AV – Protection Against Vulnerabilities ?

Last week, NSS Labs published a report on the efficiency of protection provided by 13 consumer endpoint protection (AV) products against attacks targeting recent critical Microsoft vulnerabilities. John Dunn wrote about this report in NetworkWorld, and as he pointed out, the products struggled to shield the endpoint systems. While protecting against exploits of vulnerabilities is usually not the primary focus of these products, but nevertheless all of the companies tested receive detailed vulnerability information from Microsoft under the MAPP program so that they can implement proactive protections wherever possible. NSSLabs took a look at MS12-037 (CVE-2012-1875) in Internet Explorer fixed in June 2012 and MS12-043 (CVE-2012-1889) in Microsoft XML Core Services addressed in July 2012 and updated again in August 2012. Both of the vulnerabilities were 0-days and have been under active attack before the patches were released.

Results

The results revealed that many AV products have problems detecting these two exploits. When the exploits were served over HTTP, eight products caught all of them, while the remaining five had problems detecting all variations. When the exploit was served over HTTPS, only four of the products continued to be able to protect against the exploit.

The results are not very surprising. Endpoint protection packages have a long tradition in finding infected files on the machine, i.e. they are good at telling you that malware has found its way onto the system and in many cases are able to remove the infection or at least to quarantine the infected files. Proactive protection is a newer area and requires distinctly different technology more akin to Host-based intrusion prevention systems (HIPS).

The report sums it up: “Consumers, who delay patching, or fail to patch more than their operating system alone are at an elevated risk of compromise” and recommends: “Users of products that fail to block these attacks should update/patch immediately or otherwise mitigate”

In other words patching is still the best way of neutralizing exploits and stopping malware before they even get to the system. Patching has the recommendation of both the US and Australian governments as the security measure that has the best ROI.

In addition, NSS Labs did not push the products and tested only basic evasion techniques such as Base 64, Unicode and JavaScript encoding, and did not invest any effort into modifying the exploits, using them as available in Exploit-DB or Metasploit. In contrast, sophisticated attackers are capable of modifying the publicly available exploits and will not use the standard exploits if they are detected by the common endpoint protection packages.

Overall an interesting and eye-opening report from NSSLabs; I am looking forward to the comprehensive test that they will publish later this year.