How to mitigate Drive-by-Downloads Attacks

24 January 2014

Bad news for Adobe Flash Player users. A new critical vulnerability (CVE-2015-0311) was found in Adobe Flash Player 16.0.0.28… Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

In the Adobe Security Bulletin we read ‘We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.’

Drive-by-download (DbD) attacks are a often used technology to exploit vulnerabilities in programs. In his post ‘How malware works: Anatomy of a drive-by download web attack’ John Zorabedian from SOPHOS gives a detailed description about how DbD attacks work.

The shocking fact is: It’s not even necessary to click a link on the malicious site. If you just load the site the malware download could start, automatically and silently in the background.

The good news is that we could almost completely deactivate this feature, namely without considerable comfort loss. The Security Technical Implementation Guide (STIG) for Internet Explorer 11 shows the direction.

STIG’s are primarily used to secure the information systems of the Departments of Defense, but this should not deter us from using STIGs to secure our systems at home, and of course in our businesses.

STIGs are available from http://www.stigviewer.com/stigs for operating systems, web servers, databases or applications. They are an excellent means to secure the devices that are connected to the internet against malicious attacks. But, be aware that 100% safety could not be achieved.

Applying STIGs to Microsoft operating systems and applications is very easy if you are familiar with the registry editor regedit.exe and the local group policy editor gpedit.msc. Since only standard windows security options are used the recommended settings could be applied to all computers.

Back to the Drive-by-Download attacks. To prevent DbD attacks we have to configure Internet Explorer such that downloads not consented by the user are blocked. Sound’s easy, doesn’t it? We have just to work through the STIG for Internet Explorer 11 and implement the relevant fixes:

Step 1: Block non user-initiated file downloads

The DoD requirements block unconsented downloads from the Restricted Sites Zone and the Internet Zone. Since I would not trust computers in local networks as well I would strongly recommend to block unconsented downloads from all zones.

Implement at least Fixes from Finding Ids V-46705 and V-46643

Step 2: Block non user-initiated file downloads for Internet Explorer Processes

Implement Fixes from Finding IDs V-46779 and V-46781

Step 3: Enforce Protected Mode

Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. I would recommend to enforce protected mode for all zones.

Implement at least Fixes from Finding IDs V-46685 and V-46681

Step 4: Enforce Enhanced Protected Mode on 64 bit Windows Systems

Implement Fix from Finding ID V-46987

That’s it for today. Please keep in mind that 100% safety could not be achieved, even if you implement the 155 fixes from the IE11 STIG.

Don’t Panic! And have a good weekend.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s