How to Protect Yourself against a Buffer Overflow Attack with Gateway Antivirus

by Benjamin Z. Rice
From time to time people ask us how to protect themselves against the vulnerabilities and hacker techniques currently in use. We keep an eye on this
seedy underworld and, hopefully, protect our customers before they have a problem.
We believe that all users should have both a gateway and a desktop solution for antivirus, antispyware, and firewall. Our testing indicates that a properly
configured and capable gateway solution should stop 95-99% of all attacks, viruses, spyware, and vulnerabilities. The small amount that does get
through should be stopped by desktop software.
What is a Buffer Overflow?
The basic idea of a buffer overflow such as the JPG exploit (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx) is to supply a JPG file with an
invalid header, taking advantage of a bug in the JPG-parsing code that does not check header values: it simply trusts JPG images to be formatted properly. By
supplying a buffer that is too long, the code that reads the buffer is made to overwrite an adjacent block of memory. If that buffer is stored on the stack, the
overflow can overwrite the return address of the faulty function. Since the code executes the same way every time, and since it is generally (but not always)
loaded at the same addresses, an attacker can predict precisely what will be overwritten and craft the offending input so as to take control of the
machine.
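As an added illustration (not code from the article or from WinProxy), the following C program models the unchecked-length bug described above with a constructed toy image format: a three-byte magic, a big-endian two-byte segment length that counts its own two bytes, and a comment body, roughly the shape of a JPEG comment segment. The trusting parser copies into a fixed stack buffer with no checks; the checked parser validates the declared length against both the data actually received and the destination buffer before copying, and rejects a declared length below 2, which would otherwise wrap to a huge value on subtraction. All names, constants and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64   /* fixed-size stack buffer, as in the trusting parser */

/* Constructed toy format (not real JPEG): "IMG", then a big-endian 16-bit
 * segment length that includes its own two bytes, then the comment body. */
enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_BAD_LENGTH,
                    PARSE_TRUNCATED, PARSE_TOO_LONG };

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Trusting parser: the shape of bug the article describes. It believes the
 * length field and copies into a fixed stack buffer. With seg_len < 2 the
 * subtraction wraps to a huge size_t; with a large seg_len the memcpy runs off
 * the end of buf and over the saved return address. main() below only ever
 * feeds it the well-formed sample. */
void comment_unchecked(const uint8_t *file)
{
    char buf[COMMENT_MAX];
    const uint8_t *seg = file + 3;
    uint16_t seg_len = read_be16(seg);
    size_t body_len = seg_len - 2;        /* no check: wraps when seg_len < 2 */
    memcpy(buf, seg + 2, body_len);       /* no check: overruns buf when too long */
    printf("unchecked comment: %.*s\n", (int)body_len, buf);
}

/* Checked parser: validates every value the file supplies before it is used
 * as a size or an offset, and fails closed with a distinct error code. */
enum parse_result parse_comment_checked(const uint8_t *file, size_t file_len,
                                        char *out, size_t out_cap)
{
    if (file_len < 5 || memcmp(file, "IMG", 3) != 0)
        return PARSE_BAD_MAGIC;
    uint16_t seg_len = read_be16(file + 3);
    if (seg_len < 2)                          /* would wrap on subtraction */
        return PARSE_BAD_LENGTH;
    size_t body_len = (size_t)seg_len - 2;
    if (body_len > file_len - 5)              /* would read past the received data */
        return PARSE_TRUNCATED;
    if (out_cap == 0 || body_len >= out_cap)  /* would write past out (keep room for NUL) */
        return PARSE_TOO_LONG;
    memcpy(out, file + 5, body_len);
    out[body_len] = '\0';
    return PARSE_OK;
}

/* Constructed samples. */
static const uint8_t SAMPLE_GOOD[]      = { 'I','M','G', 0x00,0x07, 'h','e','l','l','o' };
static const uint8_t SAMPLE_UNDERFLOW[] = { 'I','M','G', 0x00,0x01 };              /* seg_len 1 */
static const uint8_t SAMPLE_OVERSIZE[]  = { 'I','M','G', 0x7F,0xFF, 'a','b','c' }; /* claims 32765 bytes */

static char g_out[COMMENT_MAX];

/* Parse a sample into the shared output buffer and report the verdict. */
enum parse_result check_sample(const uint8_t *file, size_t file_len)
{
    return parse_comment_checked(file, file_len, g_out, sizeof g_out);
}

/* Build a well-formed file with an n-byte comment (n <= 200) and parse it:
 * shows the checked parser refusing bodies that would not fit in g_out. */
enum parse_result check_long_comment(size_t n)
{
    uint8_t file[5 + 200];
    if (n > 200) n = 200;
    memcpy(file, "IMG", 3);
    file[3] = (uint8_t)((n + 2) >> 8);
    file[4] = (uint8_t)((n + 2) & 0xFF);
    memset(file + 5, 'A', n);
    return check_sample(file, 5 + n);
}

int main(void)
{
    enum parse_result r = check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    printf("good:      %d (%s)\n", r, g_out);
    printf("underflow: %d\n", check_sample(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW));
    printf("oversize:  %d\n", check_sample(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    printf("100-byte:  %d\n", check_long_comment(100));
    comment_unchecked(SAMPLE_GOOD);   /* safe only because this sample is well-formed */
    return 0;
}
```

The two parsers differ only in the three checks, which is the whole fix: a length taken from the input must be validated against what was received and against where it will be written before it is used. Stack protectors and address randomization make the overwrite harder to exploit reliably but do not remove the bug.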
Similar attacks have been documented using malformed HTTP response headers that cause buffer overflows in browsers and can be used to compromise a machine. Basically,
any time a piece of code can be crashed by overflowing a buffer located on the stack, the machine can be compromised relatively easily. When I
say compromised, I mean that a remote attacker can gain full control over the machine.
There are several ways to compromise a computer with a buffer overflow. The most notable recently has been the JPG vulnerability. A similar vulnerability has been
documented in Linux and Windows with PNG files. Historically, both Nimda and Code Red exploited buffer overflows to compromise web servers.
For this reason, it is very important for customers to use a solution like WinProxy that can scan ALL traffic, including images. WinProxy detects the JPG
buffer overflow exploit and most other documented buffer overflow exploits, and can protect your customers from these types of attacks. Other vendors
recommend against scanning images, because their products fall on their face if they scan everything. We have the performance and scalability to scan
all traffic, including images, and I highly recommend that each customer's gateway be configured to scan all traffic, to protect them from precisely this type of attack.
Furthermore, when a buffer overflow is used, only a very limited amount of code can be run during the exploit (usually a maximum of 100-200 bytes of
code). For this reason, the attacker typically uses the exploit to download additional code onto the machine, and it is that code which gives the attacker full control of
the machine. Gaining control of the machine without downloading additional code is practically (though not totally) impossible. For this reason, customers
should use a gateway device with anti-spyware capabilities, like WinProxy, or at least enable executable blocking at the gateway, to prevent this type of attack.
Even if an attacker were to exploit a buffer overflow, they are unlikely to complete the attack without downloading additional executable code, and WinProxy
anti-spyware policies will typically thwart this second stage of the attack.
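Added example, not part of the article or of the WinProxy product: a content-based check of the kind a gateway could apply to implement the "executable blocking" mentioned above. It recognizes a Windows PE file from its MZ header and PE signature rather than from the Content-Type or filename, because a second-stage download can be served under any label the server chooses. The e_lfanew offset is read from the file itself and is bounds-checked before it is followed. The function name and the sample byte arrays are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read, the byte order PE headers use. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 1 if the bytes are a Windows PE executable: an "MZ" DOS header whose
 * e_lfanew field (offset 0x3C) points at a "PE\0\0" signature that lies
 * inside the data. The declared Content-Type and filename are not consulted. */
int looks_like_pe(const uint8_t *data, size_t len)
{
    if (len < 0x40 || data[0] != 'M' || data[1] != 'Z')
        return 0;
    uint32_t pe_off = read_le32(data + 0x3C);
    /* e_lfanew comes from the file: bounds-check it before reading through it. */
    if (pe_off > len - 4)
        return 0;
    return memcmp(data + pe_off, "PE\0\0", 4) == 0;
}

/* Constructed minimal PE stub: MZ at 0, e_lfanew = 0x40 at 0x3C, "PE\0\0" at 0x40. */
static const uint8_t SAMPLE_PE[0x44] = {
    'M','Z', [0x3C] = 0x40, 0x00, 0x00, 0x00, [0x40] = 'P','E', 0x00, 0x00 };

/* Same stub but e_lfanew points far outside the data: rejected, never dereferenced. */
static const uint8_t SAMPLE_BAD_OFFSET[0x44] = {
    'M','Z', [0x3C] = 0xF0, 0xFF, 0xFF, 0xFF };

/* Start of a JPEG (SOI + APP0 "JFIF"), zero-padded: not an executable. */
static const uint8_t SAMPLE_JPEG[0x44] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J','F','I','F', 0x00 };

int main(void)
{
    /* The labels are what a response might claim; the verdict ignores them. */
    printf("image/jpeg  (really PE)  -> block=%d\n", looks_like_pe(SAMPLE_PE, sizeof SAMPLE_PE));
    printf("image/jpeg  (JPEG)       -> block=%d\n", looks_like_pe(SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    printf("MZ with bad e_lfanew     -> block=%d\n", looks_like_pe(SAMPLE_BAD_OFFSET, sizeof SAMPLE_BAD_OFFSET));
    printf("PE cut off before PE sig -> block=%d\n", looks_like_pe(SAMPLE_PE, 0x42));
    return 0;
}
```

A real gateway would run this on the first bytes of every response body (executables can also arrive inside archives, which this check does not open); the point is that the decision is made on content the attacker cannot relabel rather than on a header or extension they control.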
Antivirus scanning of the secondary download will not typically identify the malicious code, since antivirus engines only recognize known malicious code and
exploits, and a hacker mounting this type of attack is unlikely to use known malicious code, as it would be detected by a desktop antivirus engine. Moreover,
during the course of this attack a desktop antivirus engine is unlikely to prevent it, since the exploit happens entirely in memory and antivirus engines
generally only monitor disk activity. A gateway solution may be the last and only line of defense. Gateway antivirus should be able to scan for viruses on HTTP,
FTP, POP3, SMTP, SOCKS and NEWS, and should allow the virus-scanning policies to be configured. WinProxy has these capabilities and includes an anti-spyware solution
that represents a new approach to this growing problem. The WinProxy solution:
· Prevents spyware from reaching the desktop
· Blocks Spyware from 'phoning home'
· Allows users to use their computers again without obstacles
· Doesn't impede the business process.
The WinProxy anti-spyware solution is deployed at the gateway (the interconnection between your network and the Internet), eliminating the typical management and
deployment issues. WinProxy is the preferred high-performance software proxy platform for customers who need secure content management (e.g., Stealth Firewall,
Gateway Antivirus, Gateway Anti-Spam, Anti-Phishing, URL filtering). WinProxy has proven to be one of the few network-viable solutions for controlling and
scanning Web traffic for viruses, spyware, spam, and inappropriate or dangerous web sites. Free Download at www.winproxy.com