Just last month, Microsoft released a relatively rare out-of-band patch to protect users from potentially active zero-day attacks against the way Windows handled cursors, animated cursors and icon formats.
The vulnerability was created because the operating system failed to properly check the size of animated cursor file headers within certain files. In short, it was a local (to the end user’s system) buffer overflow. And any users unfortunate enough to visit a maliciously designed website, or even look at the wrong email, could find their system completely owned.
What’s alarming about this vulnerability is that it’s the latest in a growing trend toward remotely exploitable local buffer overflow flaws. Beyond the animated cursor vulnerability (CVE-2007-0038), there has been the Microsoft help file buffer overflow (CVE-2007-1912), the SWF file code execution (CVE-2006-3587), and the WMF code execution vulnerability (CVE-2005-4560), to name a few.
Buffer overflow vulnerabilities have plagued IT security professionals for some time, and some of the most notorious worms — including Code Red, MSBlaster, SQL Slammer, and the infamous Morris worm that struck in 1988 — all were made possible by buffer overflows.
These flaws arise in software when developers fail to properly put in place checks for strings that are placed in memory. Without such checks, attackers can send data to the buffer that goes beyond the intended buffer length and causes instability.
The extra data then can overwrite nearby memory locations, which can be program data, variables, and other memory buffers. Attackers also can insert malicious applications into the system. That’s why buffer overflows are so sought after by attackers.
An application with a buffer overflow error vulnerability can be used to crash the application, produce false results, and enable the attacker to gain access to system resources, install malware, spyware, viruses, trojans, pop-up ads and even clandestinely steal information.
For many years, local vulnerabilities were considered to be less critical than remotely exploitable vulnerabilities. That’s because local vulnerabilities often require the end user or system to take some type of action to be successfully compromised.
But today, with nearly every computing device connected and interacting with the internet, it’s much easier to entice users to fall victim. They can be attacked via websites, email attachments, and instant messaging file exchanges.
And the problem means that common file formats, such as all Microsoft Office applications, Adobe PDF files, and other near ubiquitous formats, including those of many image and video files, can be used by attackers. This also presents a clear danger from core operating system components, as witnessed by the recent animated cursor and help file vulnerabilities.
If developers, and compilers, did a better job at making sure buffer boundaries were validated and enforced by applications, the software industry could make this type of attack extinct. That’s why the best long-term solution is for software vendors to test all of their code for buffer overflows by validating inputs during and after development. Maybe then, this scourge would go away.
But chances are that the problems associated with buffer overflows, local and remote, will remain for a long, long time. And the unfortunate reality for security professionals is that there often is no simple security workaround for local buffer overflows.
Unlike many other types of vulnerabilities, for which unnecessary services can be disabled and doable workarounds exist, with these types of problems, the vulnerable components can’t be uninstalled or disabled. No matter how high the risk, security departments can’t go around demanding that users uninstall their cursors. And there are no simple firewall rule-sets or other viable preventive measures that can be taken.
Thus, local buffer overflow vulnerabilities mean that end-user awareness is more crucial than ever. And as the events of last month show, users need to fully understand that simply visiting an untrusted website could result in attack — no matter how many security defenses they may have on their system.
Though it’s been said so many times already, it cannot be repeated too often: users must be warned of the risks of opening attachments from untrusted sources. It addition, click-through browsing, the process of hopping from one hyperlink to the next, should be discouraged.
In these days of zero-day vulnerabilities and local buffer overflows, it’s akin to recklessly speeding in a high-tech car equipped with all of the latest safety gear — no amount of security will protect the driver from his or her own carelessness.
As for enterprises defending their infrastructures from these attacks, in addition to keeping anti-malware signatures up to date, frequent vulnerability assessments, web content filters, and intrusion prevention systems can help keep users away from malicious sites, and block malicious activity should a system get infected.
One hope for a long-term solution is the No Execute, or NX technology, being built into Intel and AMD processors and the Windows operating system. But only time will tell if this technology can eradicate one of the longest standing and easily exploitable classes of vulnerabilities.
-Amol Sarwate is director of Qualys' vulnerability research lab.
Hot or not: Local buffer overflow vulnerabilities
By Amol Sarwate, on May 29, 2007 9:58AM