Is Sandboxing the End-All Solution?

When you have millions of lines of code, like you have in an Operating System, you will have bugs. Hackers can use these coding bugs to create exploits. Microsoft and Adobe products have been a favorite target for hackers. But how do you protect software from hackers when there are unknown bugs?

The answer just might be sandboxing. But what is sandboxing? According to Wikipedia:

A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

We see this technology used in Virtual Machines. Several guest operating systems can run on a host system, and each has its own memory space, hard drive storage, etc. They share a single physical machine but are not allowed to communicate with each other. These types of features are being used in the development of secure Operating Systems: the client user space will not be allowed to communicate with (or, in theory, infect) the core functions of the system.

Programs can be sandboxed too. Google and Adobe have added sandboxing features to their Chrome and PDF Reader products. If the products are compromised, this should limit the ability of the hacker to access the rest of the system.

But how well will this work? Sandboxing is a great idea, and it will help a lot in dealing with buggy code. In reality, though, it is just another layer of defense. Granted, it adds to the difficulty of penetration, but it will be compromised over time, just like everything else.

Unfortunately, security, like Anti-Virus, is a constantly evolving process. As soon as a new anti-virus definition comes out for the latest virus, three more new viruses are detected. The same is true in the security field: when a new security product comes out to address an issue, exploits and ways to bypass it follow shortly after.

At this point in the game, your hope is that you have added enough protection to your systems that the attacker gives up and moves on to easier prey, and that you keep logs and monitor your systems in case they don’t.


Adobe Reader PDF 9.3.4 “CoolType SING” Zero Day Exploit

Yeah, I know, another Adobe exploit. This one came out a few weeks ago. What is crazy, though, is that Adobe has known about it for a couple of weeks and has not released a patch for it yet. According to Security Focus, Adobe is not even planning on patching this until next month:

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com. The vendor plans to release updates to address this and other issues during the week of October 4, 2010.

Just wanted to give everyone a heads-up on this. This exploit is readily available, and I have tested it against a fully patched Windows 7 machine with the latest Adobe Reader version, and it worked flawlessly. If you run an infected PDF, it WILL give the attacker a FULL ACCESS remote shell to your computer.

The only clue you will get that something is not right is that Adobe Reader will open the file and then just sit there. I have heard some Anti-Virus companies are starting to block this, but not all of them.

So, what can we do? Well, until Adobe decides to patch it, do not click on any unknown or unexpected PDF links in e-mails, and do not open a PDF file on a website that you are not familiar with. I am stunned that, in essence, if they do not patch it until October, this exploit will have been left unpatched for a whole month!

PDFs Vulnerable to Worm Malware

“Exploits not needed to attack via PDF files” – on CNET.com. The problem is that PDF viewers allow programs to be executed from within the viewer. According to the article, to stop this type of attack:

“Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box ‘Allow opening of non-PDF file attachments with external applications.’”