Crash! Boom! Bang! Exploit!
The Windows Debugger plug-in explains all. Plus: IE 8 and Safari get taken down a notch; Conficker might be an April Fool's joke; Paladin rolls to the rescue.
To help developers identify mechanisms that lead to system crashes or have other security implications, Microsoft is rolling out the !exploitable (pronounced "bang exploitable") Crash Analyzer. The open source tool will be available as a free download at the Microsoft Security Engineering Center
's Web site. The !exploitable utility is designed to help developers classify, assess and ultimately prevent program crashes, especially as they relate to exploits running loose in enterprise processing environments. It runs as a plug-in for the Windows debugger that classifies different crash scenarios, grouping them into what it calls "hashes." Based on information discovered on "major" and "minor" hashes, the tool isolates crashes and correlates them with bugs to determine the frequency of bug-related crashes or shutdowns caused by the same exploit.
IE 8, Safari Go Down a Notch
Prior to IE 8's launch last week, hackers at a security confab in Vancouver shot down Redmond's notion that the browser is the most secure one yet. The hackers found a hole in a matter of minutes, which led Microsoft's Security Response Center to admit that it's heading back to the drawing board to replicate the hole in IE 8 discovered by a hacker named Nils at the recent Pwn2Own contest in Canada.
Nils ran an exploit against IE 8 that made short work of Microsoft's data execution prevention function in IE 8 as well as its address space layout randomization technology. Both of these functions are two untested but highly touted features that come with IE8. With that trick, Nils won a Sony VAIO PC and $5,000.
Not to be outdone, as predicted hacker and security gadfly Charlie Miller broke into Apple's Safari on Mac OS X in two minutes, becoming a repeat champion -- he did the same thing last year -- and winning a MacBook and five grand, to boot.
This raises concern because if $5,000 and the thrill of sticking it to browser programs of industry giants is enough motivation, imagine what the inclinations of those with malicious intentions are.
Sick of Conficker
Security pros are bracing for next week -- yes, April 1 -- when a host of replicated botnets are expected to contact Web servers owned by the authors of the world's most pervasive malicious worm, Conficker.
It could be a non-event, like Y2K or it could be the biggest worm replication in the history of computing. It will probably fall somewhere in between, but no one seems to be taking any chances.
Symantec states the obvious when it says it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. It advises IT pros that if their machines are already infected, those machines should be taken offline, with the work of deworming any workstation, server or whatever other hardware has been infected.
Meanwhile Redmond is currently collaborating with AOL, Verisign and Symantec, among others, to form a group to stop the self-replicating worm and has issued a reward of $250,000 for information leading to the wheareabouts and/or apprehension of the worm's authors.
Paladin Rolls to the Rescue
As Microsoft battles the worm on one front and a new IE exploit on another, the company's security researchers are in the lab working on defense mechanisms for future hacker attacks and outbreaks of automated bugs. Microsoft Malware Protection Center's security said it's working on an automated technology that quickens the analysis of vulnerabilities. The toolset is called Paladin, according to the software giant's Threat Research & Response Blog.
In the post, Redmond said the results of the new "technology are very positive on memory corruption vulnerabilities and allow our research team to decrease dramatically the amount of time spent analyzing those vulnerabilities."
Redmond admitted that there are vulnerabilities that Paladin is "not perfectly suited for today," but that it is nonetheless "working diligently to extend this capability towards even broader coverage and higher efficacy."
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.