
eEye Digital Security Confirms New Class of Signature-less Threat with Discovery of Critical Security Flaw for Windows.


ALISO VIEJO, Calif. -- WMF-like vulnerability discovered by security leader eEye represents a growing trend of signature-less flaws that use social engineering to target users

eEye Digital Security(R), the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced the discovery of a critical security vulnerability related to Microsoft (NASDAQ:MSFT) Windows(R). This flaw represents a rapidly growing class of client-side flaws that cannot be stopped by legacy security technologies and allow an attacker to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing or deleting data. This vulnerability puts Internet users at risk when they visit a website that, unbeknownst to the user, has a malicious font file embedded in the web page. The unsuspecting user visiting the website is now exposed to attackers who could use this font file to run whatever commands they wish.

"This type of 'signature-less' vulnerability represents a quickly spreading class of security flaws that are widespread and extremely difficult to guard against using legacy security technologies such as anti-virus and network-based intrusion prevention tools," said Marc Maiffret, eEye's co-founder and chief hacking officer. "Socially engineered flaws like this one and last week's WMF zero-day can be among the most damaging to businesses because of the ease with which they allow attackers to gain access to a company's internal network and resources. This growing class of threat underscores the increasing need for enterprises to deploy Blink or other comprehensive, non-signature-based HIPS solutions. This is the only way an enterprise will be able to make itself zero-day immune."

In addition to legacy security technologies, attacks based on this flaw will also evade more recently introduced behavior-based intrusion prevention systems that "learn" the correct behavior of a system in order to detect attacks. More importantly, since this vulnerability has been socially engineered to fool a user into visiting a malicious website, it is likely that attackers will use this flaw to target specific institutions, masquerading as some type of official notification directing the user to a specific website.

The vulnerability exists in the default method used by Microsoft to de-compress Embedded OpenType fonts and affects all Windows operating systems including legacy Windows NT, Windows 98 and Windows ME systems as well as Windows 2000, Windows XP, and Windows 2003. Many additional products leverage this Microsoft component as well, including Internet Explorer and other third-party browsers, Instant Messaging clients and applications that load web content directly. Any user that visits a website with the malicious file embedded within the text could allow an attacker to run code on the affected system.

eEye Digital Security customers using Retina, the company's award-winning network security scanner, can update their scanner to detect systems vulnerable to this issue and verify if this month's Microsoft patches are installed. Unlike signature-based solutions, such as anti-virus or behavior-based solutions, current Blink customers aren't required to do anything to realize protection from this flaw, as no updates or policy changes are required. For those interested in protecting corporate systems with Blink, an evaluation version is available for download on eEye's website: http://www.eEye.com/Blink.

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.

As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum web seminar during the second week of every month. These Vulnerability Expert Forums enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructure. To register for the January Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.

About Blink(R) Endpoint Vulnerability Prevention

Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage yet unknown vulnerabilities within enterprise networks. This comprehensive security solution allows organizations to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by "panic" patching. Additionally, Blink eliminates the problem of so-called "socially engineered" security threats in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks.

eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's product portfolio also includes Retina(R) Network Security Scanner, REM(TM) Security Management Console, Iris(R) Network Traffic Analyzer and SecureIIS(TM) Web Server Protection.

About eEye Digital Security

eEye Digital Security(R) is the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education. eEye's award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye's customers, Citigroup and the U.S. Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,500 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please visit www.eEye.com.

All trademarks contained within this press release are the sole property of their respective owners and are hereby acknowledged.
COPYRIGHT 2006 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Business Wire
Geographic Code:1USA
Date:Jan 10, 2006