Update your Software or Die!
Wolfgang Kandek, Qualys, Inc.
RMISC 2012 Denver - May 18, 2012
Advanced Persistent Threat (APT)
or Mass Malware Attacks
Attack Example #1
Exploit Kits
CVE-2006-0003 (MDAC)
…
CVE-2011-3544 (Rhino)
Website
• Has Traffic
• Was exploited to plant links

Exploit Kit Server
• Serves Exploits
• Browser/Plug-in vulnerabilities

C&C Server
• Controls malware
Live Demo
Patching
CVE-2011-3544 Java Rhino
CVE-2011-2140 Flash 10
CVE-2011-2100 Adobe Reader
CVE-2011-0611 Flash 10
CVE-2010-3971 IE8
…
Patching: Apps and Browser and OS
Attack Example #2
CVE-2011-0611: Flash 0-day
Attack Vector: E-Mail
The Attachment
Flash 0-day running
The Embedded Attachment
The Malware
Poison Ivy mincesur.com
DEP: Data Execution Prevention
XP SP2 forward
Live Demo
Attack Example #3
Java Applet Attack (Pentest Special)
Uninstall Java
Restrict Java
Internet Explorer
Internet Explorer: 1C00 to 0 in Zone 3
Google Chrome
Mozilla Firefox
Mac OS X: made it now simpler
Java 1.6U31 will auto-disable if not used in 35 days
Restrict Java: IE – trusted sites
Attack Example #4
CVE-2011-2462: Adobe Reader 0-day
No JavaScript in Adobe Reader
Live Demo
Counter-measures
• Latest Patches
• DEP
• Restrict Java
• JavaScript in Adobe Reader
• Non-admin User
  – Flash 0-day
  – Adobe Reader 0-day
• Microsoft Office 2010 Protected View Sandbox
  – Flash 0-day
• Autorun off
  – NoDriveTypeAutoRun -> FF
MSFT SIR: Malware propagation
Latest Software
Win 7 > XP
Office 2010 > 2007
Adobe Reader X > 9
IE9 > 8,7,6
How to apply what you have seen

Configure for Safety
• Force DEP On
• Whitelist Java on the Internet
• No JavaScript in Adobe Reader
• Non Admin User
• Autorun off

Run latest software
• Office 2010
• Adobe Reader X

Be fully patched
• Applications
• OS
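The "Configure for Safety" items above map onto a handful of concrete Windows settings. The following PowerShell script is an added example, not code from the talk or from Qualys: it applies the settings the slides name (DEP always on, Java permissions value 1C00 set to 0 in the IE Internet zone with a Trusted Sites whitelist, JavaScript off in Adobe Reader, autorun off via NoDriveTypeAutoRun = 0xFF) and then audits them. It assumes an elevated session, that Adobe Reader X keeps its per-user preferences under the version key "10.0", and uses "intranet.example.com" as a placeholder whitelist domain.

```powershell
# Added example (not from the talk): apply and audit the "Configure for Safety"
# settings on a Windows host. Run from an elevated PowerShell; test in a lab first.

$IEZone3     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # Internet zone
$ZoneMap     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ExplorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Assumption: Adobe Reader X stores per-user prefs under version key "10.0"; adjust for other versions.
$ReaderJS    = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\JSPrefs'

function Set-SafeConfig {
    # 1. Force DEP on for every process ("Force DEP On"). DEP exists from XP SP2 onward;
    #    the bcdedit change takes effect after the next reboot.
    & bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null

    # 2. "Whitelist Java on the Internet": value 1C00 = Java permissions in an IE zone,
    #    0 = disabled. Setting it to 0 in Zone 3 (Internet) means Java only runs for
    #    sites explicitly placed in Trusted Sites (Zone 2) via Add-TrustedSite.
    New-Item -Path $IEZone3 -Force | Out-Null
    Set-ItemProperty -Path $IEZone3 -Name '1C00' -Value 0 -Type DWord

    # 3. No JavaScript in Adobe Reader: bEnableJS = 0 under JSPrefs.
    New-Item -Path $ReaderJS -Force | Out-Null
    Set-ItemProperty -Path $ReaderJS -Name 'bEnableJS' -Value 0 -Type DWord

    # 4. Autorun off for all drive types: NoDriveTypeAutoRun = 0xFF.
    New-Item -Path $ExplorerPol -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPol -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Add-TrustedSite {
    # Places a domain in the Trusted Sites zone (zone id 2) for https, so Java stays
    # usable there while the Internet zone blocks it.
    param([Parameter(Mandatory)][string]$Domain)
    $key = Join-Path $ZoneMap $Domain
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

function Test-SafeConfig {
    # Returns one object per check; pipe to Format-Table or Export-Csv for a report.
    $results = @()

    $nxLine = & bcdedit.exe /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    $nx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'unknown' }
    $results += [pscustomobject]@{ Check = 'DEP AlwaysOn'; Expected = 'AlwaysOn'; Actual = $nx; Pass = ($nx -eq 'AlwaysOn') }

    foreach ($c in @(
        @{ Name = 'Java off in IE Internet zone'; Path = $IEZone3;     Value = '1C00';               Expected = 0 },
        @{ Name = 'Reader JavaScript off';        Path = $ReaderJS;    Value = 'bEnableJS';          Expected = 0 },
        @{ Name = 'Autorun off';                  Path = $ExplorerPol; Value = 'NoDriveTypeAutoRun'; Expected = 255 }
    )) {
        # Missing key or value reads as $null, which fails the comparison and is reported.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $results += [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $actual; Pass = ($actual -eq $c.Expected) }
    }
    return $results
}

# Usage:
Set-SafeConfig
Add-TrustedSite -Domain 'intranet.example.com'   # placeholder; replace with the sites that genuinely need Java
Test-SafeConfig | Format-Table -AutoSize
```

The "Non Admin User" item is not a registry setting: it means doing day-to-day work from an account that is not in the local Administrators group, and running this script once from a separate elevated session. The HKCU values above apply to the user running the script, so in a managed environment the same settings are better pushed through Group Policy to every profile.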
Questions?
Bonus Slides
No JavaScript in Adobe Reader
1C00 -> 0 in Zone 3