Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:


  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Pawan Kinger (Director, Deep Security Labs)




    There are now less than two weeks left until Microsoft terminates support for the incredibly long-lived Windows XP. Rarely has a tech product lasted as long as XP has – from XP’s launch on  October 25, 2001 to its last Patch Tuesday on April 8, 2014 a total of 12 years, 5 months, and two weeks will have passed. Despite that, as of the month of February, StatCounter data indicated that almost one in five PCs still used Windows XP.

    There has been plenty of concern—and in some quarters, hysteria—over this event. When it would happen has been known for some time. Informed users also know that Windows XP was developed in very different circumstances—the famous Bill Gates trustworthy computing memo was sent after Windows XP had been developed and released to the public.

    The end of support for Windows XP concretely means two things: newly discovered vulnerabilities in Windows XP will not be patched anymore, nor will they be documented and acknowledged by Microsoft. This represents an increase in the risk of using Windows XP. Over time, this risk will increase as more issues are found and exploited –  although it may also fall, as the ever-decreasing numbers of Windows XP users means it will no longer be worthwhile to create exploits for an aging operating system.

    However, managing and mitigating risks is what security is all about. We will continue to provide our customers with the necessary tools to help manage the risks facing Windows XP systems. The most valuable tool in managing these risks is virtual patching/vulnerability shielding; products like Deep Security and OfficeScan with the Intrusion Defense  Firewall (IDF) module  scan and inspect network traffic before they reach the user’s applications, providing an opportunity to protect servers and endpoints from vulnerabilities.

    Another solution can be in hardening the endpoints. Endpoint security software will still protect users, if the security software vendor provides continued support for their products. (Trend Micro will continue to provide support for our endpoint software on Windows XP until 2017.) In addition, locking down these systems may be even more appropriate. For example, Trend Micro Endpoint Application Control can help lock down systems by preventing unwanted and unknown applications and processes from running.

    The underlying point is this: yes, Windows XP’s end of support is something that people should worry about—but it  is something that can be planned and prepared for. The tools and expertise are available for users to help protect their systems and networks as needed. We have prepared a primer titled Managing Your Legacy Systems to go into this topic in more detail.

     
    Posted in Vulnerabilities | Comments Off



    About two weeks ago, Oracle published a blog post describing – and promising – to improve the security of Java. Since then, I’ve been asked a few times: what exactly did they say, and what does it mean for end users?

    First, Oracle talked about how they’re now handling security patches. They pointed out how recent patches had, in fact, solved more security holes than previous patches. What’s more important to take away is that Java’s update schedule has been brought in line with other Oracle products: it will receive patches every three months, starting in October of this year. This should help get potential problems fixed more quickly before they are exploited by attackers. Of course, Oracle will continue to deliver out-of-band updates as needed for critical vulnerabilities.

    Java has also been brought under Oracle’s Software Security Assurance policies. As part of this, for example, Oracle will now use automated security testing tools to prevent regressions and new issues from showing up when a bug is fixed. This is welcome news, as it means that bugs will be patched more quickly in the future.

    Next, they discussed how they had been working to improve the security of Java as it is used in browsers. More important than the discussion of what was done in the past is what Oracle will implement soon: future Java versions will no longer allow unsigned or self-signed apps to run. It’s not clear when this will happen, but if it does, it will be a significant increase in Java security. It means that attackers will have to acquire or compromise a code signing key to get their Java applets to run: while this will not stop a truly determined attacker, less targeted attacks will fail.  In addition, Oracle is also working to improve how Java processes revoked signing signatures, so that this process can be turned on by default at a later time.

    For enterprise users, there’s good news too. Future versions will add support for security policies enforced by Windows itself, so that system administrators can set network-wide policies that can restrict or relax Java usage without having to set these per system. In addition, a new type of Java distribution – Server JRE – is being created specifically for servers running Java apps. This distribution will have several libraries removed to reduce the potential attack surfaces.

    All of these changes are for the better – Oracle is acknowledging that there have been challenges when it comes to Java security in the past, and they’re working hard to improve it moving forward. We appreciate these efforts and hope that they succeed in reducing the threat from Java exploits, which is completely in line with Trend Micro’s goal of creating a world safe for exchanging digital information.

    In the meantime, we strongly urge that users do their part to keep their Java installs safe: update to the latest version of Java. We earlier discussed how to secure Java in the blog post How to Use Java – If You Must.

