3/11/2010
04:20 PM
Only One In Seven Consumer AV Tools Catch New 'Aurora' Variants

NSS Labs says its new test shows emphasis on antivirus exploit detection flawed, but others disagree

Most antivirus products don't detect new variants of the exploit used in the so-called "Operation Aurora" attacks on Google, Adobe, and other U.S. companies, according to a new test conducted by NSS Labs.

NSS Labs created variants of the Aurora exploit and tested whether seven consumer AV packages would catch them. The exploits attacked the Internet Explorer vulnerability used in the Aurora attacks. Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were AVG Internet Security Version 9.0.733; ESET Smart Security 4 Version 4.0.474.0; Kaspersky Internet Security 2010 Version 9.0.0.736; Symantec Norton Internet Security 2010 Version 17.0.0.136; Sophos Endpoint Protection for Enterprise Anti-Virus Version 9.0.0; and Trend Micro Internet Security 2010 Version 17.50.1366.0000.

"Vendors need to put more focus on the vulnerability than on exploit protection," says Rick Moy, president of NSS Labs. "They pay more attention to the payload, and that's the problem."

Moy says vulnerability-based protection from AV companies basically serves as a way to plug the hole in the door. "And if you patch, the door goes away altogether," he says. He says he had expected that most, if not all, of the AV tools would have detected variants of the malware given the time that has elapsed since the attacks and the widely published information on the malware.

But Marc Maiffret, chief security architect for FireEye, says it's the reactive approach to catching malware that's all wrong. "The thinking on this [test] is very old-school: Vulnerability-based protection is stupid because you're saying you have to know about the vulnerability. The whole point of Aurora and most modern, significant attacks is that we don't know about the vulnerability," Maiffret says. "They should have been testing to see who actually would have stopped Aurora regardless of known vulnerability prevention. Reactive vulnerability signatures are just another losing battle."

Maiffret says it's a systemic problem. "One of the biggest farces in our industry recently is that all of these vendors are claiming zero-day protection, but what they are really saying is that they went from writing reactive signatures for exploits to writing reactive signatures for vulnerabilities."
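The distinction Moy and Maiffret argue over is easier to see in code. The following Python toy, added here as an illustration and not taken from the article, from NSS Labs, or from any vendor's product, contrasts an exploit signature lifted from one published sample with a check on the vulnerability's triggering condition. Everything in it is constructed for the example: the record format, the hypothetical parser flaw (a declared length copied into a fixed 32-byte buffer), the "published" sample, and the variants.

```python
"""Exploit-signature vs vulnerability-condition detection (constructed toy)."""
import struct
from typing import Callable, Dict, Optional

# Hypothetical vulnerable parser: copies `declared_len` bytes of the name
# field into a fixed 32-byte buffer without a bounds check.
BUFFER_SIZE = 32


def build_record(name: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a constructed record: 2-byte big-endian length, then the name."""
    if declared_len is None:
        declared_len = len(name)
    return struct.pack(">H", declared_len) + name


# Constructed stand-in for the one exploit sample that was published:
# 40 bytes of padding followed by a marker representing its payload.
PUBLISHED_EXPLOIT = build_record(b"A" * 40 + b"PAYLOAD-V1")

# Exploit-based signature: bytes copied from the published sample, the way a
# reactive payload signature is written.
EXPLOIT_SIGNATURE = b"A" * 40 + b"PAYLOAD-V1"


def exploit_signature_match(record: bytes) -> bool:
    """Reactive exploit signature: matches only bytes seen in the sample."""
    return EXPLOIT_SIGNATURE in record


def vulnerability_condition_match(record: bytes) -> bool:
    """Vulnerability-based check: flag any record that would overrun the buffer.

    This needs the flaw itself to be known, which is Maiffret's objection,
    but it does not care what the padding or payload bytes are.
    """
    if len(record) < 2:
        return False
    (declared_len,) = struct.unpack(">H", record[:2])
    return declared_len > BUFFER_SIZE


# Constructed variants: each still triggers the overflow condition but
# shares no byte string with the published sample.
VARIANTS = {
    "published": PUBLISHED_EXPLOIT,
    "repadded": build_record(b"B" * 40 + b"PAYLOAD-V1"),
    "new_payload": build_record(b"A" * 40 + b"PAYLOAD-V2"),
    "minimal": build_record(b"C" * (BUFFER_SIZE + 1)),
}

# A benign record that stays inside the buffer.
BENIGN = build_record(b"alice")


def evaluate(detector: Callable[[bytes], bool]) -> Dict[str, bool]:
    """Run one detector over every variant plus the benign record."""
    results = {name: detector(sample) for name, sample in VARIANTS.items()}
    results["benign"] = detector(BENIGN)
    return results


if __name__ == "__main__":
    for label, detector in (
        ("exploit signature", exploit_signature_match),
        ("vulnerability condition", vulnerability_condition_match),
    ):
        print(label, evaluate(detector))
```

Running it shows the exploit signature catching only the published sample while the condition check catches every variant and leaves the benign record alone. The same run also shows Abrams' false-positive concern: any in-house program that legitimately emits oversized records would trip the condition check even after the parser is patched, because the check looks at the triggering input, not at whether the target is still vulnerable.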

Randy Abrams, director of technical education for ESET, says vulnerabilities must be patched by the vendor, not protected by the AV product. "We all detect some attempts to exploit vulnerabilities, but this isn't always feasible with every attempted exploit. In some cases, such scanning would bring systems to their knees," Abrams says. "In some cases, there would be false positives induced as some programmers do not realize they have found a vuln and write in-house programs that make use of the vuln," which sometimes happens, he says.

Abrams says it's all about defense-in-depth. "Right now one of the biggest battles is to simply get people to patch in a timely manner," he says. "Conficker showed how bad patch management is at the corporate and governmental levels. Aurora demonstrated that it really is important to use current Web browsers."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
