Thursday, July 27, 2006

New Anti-Exploit Tools

Hi folks,

This has been an exceptionally busy month for us - fortunately not because of any specific new bad-guy activity. But we're making sure we're as ready as we can be for the next onslaught, with the release of (1) an SDK (Software Development Kit) that encapsulates our exploit scanner and (2) the first product to use the SDK, called LinkScanner.

The purpose of the SDK is to allow other software companies to incorporate our technology into their products with a minimum of fuss, and the purpose of LinkScanner is to allow people to test URLs for malicious content. LinkScanner is really simple. You just enter a URL into the entry box, and our server tests it.

Some services that offer this kind of thing rely on cached results in a database, which are only as good as the last time their spiders tested it, but LinkScanner works in real time and always delivers fresh and current results.

It's proving hugely popular. Give it a try at It's fun.


Tuesday, July 04, 2006

Stockpiling Browser Exploits

Hi folks,

A really interesting development this month is that security researcher HD Moore has been stockpiling browser exploits, and is intending to release one per day for the month of July... see . What this means is that he has been finding vulnerabilities in browsers, and then proving it by providing a proof of concept (PoC) exploit for each of them.

Most will be Internet Explorer/Windows, and most will be denial of service (that is, IE crashers) as opposed to code-running exploits, but here's the potentially problematic part for users ... just about any application crash vulnerability can be turned into arbitrary code execution, if someone is determined enough to work at it. So there is an upside and a downside to what he's doing. The upside is that people can test their own browsers against his PoC and tell whether they are vulnerable, and more importantly, they can also use the PoC to test their defenses once they have a patch or some other form of defense in place. The downside is that the Bad Guys watch for these announcements too, and each one provides, if not a roadmap for them, a really good clue about how to exploit the vulnerability. Should HD have released them this way? That's a matter for individuals to decide for themselves, but at least it will force a clean-up of a bunch of browser bugs.

It does, however, present Microsoft with a dilemma. They can't possibly patch and test them all within the month (however many of the vulnerabilities turn out to be in Internet Explorer as opposed to some other browser), so which ones do they deal with first? And will the Bad Guys choose one, some or none to turn into code executors? And if they do attempt something, how long will it take them? We're watching with bated breath.

In the meantime, our plan is to simply add detection for them all as they're released, and monitor the situation. That way our users will be protected, and if the exploits never make it into the wild, we'll just remove the signatures at an appropriate time in the future.