     
    Posted in Vulnerabilities | Comments Off



    In my previous blog post, I discussed some key takeaways that I got from the talks I attended in the recently concluded RSA 2013 in San Francisco, California. This time around, I want to share in length, some of these noteworthy sessions.

    Innovation Sandbox

    Innovation Sandbox was a packed session that Hugh Thompson ran quite deftly. Ten startups were selected and given three minutes to explain their technology, followed by a two-minute question-and-answer session, with questions coming from the judging panel, made up of industry experts.

    All the company representatives talked about what they were doing and had to prove why their solution would work and generate revenue in the future. A white board session followed where thoughts from the audience were taken and put on an online whiteboard. 

    The participants also had the opportunity to meet (or “date”, as they put it) with potential investors in an igloo-styled hut. Winners from previous years were also present to share their experiences and mingle with the participants.

    Panel discussion on future of end point security

    This panel discussed how changes in end-points are changing the security landscape. Bring Your Own Device (BYOD) and Virtual Desktop Infrastucture (VDI) are ensuring that enterprises no longer have the same control over theirs networks and devices that they had in the past. Solutions such as traffic filtering, network access control (NAC), software defined security (SDS) vs. traditional solutions were discussed. There was no definitive answer  – each technology has its uses, pros, and cons – but the points that came out from these discussions were quite insightful.

    Awareness Doesn’t Matter: A Behavior Design Approach to Securing Users

    This session talked about how user behavior could be used to trigger potential security alerts. This is an interesting area for research, but in actual usage is prone to false positives. However, in situations where security is an absolute must and false positives can be tolerated, this may be of use.

    Malware Hunting with Sysinternals

    Mark Russinovich, the author of the Sysinternals tools suite,  gave a brilliant talk about what’s new with Sysinternals tools and how these can used for malware analysis. His aim was to show how to carry out a quick analysis if there are any suspicious files on a system. He also discussed future developments, like more color coding for faster visualization of event. Russinovich kept the tone of his talk light, thanks to his wit and sense of humor.

    Read the rest of this entry »

     
    Posted in Targeted Attacks | Comments Off



    The annual RSA Conference is perhaps the biggest gathering of information security professionals from around the world. The topics that were discussed this year ranged from cloud security, mobile security to behavior based solutions.

    With 22,000 participants, this year’s conference had a huge turnout. RSA 2013 was the perfect venue to pick-up the latest information about varied security topics, gather thought-provoking insights, and network with other experts and colleagues.

    During the conference, I attended several interesting talks, which I will discuss in detail my next blog post. For now, I will share with you my high-level takeaways from these discussions:

    • There is an increased involvement and interest from the government, which was evident from the buzz generated by the recent White House executive order on cybersecurity. Both the government and security industry expressed the desire for tightening cybercrime laws. The government encouraged more participation from the private sector and work as one. The Department of Homeland Security (DHS) also announced its initiative to share real time classified threat information with security vendors.
    • Cloud Security was well discussed and generated a lot of interest from users.  A good part of the first day was dedicated to the Cloud Security Alliance Summit. There were some interesting keynotes from Mark Weatherford of DHS,  former American Express CEO Jim Robinson, and Trend Micro Vice President of Cloud Security Dave Asprey. Some of the key issues of cloud security were highlighted and best practices were discussed.

    Read the rest of this entry »

     
    Posted in Malware, Mobile, Targeted Attacks | Comments Off



    Much is being talked about the Oracle fix being incomplete for the recent Java 0-day for CVE-2013-0422. In this post, we would like to take this opportunity to clear a few items around it.

    Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete. There are two issues in this CVE. One is with the findclass method of com.sun.jmx.mbeanserver.MBeanInstantiator class. The other is with invokeWithArguments() method of the java.lang.invoke.MethodHandle class. Oracle has fixed the latter but findclass method can still be used to get a reference to restricted classes. To simplify, the issue in findclass method still leaves a hole that could be used with another new vulnerability.

    We would also like to clarify another point, this time concerning CVE-2012-3174. As opposed to some reports, it is NOT the issue with the Reflection API. The Reflection API issue is fixed as a part of CVE-2013-0422. To quote the National Vulnerabilities Database (NVD) verbatim “NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422.”

    Read the rest of this entry »

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice