“Zero-day” attacks and using limited privilege


There have been a couple of credible-sounding stories in the press in the past week or two about zero-day attacks – that is, the malicious exploitation of vulnerabilities that were previously unknown and for which no fix is yet available.  I think we’re going to start seeing more of these, as the bad guys better understand the economic value of finding and exploiting vulnerabilities.


Hackers used to be satisfied just vandalizing web sites.  The next cool game was to find a bug and be the first to publicize it – and yourself for finding it.  Many of these “analysts” now play the game more responsibly, alerting the vendor first and not publicizing the vulnerability until the vendor releases a patch.  And of course there are the malware writers, releasing often poorly written worms, trojans, etc. such as Sasser into the wild and getting big headlines.  The damage many of these have done, though, has often been limited to consumption of network bandwidth and the time of IT administrators.  Very few of them have exploited vulnerabilities for which no fix was yet available.


In the past year or so, we’ve started seeing the increasing spread of malware with an economic purpose.  In particular I’m thinking of the ones that allow users’ computers to be controlled by spammers.  Many Internet domains and IP address ranges have become known for hosting spammers and end up on spam-filter blacklists.  By turning your computer into a zombie and having their bulk mail originate from your DSL line, spammers bypass these filters.  Why do they go to all this trouble, and even break the law?  Because they make a lot of money doing it!  Spam still generates big revenue.  We’ve also seen increases in phishing and spyware – ways to get your private information for someone else’s illegal gain.


I think we can expect to see more cases where people who find new security vulnerabilities will not alert the vendor or otherwise publicize their findings, but instead use the information for financial gain, by installing spyware and spam engines on victims’ computers — particularly when the “researchers” and/or the people they do business with live in places like Russia where the legal risks are relatively small.


So what does this have to do with running as a Limited User?  Will running as a Limited User rather than an Administrator keep you safe against these zero-day attacks?  Well, it depends on the attack.  If the exploit attacks an operating system service that listens on the network, as Sasser and Blaster did, then it doesn’t even matter whether anyone is logged on, let alone whether they are an admin: the service already runs with system privileges.  (Use a firewall to block inbound connections to those services.)  But if the vulnerability is exploited through your web browser, email, IM, internet-connected game, etc., then the malicious code runs inside that program, with your privileges, and can do anything you can do.  See the “#1 reason” paragraph of Why you shouldn’t run as admin for why this matters so much.  Running as Limited User might block the attack completely (if the payload needs to write to Program Files, HKLM, or install a service, it simply fails), and in any case it will certainly limit what the attack can accomplish.
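As an added illustration (not part of the original post): the PowerShell script below probes, from whatever account runs it, the kinds of changes a payload delivered through the browser or mail client would attempt, and reports which ones the account’s token allows.  Run it once as a Limited User and once as an Administrator and compare.  PowerShell (3.0 or later is assumed) post-dates this post, but the registry and file-system ACLs it exercises are the same ones that govern a Limited User.  The value and file name DemoLUAProbe is hypothetical and is removed again by the script.

```powershell
# Added example, not code from the original post. Probes what a process running
# as the current user can and cannot modify, to show what an exploit payload in
# your browser/e-mail client would be allowed to do with your privileges.

function Test-IsAdmin {
    # True only if the current token actually holds the Administrators group
    # (a UAC-filtered admin token reports False, like a Limited User).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Probe {
    # Runs one probe and records ALLOWED, or DENIED plus the underlying exception type.
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action
        [pscustomobject]@{ Probe = $Name; Result = 'ALLOWED' }
    } catch {
        $ex = $_.Exception.GetBaseException()
        [pscustomobject]@{ Probe = $Name; Result = "DENIED ($($ex.GetType().Name))" }
    }
}

$machineRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$userRun    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName  = 'DemoLUAProbe'   # hypothetical name used only for this demo

"Running as admin: $(Test-IsAdmin)"

$results = @(
    # Machine-wide persistence (runs for every user at every logon). Needs admin.
    Invoke-Probe 'Write HKLM Run key' {
        New-ItemProperty -Path $machineRun -Name $valueName -Value 'calc.exe' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $machineRun -Name $valueName -ErrorAction SilentlyContinue
    }
    # Per-user persistence (runs only for this account). A Limited User CAN do this.
    Invoke-Probe 'Write HKCU Run key' {
        New-ItemProperty -Path $userRun -Name $valueName -Value 'calc.exe' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $userRun -Name $valueName -ErrorAction SilentlyContinue
    }
    # Replacing a program binary that every user runs. Needs admin.
    Invoke-Probe 'Create file under Program Files' {
        $f = Join-Path $env:ProgramFiles "$valueName.txt"
        [IO.File]::WriteAllText($f, 'probe')
        Remove-Item $f -ErrorAction SilentlyContinue
    }
    # Dropping a file into System32 (what a worm payload would want). Needs admin.
    Invoke-Probe 'Create file under System32' {
        $f = Join-Path (Join-Path $env:SystemRoot 'System32') "$valueName.txt"
        [IO.File]::WriteAllText($f, 'probe')
        Remove-Item $f -ErrorAction SilentlyContinue
    }
    # Writing to the user's own profile: allowed either way, which is why a
    # Limited User still limits rather than eliminates what malware can do.
    Invoke-Probe 'Create file under user profile' {
        $f = Join-Path $env:USERPROFILE "$valueName.txt"
        [IO.File]::WriteAllText($f, 'probe')
        Remove-Item $f -ErrorAction SilentlyContinue
    }
)

$results | Format-Table -AutoSize
```

As a Limited User, expect the HKLM, Program Files and System32 probes to come back DENIED while the HKCU and profile probes come back ALLOWED: a payload can still plant itself in your own profile and Run key, but it cannot touch the machine-wide locations that would let it survive a reinstall of your account or affect other users.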


Running as Limited User does not by itself make you secure, but it is an important piece of defense in depth.  It is vitally important to use a firewall and to keep up-to-date on patches and anti-virus signatures.  These will block many of the bad things out there from affecting you.  But there are exploits that will bypass all of these.  In these cases, running as Limited User may be the only line of defense you’ll have left.



Comments (14)

  1. bilbo says:

    why are they called "zero-day" attacks?

    just curious

  2. It refers to the number of days from public disclosure of the vulnerability to exploitation of the vulnerability. "Zero-day" could be a malware author who manages to construct and launch a worm the same day that the patch came out, or that the discoverer launched an attack without publicly disclosing the vuln.

    Worm authors are getting faster, so it is becoming increasingly important to install patches quickly. My contention is that we’re going to be seeing more cases of the second variety.

  3. Your blog gave me an idea. If software development companies like Microsoft gave more attention to individuals who privately revealed holes, then perhaps those attention-hungry hackers would choose the amiable way of capturing the public eye. They know they will get attention if they exploit the hole, but if they knew they would get attention if they revealed it responsibly, they may be more apt to.

  4. I agree completely, Jeremy. In fact, this has already been Microsoft’s policy for several years:

    http://www.microsoft.com/technet/security/bulletin/policy.mspx

  5. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  6. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  7. About a year ago I was reading something (blog, article, billboard, I

    don’t know what) that was talking…

  8. redxii says:

    "But if the vulnerability is exploited through your web browser, email, IM, internet-connected game, etc., then the malicious code can do anything you can do."

    I have seen the light, a limited account stopped, not mitigated damage of, the HTML Help exploit!

  9. E-dave says:

    Do programs like Prevx do anything incompatible with virus protection software or firewalls?

  10. Mike says:

    It is possible on a computer to make another administrator account. In doing this, if one gets hacked into or w/e, then you can get on your backup one that should have all your main games and programs on it and clean the other account or even delete it, with your passworded permission of course.

  11. Jake Tobash says:

    OK, this all sounds very good. I like the idea of having users use LUA or FUS in order to run their web apps ONLY in LUA mode. Then, they can switch back to admin for all the regular apps (OFFLINE only allowed at my co.) without any sort of restrictions on the SW. Many web apps have no sort of full Windows compatibility (BAD programming), so I just tell them "If it accesses the net at all, it must be run in LUA mode." So far, everything has worked out.

  12. Table of Contents – blog posts on Aaron Margosis’ Non-Admin WebLog