How to mitigate zero-day threats like Windows ANI

Patching a flaw is still the most reliable protection, security experts say

The Windows animated cursor (ANI) bug caused widespread concern because working exploits for it were circulating before Microsoft could release a patch. But as with earlier zero-day threats, there are measures companies can take to at least try to mitigate the risk from unpatched vulnerabilities, security experts said.

The measures are not a sure bet. And in the end, patching a flaw is still the most reliable way of protecting against exploits seeking to take advantage of it, they said. But deploying multiple layers of defenses is vital to dealing with threats for which no immediate fix is available.

Among them are the following:

Restrict e-mail attachments

One of the ways attackers hope to exploit the ANI flaw -- which Microsoft patched earlier Tuesday -- is by getting users to open malicious attachments in spammed e-mails. One way of dealing with this attack vector is to have strict policies in place for filtering e-mail attachments.

Security experts have long advised companies to filter out GIF, JPEG, WMV and most other attachment types they don't need from inbound and outbound e-mails. When deciding which attachments to allow and which to deny, it's a mistake to assume that only certain attachment types are used maliciously, said Russ Cooper, senior information security analyst with Cybertrust.

"Don't go on the basis of whether something is benign or not," Cooper said. After all, both GIF and JPEG attachments were once considered benign until hackers started hiding malicious code in them. "Instead, look at what you need for your business," he said.

If there is a business need for accepting e-mails with attachments -- from a business partner, for example -- see if there's a way to restrict them to just that business partner. Or if you need to exchange zip files, for instance, consider renaming the extension to something that only your company and your business partner know -- and permit only attachments with that extension into your network, Cooper said. "Then you can put GIF, JPEG and even animated cursors if you have a need for them into those attachments," he said. "If you say 'I only want to allow these attachments and nothing else,' you have eliminated every zero-day" threat via e-mail attachments, he said.

Disable HTML e-mail

Hackers and other bad guys like HTML e-mail because it makes it easier to hide attack code and deliver it to a desktop. For instance, several of Microsoft's e-mail clients, including Outlook Express and Windows Mail on Vista, are vulnerable to attacks that embed a malicious ANI file in an HTML message. Disabling HTML rendering can help mitigate this risk, Cooper said. By doing so, you are also blunting a lot of the phishing attacks that try to get users to click on links to malicious sites, he said.

Keep an eye on the LAN

Consider tools that don't rely on virus signatures alone to detect infected systems. Instead, implement a way to quickly detect a compromised system by any anomalous behavior it might exhibit, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry.

Also have a way to limit the damage an infected system can do to other LAN-connected systems, he said. BT Radianz, for instance, uses a tool that allows it control over the connections a desktop makes with other systems within the LAN. "Under the previous model, you could go anywhere in the network once you are within the network," Hession said.

Now there are rules that specify which parts of the network a system is allowed to access, and which other systems it can connect to, based on the user's business requirements. Such control can help mitigate the risk of an infected computer spreading malicious code to other systems within the network. "You need to smarten the intelligence within the local network" to detect zero-day attacks faster, he said.

Filter outbound traffic

It's not enough just to inspect the traffic that's coming into your network; it's vital also to keep an eye on what's going out. Many Trojans or bot programs that get installed communicate with a remote system for further instructions on what to do next or what to download. Using outbound proxies or firewalls to look for and block such communications is one way to prevent Trojans and bots from calling home, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC).

Consider implementing a "default deny" capability at the perimeter, Cooper added. The idea is to permit only specific traffic in and out of a network gateway, while blocking everything else by default, Cooper said.

"What we are talking about is inbound and outbound rules on your router" to block, for example, outbound IRC attempts and SMTP requests, he said. To get an idea of what traffic to permit through the network, log all inbound and outbound router activity for a period of time and use that information to decide what's permissible and what's not, he said. "If you are worried about breaking functionality, allow everything that has been going through anyway and deny everything else," he said. "It's a great starting point."

Increasingly, Trojans and bot programs have begun using well-known ports such as port 80 to communicate with the remote systems controlling them. That makes it harder to detect such traffic using outbound filtering, Hession said.
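The logging-then-allowlisting procedure Cooper describes, as an added example in Python (this is not code from the article or from any of the experts quoted): it reads a period of outbound flow logs, counts what each internal host actually connected to, and emits a default-deny rule set that allows exactly those flows and drops and logs everything else. Flows on the services Cooper names as blocking candidates (outbound SMTP from anything but the mail relay, IRC) are not auto-allowed but handed to a human for review. The log format, the LAN range, the mail-relay address and the sample log lines are assumptions constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for the demo (not from the article):
LAN = ipaddress.ip_network("10.0.0.0/24")        # the internal network behind the router
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")   # the one host allowed to send SMTP outbound
# Outbound services that should not be allowed just because the logs show them.
REVIEW_PORTS = {
    ("tcp", 25): "SMTP from a non-relay host: spam bot or misconfiguration",
    ("tcp", 6667): "IRC: classic bot command-and-control channel",
}

# Assumed router log format, one flow per line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")


def parse_flows(lines):
    """Yield (src, dst, proto, dport) for every parseable line; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                   m.group(3), int(m.group(4)))


def summarize_outbound(lines):
    """Count outbound flows (LAN source, non-LAN destination) by (src, proto, dport)."""
    counts = Counter()
    for src, dst, proto, dport in parse_flows(lines):
        if src in LAN and dst not in LAN:
            counts[(str(src), proto, dport)] += 1
    return counts


def build_ruleset(counts):
    """Turn the observed flows into iptables FORWARD rules.

    Returns (rules, review): rules allows reply traffic plus exactly the flows
    seen during the logging period, then logs and drops everything else;
    review lists observed flows on REVIEW_PORTS that need a human decision.
    """
    rules = ["-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    review = []
    for (src, proto, dport), n in sorted(counts.items()):
        note = REVIEW_PORTS.get((proto, dport))
        is_relay_smtp = dport == 25 and ipaddress.ip_address(src) == MAIL_RELAY
        if note and not is_relay_smtp:
            review.append(f"{src} -> {proto}/{dport} seen {n}x: {note}")
            continue
        rules.append(f"-A FORWARD -s {src} -p {proto} --dport {dport} -j ACCEPT")
    rules.append("-A FORWARD -j LOG --log-prefix 'OUTBOUND-DENY '")
    rules.append("-A FORWARD -j DROP")
    return rules, review


# Constructed sample of a logging period: web browsing, relay mail, one host
# sending mail directly and talking IRC, one intra-LAN flow and one inbound flow.
SAMPLE_LOG = """\
src=10.0.0.12 dst=203.0.113.10 proto=tcp dport=80
src=10.0.0.12 dst=203.0.113.10 proto=tcp dport=443
src=10.0.0.13 dst=203.0.113.44 proto=tcp dport=80
src=10.0.0.25 dst=198.51.100.5 proto=tcp dport=25
src=10.0.0.13 dst=198.51.100.7 proto=tcp dport=25
src=10.0.0.13 dst=192.0.2.9 proto=tcp dport=6667
src=10.0.0.40 dst=10.0.0.25 proto=tcp dport=25
src=203.0.113.10 dst=10.0.0.12 proto=tcp dport=49152
""".splitlines()

if __name__ == "__main__":
    rules, review = build_ruleset(summarize_outbound(SAMPLE_LOG))
    print("\n".join(rules))
    print("\nNeeds review:\n" + "\n".join(review))
```

The output is only a starting point, as Cooper says. Note what it cannot do: port 80 gets an allow rule because every workstation browsed, and Hession's point is that a bot using port 80 for its command channel looks the same at this level. The fix for that is to send port 80 through the outbound proxy mentioned above, which sees the HTTP request and can apply URL and destination policy, rather than to rely on a bare port rule.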

Turn off JavaScript; don't give users administrative privileges

Turning off JavaScript would have prevented some of the Web-embedded ANI exploits from reaching the user via the browser, Ullrich said. Restricting administrative privileges would have mitigated the fallout from an exploit by ensuring that a remote hacker wouldn't gain full administrative control of a system.

Ultimately, "you are less likely to go into emergency patch mode if you have other measures in place" for dealing with such threats, said Ken Dunham, director of Verisign's iDefense rapid response team.

Such measures include content filtering at the gateway for ANI files, keeping antivirus software updated, using Snort signatures to identify and respond to possible attacks from remote sites, and user education, Dunham said.
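As an added example in Python (not code from the article or from any of the experts quoted), the attachment policy Cooper describes above and the gateway content filtering for ANI files Dunham mentions, combined: attachments are admitted only if their extension is on a business-specific allowlist, and every attachment's bytes are checked for the animated-cursor signature regardless of extension, because an extension is trivially renamed. An .ani file is a RIFF container whose form type is "ACON", which is what the check looks for. The allowlist, the addresses and the sample message are assumptions constructed for the demonstration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption for the demo: the attachment types this business has decided it needs.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".zip"}


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes carry a Windows animated cursor.

    An .ani file is a RIFF container: bytes 0-3 are 'RIFF', 4-7 the chunk
    size, and 8-11 the form type, which is 'ACON' for animated cursors.
    Checking the content means a renamed file (cursor.ani -> photo.jpg)
    is still recognised.
    """
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def check_attachment(filename: str, data: bytes):
    """Return (allowed, reason) for one attachment under the policy."""
    ext = os.path.splitext(filename)[1].lower()
    if looks_like_ani(data):
        return False, f"{filename}: animated cursor (RIFF/ACON) content behind extension {ext or 'none'}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"{filename}: extension {ext or 'none'} is not on the allowlist"
    return True, f"{filename}: allowed"


def filter_message(raw: bytes):
    """Apply the policy to every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        check_attachment(part.get_filename() or "(unnamed)",
                         part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    ]


def build_sample_message() -> bytes:
    """Constructed test message: one approved attachment, one renamed ANI, one unapproved type."""
    msg = EmailMessage()
    msg["From"] = "partner@example.org"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Q2 figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    # RIFF header, size, 'ACON' form type, then a minimal 'anih' chunk:
    # an animated cursor shipped under an image name.
    ani = (b"RIFF" + (16).to_bytes(4, "little") + b"ACON"
           + b"anih" + (4).to_bytes(4, "little") + b"\x00" * 4)
    msg.add_attachment(ani, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for allowed, reason in filter_message(build_sample_message()):
        print("ALLOW " if allowed else "REJECT", reason)
```

The order of the two checks matters: the content check runs first, so a renamed cursor is rejected even when it hides behind an approved extension. In a deployment this logic sits in the mail gateway's content filter, and the allowlist is the list of types the business actually needs, as Cooper puts it, not a list of types believed to be benign.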

Jaikumar Vijayan

Computerworld