iTnews

Hot or not: Local buffer overflow vulnerabilities

By Amol Sarwate, on May 29, 2007 9:58AM

Buffer overflows have long been a primary vector of attack against computer systems, and the rise of local buffer overflow vulnerabilities and zero-day attacks makes the problem likely to grow more troublesome.

Just last month, Microsoft released a relatively rare out-of-band patch (MS07-017) to protect users from zero-day attacks already under way against the way Windows handled cursors, animated cursors and icon formats.

The vulnerability arose because the operating system did not validate the length field of an animated cursor (ANI) file's header chunk before copying that chunk into a fixed-size buffer. In short, it was a local (to the end user's system) buffer overflow: the vulnerable code is a file parser that runs on the victim's machine, and it is reached simply by delivering a crafted file. Any user unfortunate enough to visit a maliciously designed website, or even view the wrong email, could find their system completely compromised.

What's alarming about this vulnerability is that it's the latest in a growing trend of remotely exploitable local buffer overflow flaws, in which attacker-supplied content reaches vulnerable parsing code on the client. Beyond the animated cursor vulnerability (CVE-2007-0038), there has been the Microsoft help file buffer overflow (CVE-2007-1912), the SWF file code execution (CVE-2006-3587), and the WMF code execution vulnerability (CVE-2005-4560), to name a few.

Buffer overflow vulnerabilities have plagued IT security professionals for some time, and some of the most notorious worms, including Code Red, MSBlaster, SQL Slammer, and the infamous Morris worm that struck in 1988, were all made possible by buffer overflows.

These flaws arise when developers fail to check the length of data being copied into a fixed-size region of memory (a buffer) against the size of that region. Without such a check, an attacker can supply input longer than the buffer, and the copy runs past its end.

The extra data then overwrites adjacent memory, which may hold other variables, other buffers, or control data such as function pointers and the return address saved on the stack. By overwriting control data with a chosen value, the attacker redirects execution into code of their own, delivered as part of the same input. That's why buffer overflows are so sought after by attackers.
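The mechanism described in the two preceding paragraphs, and the missing header-size check described for the animated cursor flaw above, written out as an added example (this is illustration code, not the page's own and not Microsoft's parser): a hypothetical RIFF-style chunk reader, modelled on an ANI "anih" header chunk, that copies a payload into a fixed 36-byte structure. The unchecked version trusts the length field from the file, checks it only against the file's size, and so lets a crafted length spill into the bytes that follow the buffer, modelled here as a saved return address. The checked version compares the claimed length against the destination as well as the source. The chunk tag, the 36-byte size, the return-slot model, the 0x41 payload and the 0xCC sentinel are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified chunk layout modelled on RIFF-style files such as
 * ANI cursors: a 4-byte tag, a 4-byte little-endian length, then the payload.
 * Added illustration only; sizes and tags are assumptions, not Windows' own. */
#define TAG_LEN      4
#define LEN_FIELD    4
#define HDR_PAYLOAD  36   /* size of the fixed structure the parser expects   */
#define RET_SLOT     4    /* models a saved return address right after it    */
#define FRAME_SIZE   (HDR_PAYLOAD + RET_SLOT)

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Construct a file holding one "anih" chunk whose length field claims
 * payload_len bytes, filled with 'fill'. Returns total bytes written, 0 if
 * the output buffer is too small. This is the constructed sample input. */
size_t build_anih_file(uint8_t *out, size_t cap, uint32_t payload_len, uint8_t fill)
{
    size_t total = TAG_LEN + LEN_FIELD + (size_t)payload_len;
    if (total > cap) return 0;
    memcpy(out, "anih", TAG_LEN);
    wr_le32(out + TAG_LEN, payload_len);
    memset(out + TAG_LEN + LEN_FIELD, fill, payload_len);
    return total;
}

/* Contents of the modelled saved-return-address slot after parsing. */
uint32_t frame_ret_slot(const uint8_t *frame)
{
    return rd_le32(frame + HDR_PAYLOAD);
}

/* VULNERABLE (deliberately): the length field is read from the file and used
 * as the copy size into the 36-byte header area at the start of 'frame'. It
 * is checked against the source (so the read stays inside the file) but never
 * against the destination, so a crafted length overwrites what follows the
 * buffer. A real stack frame has no fence; this demo's frame is FRAME_SIZE
 * bytes so that the spill lands in the modelled return slot and nowhere else. */
int parse_anih_unchecked(const uint8_t *file, size_t file_len, uint8_t *frame)
{
    if (file_len < TAG_LEN + LEN_FIELD) return -1;            /* truncated */
    if (memcmp(file, "anih", TAG_LEN) != 0) return -3;        /* wrong tag */
    uint32_t claimed = rd_le32(file + TAG_LEN);
    if (claimed > file_len - (TAG_LEN + LEN_FIELD)) return -1; /* source bound only */
    memcpy(frame, file + TAG_LEN + LEN_FIELD, claimed);        /* dst bound missing */
    return (int)claimed;
}

/* HARDENED: the claimed length must match the fixed structure size (a format
 * that allows shorter payloads would use '>' and zero-fill the remainder) and
 * must also fit in what the file actually contains. */
int parse_anih_checked(const uint8_t *file, size_t file_len, uint8_t *frame)
{
    if (file_len < TAG_LEN + LEN_FIELD) return -1;            /* truncated */
    if (memcmp(file, "anih", TAG_LEN) != 0) return -3;        /* wrong tag */
    uint32_t claimed = rd_le32(file + TAG_LEN);
    if (claimed != HDR_PAYLOAD) return -2;                    /* destination bound */
    if (claimed > file_len - (TAG_LEN + LEN_FIELD)) return -1; /* source bound */
    memcpy(frame, file + TAG_LEN + LEN_FIELD, claimed);
    return 0;
}

/* Run one parser over a constructed file whose chunk claims 'claimed' payload
 * bytes of 0x41. Returns the parser's result; *slot receives the return-slot
 * contents afterwards (0xCCCCCCCC, the sentinel, means it was untouched). */
int run_case(int (*parser)(const uint8_t *, size_t, uint8_t *),
             uint32_t claimed, uint32_t *slot)
{
    uint8_t file[64], frame[FRAME_SIZE];
    size_t n = build_anih_file(file, sizeof file, claimed, 0x41);
    memset(frame, 0xCC, sizeof frame);
    int rc = n ? parser(file, n, frame) : -1;
    *slot = frame_ret_slot(frame);
    return rc;
}

int main(void)
{
    uint32_t slot;
    int rc;
    rc = run_case(parse_anih_checked, HDR_PAYLOAD, &slot);
    printf("benign  / checked   rc=%d ret slot=0x%08x\n", rc, slot);
    rc = run_case(parse_anih_unchecked, FRAME_SIZE, &slot);
    printf("crafted / unchecked rc=%d ret slot=0x%08x\n", rc, slot);
    rc = run_case(parse_anih_checked, FRAME_SIZE, &slot);
    printf("crafted / checked   rc=%d ret slot=0x%08x\n", rc, slot);
    return 0;
}
```

The crafted file claims 40 bytes for a 36-byte structure; the unchecked parser copies all 40 and the modelled return slot ends up as 0x41414141, attacker-chosen bytes, while the checked parser rejects the chunk with the frame untouched. The frame is a single array on purpose, so the demonstration itself stays within defined behaviour; the point is the missing comparison against the destination size, not the particular bytes that sit after the buffer.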

An application with a buffer overflow vulnerability can be made to crash, produce false results, or hand the attacker the ability to run code of their choosing: to install malware, spyware, viruses, trojans or pop-up adware, and to clandestinely steal information.

For many years, local vulnerabilities were considered to be less critical than remotely exploitable vulnerabilities. That’s because local vulnerabilities often require the end user or system to take some type of action to be successfully compromised.

But today, with nearly every computing device connected and interacting with the internet, it’s much easier to entice users to fall victim. They can be attacked via websites, email attachments, and instant messaging file exchanges.

The problem extends to common file formats: Microsoft Office documents, Adobe PDF files, and other near-ubiquitous formats, including many image and video formats, can all be used by attackers. Core operating system components are at risk too, as the recent animated cursor and help file vulnerabilities show.

If developers, and the compilers they use, did a better job of validating and enforcing buffer boundaries, the software industry could make this class of attack extinct. That's why the best long-term solution is for software vendors to test all of their code for buffer overflows, bounds-checking every copy into a fixed-size buffer and validating untrusted input, both during and after development. Maybe then this scourge would go away.

But chances are that the problems associated with buffer overflows, local and remote, will remain for a long, long time. And the unfortunate reality for security professionals is that there often is no simple security workaround for local buffer overflows.

Unlike many other types of vulnerabilities, for which unnecessary services can be disabled and practical workarounds exist, with these types of problems the vulnerable components can't be uninstalled or disabled. No matter how high the risk, security departments can't go around demanding that users uninstall their cursors. And there are no simple firewall rule-sets or other viable preventive measures that can be taken.

Thus, local buffer overflow vulnerabilities mean that end-user awareness is more crucial than ever. And as the events of last month show, users need to fully understand that simply visiting an untrusted website could result in attack — no matter how many security defenses they may have on their system.

Though it's been said so many times already, it cannot be repeated too often: users must be warned of the risks of opening attachments from untrusted sources. In addition, click-through browsing, the practice of hopping from one hyperlink to the next, should be discouraged.

In these days of zero-day vulnerabilities and local buffer overflows, careless browsing is akin to recklessly speeding in a high-tech car equipped with all of the latest safety gear: no amount of technology will protect the driver from his or her own carelessness.

As for enterprises defending their infrastructures from these attacks, in addition to keeping anti-malware signatures up to date, frequent vulnerability assessments, web content filters, and intrusion prevention systems can help keep users away from malicious sites, and block malicious activity should a system get infected.

One hope for a long-term solution is the No Execute (NX) bit built into Intel and AMD processors and used by Windows as Data Execution Prevention (DEP) since XP Service Pack 2. NX marks pages that hold data, such as the stack and heap, as non-executable, so an overflow that injects code into a buffer can no longer simply jump to it. It is not a complete answer: an attacker who controls the return address can still redirect execution into code that is already present in the process, and on client versions of Windows DEP is enabled by default only for core system binaries, leaving other applications to opt in. Only time will tell whether this technology can eradicate one of the longest-standing and most easily exploitable classes of vulnerabilities.

-Amol Sarwate is director of Qualys' vulnerability research lab.