exploit kits such as Blackhole have essentially made the mass exploitation of websites a low-cost franchise operation with a low buy-in and an immediate lucrative return. Software such as Oracle's Java, Adobe's Flash and Reader/Acrobat, in addition to web browsers, keep a fresh supply of exploitable vulnerabilities available even as old exploits continue to plague consumers and corporations alike.

The exploitation of vulnerabilities in common software programs enables attackers to breach networks, steal intellectual property, hijack email and social network accounts, and engage in several other types of cybercrime. NSS vulnerability research reveals that the number of reported vulnerabilities rose significantly in 2012 and the vulnerability landscape is going through significant transformations.[1]

Enterprises have several tools to help prevent the exploitation of vulnerabilities. Patching is one of the most important defenses. However, many corporations fail to patch all of the applications on their desktops and often are slow to deploy the most current software versions. Intrusion prevention systems (IPS), and in some scenarios next generation firewalls (NGFW), can provide a valuable line of defense against exploits for enterprises. NSS provides extensive comparative testing for IPS and NGFW products. The use of current web browsers is another line of defense. The most widely used browsers have added features such as reputation systems and application blocking to help defend against the exploitation of vulnerabilities. The use of endpoint protection products, colloquially known as antivirus, is also a common defense.

NSS tested 11 popular enterprise EPP products to measure their effectiveness in protecting Windows computers against exploits. All of the exploits used during this test have been publicly available for months (and sometimes years) prior to the test, and have also been observed in use on the Internet.

Enterprises, especially those employing the BYOD model, that seek protection from exploit-driven attacks against desktop PCs and laptops should closely examine results from this test.

[1] https://www.nsslabs.com/reports/vulnerability-threat-trends
Figure 1 - Combined Block Rates (including alternate vectors)

  Panda        41%
  Norman       47%
  Microsoft    65%
  ESET         71%
  Trend        73%
  F-Secure     76%
  AVG          79%
  Sophos       88%
  Symantec     91%
  Kaspersky    92%
  McAfee       97%

Figure 1 combines 203 exploit download and payload execution tests with 30 alternate vector attacks to provide the overall exploit protection rate for the tested EPP products.

Key Findings:
- With a few notable exceptions, endpoint products are not providing adequate protection from exploits.
- Enterprise EPP products differ up to 53% in effectiveness at blocking exploits, with protection levels varying between 44% and 97%.
- Keeping AV software up-to-date does not yield adequate protection against exploits, as evidenced by gaps in coverage for vulnerabilities found to be several years old.
- Java is a significant attack vector.
Table of Contents

Analysis ... 5
  Test Background - Threat Landscape ... 5
  Stages of Protection ... 6
  How This Test Was Conducted ... 7
  Protection From Exploits Across Protocols ... 7
  Exploit Blocking Results ... 8
  Alternative Attack Vectors ... 11
Test Methodology ... 12
  The Tested Products ... 12
  Client Host Description ... 13
  The Vulnerabilities ... 13
Appendix A: Definitions ... 15
  Vulnerability ... 15
  Exploit ... 15
  Payload ... 15
Contact Information ... 16

Table of Figures

Figure 1 - Combined Block Rates (including alternate vectors) ... 3
Figure 2 - How a desktop/laptop computer is exploited ... 5
Figure 3 - HTTP vs. HTTPS block rates ... 8
Figure 4 - Non-IE6 Overall Exploit Block Rate ... 9
Figure 5 - IE6 Overall Block Rate ... 10
Figure 6 - Overall Exploit Block Rate ... 10
Analysis

The results of NSS's in-depth testing of 41 individual exploits and over 200 attack scenarios revealed significant differences in the defensive capabilities of 11 leading endpoint protection solutions. Results are provided for exploits that require Internet Explorer 6 and those that do not. Given that many enterprises are forced to support IE6 because of legacy applications, this capability may be a determining factor in selecting an EPP product.

Excluding exploits requiring IE6, the average block rate was 77%, with the weakest product blocking 44% and the best product blocking 98% of the attacks. For exploits requiring IE6 to execute, the average blocking ability was 65%, with the weakest performer blocking 20% of the attacks and the top products blocking 100% of the attacks.

Enterprises rely on endpoint security products to help provide a virtual shield against exploits. The number of potentially vulnerable applications that need to be patched taxes the resources of most IT departments and may allow vulnerabilities to persist longer than they ordinarily might on a consumer computer. NSS testing shows that the majority of EPP products fail to block some of the most widely used and dangerous exploits from recent years.

Given the importance and growing prevalence of this class of threat, NSS recommends that enterprises give appropriate weight to the quality of exploit prevention technology, as well as performance and threat detection, when selecting EPP products.

Test Background - Threat Landscape

The layers of defense used in enterprises vary widely. The extent to which technologies such as IPS, NGFW, web and application whitelisting, thin clients, and other measures are employed will affect how critical it is that an EPP product is capable of blocking exploits. Where employees work from home, or the bring your own device (BYOD) model is adopted, the importance of exploit prevention in EPP products may be significantly increased.

Exploit detection and prevention is a difficult problem and requires a different set of skills and focus than traditional malware protection.

In this test NSS demonstrates the capabilities of 11 popular enterprise-level endpoint protection products.

Figure 2 - How a desktop/laptop computer is exploited
Stages of Protection

The following table outlines pros and cons of stopping the threat at the various stages.

Stage: Vulnerability
  Pros:
  - Provides the best protection: prevents the vulnerability from triggering
  - 90% proactive: can develop protection before exploits based upon the vulnerability are released
  - ALL alternate exploit variants of the vulnerability are blocked
  - Nearly impossible to evade
  - Very accurate
  - Generates the least false positives
  Cons:
  - Requires a lot of work and is hard to do
  - 10% reactive: must know the vulnerability
  - Requires complex application or protocol decoding
  - Must understand the vulnerability
  - Most processor-intensive

Stage 1: Exploit
  Pros:
  - Offers targeted protection: prevents the (known) exploit
  - No need to understand the vulnerability or the protocol beyond a cursory level
  - Can be done easily through regular expression matching
  - Fast
  - Generates few false positives
  Cons:
  - Provides limited, targeted protection
  - 50% reactive: must see the exploit first
  - Only prevents the specific (known) exploit
  - Easy for attackers to find alternatives to bypass
  - Maximum coverage = many signatures
  - Requires tuning to prevent false positives

Stage 2: Payload
  Pros:
  - Focuses on the malicious payload (malware)
  - Detects malware that is delivered by other means (e.g. USB)
  - Simple pattern matching
  - Fast
  - Based on mature technology
  Cons:
  - Detection occurs after a successful attack has put malicious code on an endpoint
  - 100% reactive: must see the payload first
  - Does not detect non-standard attacks
  - Easy for attackers to obfuscate attacks and bypass
  - Requires the most signatures + constant updates to be effective
  - Only provides limited protection
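The trade-offs in the table can be made concrete with a small model. The Python below is an added example and is not NSS's code; it invents a toy record format (1-byte type, 2-byte length, value) whose imaginary parser copies a "name" field into a 64-byte buffer, and implements one detector per stage: a vulnerability-stage check that decodes the format and blocks any name longer than the buffer, an exploit-stage regular expression for the one exploit that has been seen, and a payload-stage hash match for the one payload that has been seen. The format, the signatures and the sample records are all constructed for the example.

```python
import hashlib
import re

# Constructed toy record format (an assumption for this example, not anything
# from the NSS report): a stream of TLVs, each 1-byte type, 2-byte big-endian
# length, then the value.
TYPE_NAME = 0x01   # field the imaginary vulnerable parser copies into a fixed buffer
TYPE_BLOB = 0x02   # field that carries the delivered payload
NAME_BUFFER = 64   # size of that buffer: any longer name is the vulnerability


def tlv(t: int, value: bytes) -> bytes:
    """Encode one field of the toy format."""
    return bytes([t]) + len(value).to_bytes(2, "big") + value


def parse_tlvs(data: bytes) -> list:
    """Decode the stream into (type, value) pairs. This is the 'complex
    application or protocol decoding' the vulnerability stage requires;
    truncated input raises ValueError."""
    out, i = [], 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError("truncated header")
        t = data[i]
        n = int.from_bytes(data[i + 1:i + 3], "big")
        value = data[i + 3:i + 3 + n]
        if len(value) != n:
            raise ValueError("truncated value")
        out.append((t, value))
        i += 3 + n
    return out


def vulnerability_stage(data: bytes) -> bool:
    """Vulnerability stage: understands the format and blocks the condition
    that triggers the bug, so every variant is caught. Malformed input is
    rejected too (fail closed)."""
    try:
        fields = parse_tlvs(data)
    except ValueError:
        return True
    return any(t == TYPE_NAME and len(v) > NAME_BUFFER for t, v in fields)


# Stage 1: a regex for the one exploit that has been seen, a name field of
# exactly 150 'A' bytes (0x0096 = 150 is its length prefix).
EXPLOIT_SIG = re.compile(rb"\x01\x00\x96A{150}")


def exploit_stage(data: bytes) -> bool:
    """Exploit stage: cheap pattern match over the raw bytes, no decoding."""
    return EXPLOIT_SIG.search(data) is not None


# Stage 2: hash of the one payload blob that has been seen (constructed sample).
KNOWN_PAYLOAD = b"constructed-sample-payload-v1"
KNOWN_PAYLOAD_HASHES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}


def payload_stage(data: bytes) -> bool:
    """Payload stage: only fires once the delivered blob matches a known hash."""
    try:
        fields = parse_tlvs(data)
    except ValueError:
        return False
    return any(t == TYPE_BLOB and hashlib.sha256(v).hexdigest() in KNOWN_PAYLOAD_HASHES
               for t, v in fields)


def evaluate(data: bytes) -> dict:
    """Run all three stages and report which of them would block the record."""
    return {
        "vulnerability": vulnerability_stage(data),
        "exploit": exploit_stage(data),
        "payload": payload_stage(data),
    }


# Constructed samples: a benign record, the exploit the signatures were written
# for, and a variant that triggers the same bug with different bytes and a
# repacked payload.
BENIGN = tlv(TYPE_NAME, b"alice") + tlv(TYPE_BLOB, b"hello")
KNOWN_ATTACK = tlv(TYPE_NAME, b"A" * 150) + tlv(TYPE_BLOB, KNOWN_PAYLOAD)
VARIANT_ATTACK = tlv(TYPE_NAME, b"B" * 200) + tlv(TYPE_BLOB, KNOWN_PAYLOAD + b"-v2")

if __name__ == "__main__":
    for label, record in (("benign", BENIGN), ("known", KNOWN_ATTACK), ("variant", VARIANT_ATTACK)):
        print(f"{label:8} {evaluate(record)}")
```

Running it reproduces the table's argument: the known attack trips all three stages, while the trivially altered variant evades both the exploit signature and the payload hash and is blocked only at the vulnerability stage, which is also the only stage that needed a real decoder for the format.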
How This Test Was Conducted

Between October and December 2012, NSS tested 11 enterprise endpoint protection products, assessing their respective protection capabilities against exploits. Vulnerabilities used in this test were exploited when a user visited an infected web page hosting the attack code. The attacks occurred in two stages:

1. The attacker caused a specially crafted stream of data and code to be delivered to a precise location. This exploited the victim's computer, gaining the attacker the ability to perform arbitrary code execution.
2. Malicious code was silently executed on the victim's computer.

If the attack can be thwarted in stage one (successful exploit), then it cannot progress to stage two. As long as the exploit is not defeated, installing malware is just one of many possible actions the attacker can take. Prior to exploiting a vulnerability, attackers have the ability to use services such as Google's VirusTotal, and even the products themselves, to ensure the payload will not be detected by any antivirus product. Since cybercriminals have the time and resources to ensure custom malware will go undetected, it is imperative that attacks be defeated in the earliest possible stage. Those products that are unable to prevent the exploitation of vulnerabilities are also unable to provide significant protection against the infinite number of payloads that can be delivered.

Protection From Exploits Across Protocols

The Firefox add-on Firesheep brought substantial media attention to session hijacking attacks, and forced many social media sites to implement encrypted sessions. Today, Gmail, Twitter, and Facebook all offer end-to-end HTTPS sessions, as does virtually every financial site. When trusted SSL sites are compromised, products that cannot penetrate SSL encryption are blind to the attacks and to the malware being delivered through the HTTPS transport protocol. Detection of exploits delivered across HTTP versus HTTPS protocols can vary by as much as 39% in a single product.
Figure 3 - HTTP vs. HTTPS block rates

  Product      HTTP   HTTPS
  Panda         42%    47%
  Norman        50%    50%
  Microsoft     66%    66%
  ESET          74%    74%
  F-Secure      79%    82%
  AVG           87%    71%
  Sophos        87%    89%
  Trend         89%    50%
  Symantec      95%    87%
  McAfee        97%    95%
  Kaspersky    100%    97%

NSS protocol testing utilized a payload that was proven to be detectable by all products in at least some cases. The payload was delivered via both HTTP and HTTPS leveraging 39 different exploits. Browsers used in the protocol testing included multiple versions of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Google Chrome. Vulnerable applications included versions of .NET, Flash, Java, Office, Shockwave, RealPlayer, Reader, QuickTime, WMI tools, and WMP. To provide the best protection, security products should ideally protect against all exploits for a given vulnerability, regardless of transport protocol.

Exploit Blocking Results

In the non-IE6 tests, no product was able to block all of the exploits, and only three products, Kaspersky (98%), McAfee (96%) and Symantec (92%), were able to block more than 90% of the exploits. Four products, ESET (74%), Microsoft (66%), Norman (52%), and Panda (44%), failed to block at least 75% of the exploits.

For most products, the problem was not whether or not the traffic was encrypted, but rather a failure to detect exploits at all (over both HTTP and HTTPS). A few products even demonstrated more effective exploit blocking performance over HTTPS than over HTTP. On average, there was a 7% difference in the ability of products across the board to block HTTPS versus HTTP exploit attacks.
Trend Micro blocked 39% fewer attacks delivered via HTTPS than through HTTP, and AVG blocked 16% fewer attacks when SSL was used. Only ESET, Microsoft, and Norman consistently blocked the same attacks delivered through HTTPS as they did when SSL was not used.
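The HTTP/HTTPS comparison can be worked through as a small analysis of the Figure 3 data. The Python below is an added example, not NSS material: the block rates are the values from Figure 3 (paired by the figure's label order, which reproduces the Trend Micro and AVG gaps quoted above and the 7% average difference), the split of each product's misses into "missed regardless of transport" and "lost to TLS" is this example's own reading of the report's point, and the 10-point threshold for calling a gap a TLS-inspection problem is an assumed value.

```python
from statistics import mean

# Block rates in percent read off Figure 3 of the report: for each product,
# the share of the 39 exploits blocked when delivered over HTTP and over HTTPS.
BLOCK_RATES = {
    "Panda":     {"HTTP": 42,  "HTTPS": 47},
    "Norman":    {"HTTP": 50,  "HTTPS": 50},
    "Microsoft": {"HTTP": 66,  "HTTPS": 66},
    "ESET":      {"HTTP": 74,  "HTTPS": 74},
    "F-Secure":  {"HTTP": 79,  "HTTPS": 82},
    "AVG":       {"HTTP": 87,  "HTTPS": 71},
    "Sophos":    {"HTTP": 87,  "HTTPS": 89},
    "Trend":     {"HTTP": 89,  "HTTPS": 50},
    "Symantec":  {"HTTP": 95,  "HTTPS": 87},
    "McAfee":    {"HTTP": 97,  "HTTPS": 95},
    "Kaspersky": {"HTTP": 100, "HTTPS": 97},
}


def https_gap(rates=BLOCK_RATES) -> dict:
    """HTTP block rate minus HTTPS block rate per product. Positive means the
    product lost coverage once the same exploit was wrapped in TLS."""
    return {p: r["HTTP"] - r["HTTPS"] for p, r in rates.items()}


def mean_abs_gap(rates=BLOCK_RATES) -> float:
    """Average size of the HTTP/HTTPS difference across products."""
    return mean(abs(g) for g in https_gap(rates).values())


def decompose_misses(rates=BLOCK_RATES) -> dict:
    """Split each product's misses into (transport_independent, tls_attributable).
    Exploits missed even on the product's better transport cannot be a TLS
    inspection problem; only those blocked on HTTP but not on HTTPS can be.
    This split is the example's own reading of the report, not an NSS metric."""
    out = {}
    for p, r in rates.items():
        transport_independent = 100 - max(r["HTTP"], r["HTTPS"])
        tls_attributable = max(0, r["HTTP"] - r["HTTPS"])
        out[p] = (transport_independent, tls_attributable)
    return out


def classify(rates=BLOCK_RATES, tls_threshold=10) -> dict:
    """Group products the way the report discusses them. The threshold for
    calling a gap a TLS-inspection problem is an assumed value."""
    gaps = https_gap(rates)
    return {
        "consistent": sorted(p for p, g in gaps.items() if g == 0),
        "better_over_https": sorted(p for p, g in gaps.items() if g < 0),
        "tls_inspection_gap": sorted(p for p, g in gaps.items() if g >= tls_threshold),
    }


if __name__ == "__main__":
    print(f"mean |HTTP - HTTPS| gap: {mean_abs_gap():.1f} points")
    for product, (indep, tls) in decompose_misses().items():
        print(f"{product:10} missed regardless of transport <= {indep:3d}%, lost to TLS {tls:3d}%")
    for group, members in classify().items():
        print(f"{group}: {', '.join(members)}")
```

The decomposition is what turns the chart into an actionable finding: Trend Micro's misses are dominated by the TLS-attributable share, which points at inspection of encrypted traffic, whereas Panda's misses are entirely transport-independent, so enabling SSL inspection would not be expected to help that product at all.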
The overall effectiveness of the 11 products in blocking (non-IE6) exploits is as follows:

Figure 4 - Non-IE6 Overall Exploit Block Rate

  Panda        44%
  Norman       52%
  Microsoft    66%
  ESET         74%
  F-Secure     78%
  Trend        81%
  AVG          82%
  Sophos       88%
  Symantec     92%
  McAfee       96%
  Kaspersky    98%

When testing protection against exploits that require the use of Internet Explorer 6.0, three products, McAfee, Sophos, and Symantec, were able to block 100% of the exploits. The average detection of these exploits was 65%. Among the IE6-driven attacks that Microsoft failed to block was an exploit that affects Microsoft Office 2003. There were five products that were able to block more than 75% of the attacks. Five products failed to block 50% of the exploits that affect IE6 users.
Figure 5 - IE6 Overall Block Rate

  Norman       20%
  ESET         40%
  Microsoft    40%
  Panda        40%
  Trend        48%
  AVG          56%
  F-Secure     80%
  Kaspersky    88%
  McAfee      100%
  Sophos      100%
  Symantec    100%

The combined exploit protection of Figures 4 and 5 is shown in Figure 6 below.

Figure 6 - Overall Exploit Block Rate

  Panda        44%
  Norman       48%
  Microsoft    63%
  ESET         70%
  Trend        77%
  F-Secure     78%
  AVG          79%
  Sophos       89%
  Symantec     93%
  McAfee       97%
  Kaspersky    97%
Alternative Attack Vectors

In testing EPP products against exploits, the primary tests were performed using a variety of web browsers. NSS engineers also performed a few tests using alternate attack vectors. The sample set was too small to present qualitative product differences on those criteria alone, but it did reveal some gaps in protection.

NSS engineers tested 5 exploits, each executed from an Outlook email message, executed from a network share, and copied from a network share and executed from the desktop. Most products would block the exploits when delivered from alternate vectors if they blocked the exploit on download. There were a couple of notable and interesting exceptions, however.

For one exploit, Kaspersky failed to block the exploit when run from alternate vectors. On further inspection it was determined that the initial block when a browser was used was based upon a heuristic that detected the exploit script rather than the exploit itself. F-Secure failed to block two exploits if they were executed from a network share, but detected the exploits when downloaded, opened from email, or opened from the desktop. Trend Micro blocked an exploit on download and when opened from Outlook, but not when executed from a network share or the desktop. The small sample set precludes conclusions that the other products would not have similar issues if a statistically significant sample set were used in these tests. However, the testing does conclusively demonstrate that the ability to block an exploit on download does not automatically translate to protection against alternate delivery methods.

NSS engineers noted other disconcerting behaviors while conducting the tests. There were several instances where products flagged an exploit but the payload was still executed. These cases were tabulated as failures. Initial indications point to a probable race condition where a temp file is written to disk and sometimes the EPP detects it prior to payload execution and sometimes the payload wins the race.

The standard NSS testing methodology calls for the use of standard ports for browsing and exploit delivery. However, when NSS engineers tried the same tests over non-standard ports, Kaspersky failed to detect the exploits. This may be attributable to configuration options and underscores the need to block unused ports at the firewall as well as the need to test implementations of security products in the actual enterprise environment.

In testing exploits delivered over HTTPS, NSS engineers noted that the browser would often crash when testing the Kaspersky product. While this did prevent the payload from executing, it is not the ideal approach to exploit protection and can result in excessive help desk calls.
Test Methodology

Methodology Version: Endpoint Protection Test Methodology v3.0

This test report is one of a series of several tests in our Whole Product Test series. The scope of this particular report is limited to Host Intrusion Prevention vs. Exploits. No zero-day exploits against unknown vulnerabilities were included in this test.

Other tests in this series include:

1. Socially Engineered Malware - Web-based malware that tricks users into downloading and installing it.
2. Host Intrusion Prevention - This report
3. Evasion Defenses - Preventing attempts to circumvent AV and HIPS
4. Anti-Malware (classic) - Email, Network Share, and USB infection vectors
5. Live Web-Based Drive-By Exploits - Live testing using Internet-borne exploits that insert malware payloads. Also known as drive-by or non-consensual downloads
6. Performance - Increase in Memory, CPU, Boot Time, and Application Load Time.

The Tested Products

The following is a current list of the products that were tested, sorted alphabetically:

1. AVG Internet Security Business Edition 2012 2012.0.2221
2. ESET Endpoint Security 5 5.0.2126.0
3. F-Secure Client Security 9.31
4. Kaspersky Endpoint Security 2012 12.0.0.374 8.1.0.831(a)
5. McAfee Endpoint Protection 8.8.0
6. MS System Center 2012 Endpoint Protection 2.2.903.0
7. Norman Endpoint Protection 9.00.000
8. Panda Cloud Antivirus Pro 2.0.0
9. Sophos Endpoint Security & Control 10.0
10. Symantec Endpoint Protection 12.1.1101.401 RU1 MP1
11. Trend Micro OfficeScan 10.6.2401 Service Pack 1

Vendors were allowed to make configuration changes if it was determined that the default settings were not optimal. Product settings were verified by browsing to real websites on the Internet that utilize common applications used during the test. This ensured vendors applied realistic policies and did not skew the test by simply setting their product to block all.
Products were connected to the live Internet, and had access to vendor cloud services. Updates were enabled with whatever frequency was set by the manufacturer.

Once testing began, the product version was frozen, in order to preserve the integrity of the test. Given the nature of endpoint protection platforms, virus signature and definition updates as well as HIPS updates were enabled with whatever frequency was set by the manufacturer.

Client Host Description

All tested software was installed on identical machines, with the following specifications:
- Microsoft Windows XP SP3, and Windows 7 32-bit operating systems
- 2 GB RAM (XP SP3), 4 GB RAM (Windows 7)
- 20 GB HD (XP SP3), 40 GB HD (Windows 7)

The Vulnerabilities

Vulnerabilities were primarily selected based upon their severity and prevalence. They include vulnerabilities found in Microsoft Windows Internet Explorer, Mozilla Firefox, Adobe Acrobat, Apple QuickTime and other widely used applications.

All of the vulnerabilities selected by NSS had been public for several months (or years). The test set did not contain any zero-day vulnerabilities. Each of the selected vulnerabilities permitted arbitrary code execution. All exploits were validated on vulnerable systems.

The following list contains some examples of the vulnerabilities tested (this list is not exhaustive, and is provided only to give an indication of the types of vulnerabilities used in testing):

Vulnerabilities and Descriptions

CVE-2012-1875: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

CVE-2011-1276: Buffer overflow in Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Excel spreadsheet, related to improper validation of record information, aka "Excel Buffer Overrun Vulnerability."

CVE-2011-2371: Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
CVE-2011-3544: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

CVE-2010-1297: Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to authplay.dll and the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010.

CVE-2010-0886: Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0806: Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability."

CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code.

CVE-2009-0075: Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."

CVE-2008-5353: The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

CVE-2008-4844: Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.

Further information about vulnerabilities can be found at http://cve.mitre.org, a public, government-funded web site established as a clearinghouse for vulnerability information.
Appendix A: Definitions

The following definitions and analogies are provided in an effort to provide clarification, as well as to bridge an ongoing communication gap between security vendors and their customers.

Vulnerability

A perfect lock can only be opened by a key with a specific pattern. If a lock can be opened with a different key then it has a vulnerability. If nobody can actually build the alternate key that will open the lock then the vulnerability cannot be exploited. An example of a software vulnerability is an improperly defined memory usage within a function that enables unauthorized content to be sent to a specific memory location and then executed with privileged rights.

Exploit

An exploit is a specially crafted code sequence which can trigger or unlock a vulnerability within an application, such as a heap spray, buffer overflow attack, etc. In the context of the above vulnerability example, an exploit is using an incorrect key to unlock the vulnerable lock. When such a key is built exclusively to prove that a lock is vulnerable it is called a proof of concept. When such a key is used to criminally exploit systems it is said to be in the wild. Practically speaking, virtually any exploit for which there is a viable proof of concept is being exploited in the wild and poses a threat to consumers, corporations and governments. An exploit can be planted in a compromised website where it silently infects visiting computers, can be embedded in an attachment delivered through email, or can be launched from another computer (remote attack) automatically via software or manually by a hacker.

Payload

The payload is the content that is delivered once the vulnerable application has been exploited. Payloads can range from inactive political or religious statements to the complete remote control of the affected computer. For automated attacks the payload may be something as relatively innocuous as adware or as costly as a rootkit combined with a banking or gaming password-stealing trojan. For a manual attack the payload may provide a remote hacker with complete control of the compromised system and access to all information on the system. In a home environment the payload may result in identity theft, or compromise of email or social networking accounts. In a business environment, including those allowing BYOD network access, compromise of a workstation may allow an attacker to tunnel deeper into a network.

Figure: Vulnerability (e.g. CVE-2010-0249) -> Exploits (Java, Reader, Browser) -> Arbitrary Malicious Payloads (Shellcode, Virus/Trojan, etc.)
2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS without notice.
2. The information in this report is believed by NSS to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS. IN NO EVENT SHALL NSS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.

Contact Information
NSS Labs, Inc.
206 Wild Basin Road, Suite 200A
Austin, TX 78746
+1 (512) 961-5300
www.nsslabs.com

This and other related documents are available at: www.nsslabs.com. To receive a licensed copy or report misuse, please contact NSS at +1 (512) 961-5300 or [email protected].