Introducing Proactive Exploit Protection
Norton Security customers (and, in fact, anyone running Norton’s Windows client – 22.5.4 or newer) benefit from the introduction of a new protection framework called Protective Exploit Protection (PEP) that aims to better protect Windows devices from so-called “zero-day” attacks – attacks that attempt to exploit undiscovered and unpatched holes (or vulnerabilities) in Windows applications or in the operating system itself. PEP features three powerful protection techniques that will stop several types of prevalent zero-day attacks in their tracks.
A quick primer on the ‘zero-day’ ecosystem
Frequently, a security researcher or ethical hacker will discover a vulnerability in software they’re studying. They will then notify the affected software vendor and work with them to ensure a ‘patch’ is issued that resolves the underlying vulnerability. If, however, malicious attackers discover the vulnerability first, they may write code that can exploit the vulnerability in an attempt to gain unauthorized remote access to devices running the vulnerable software.
In the last couple years, we’ve seen a significant increase in the number of zero-day exploits being used in Internet attacks. There are a number of factors at play here, but our research leads us to believe that a significant driver of the recent uptick in zero-day exploits is due to an increasing level of cooperation and professionalization among attackers who are eager to exploit these vulnerabilities for profit.
Zero-day exploits: Increasing in frequency and impact
Number of zero-day vulnerabilities
Source: ISTR Internet Security Threat Report, Symantec 2015
How long are zero-day vulnerabilities typically exposed?
Our analysis shows that for the top five zero-day attacks that spread in 2014, it took software vendors an average of 59 days post-attack just to make a software fix available to their customers. That figure does not include either the time, up front, that those vulnerabilities stood undiscovered on people’s devices (typically months and even years in some cases), or the additional time necessary for people to actually apply the respective fixes.
Average Time to Patch Top 5 Zero-Day Vulnerabilities
Average patch time for top 5 zero day vulnerabilities in 2014 - 59 days
What can Proactive Exploit Protection do to protect against the threat of zero-day attacks?
Norton’s Proactive Exploit Protection technology works by recognizing a range of malicious behaviors that are common trademarks of zero-day attacks and subsequently blocking only software that exhibits those specific behaviors. One of the most exciting aspects of this approach is that it provides protection against attacks the moment vulnerable software is deployed, not if and when a vulnerability is eventually discovered or attacked. This is significant, because as it turns out, most zero-day attacks take advantage of vulnerabilities that have existed for many months and in some cases years without having been previously discovered.
How can Proactive Exploit Protection achieve better protection in the real-world?
Let’s take the example of a recent zero-day attack called Operation Pawn Storm that propagated earlier this year and which took advantage of a zero-day exploit in the widely deployed Java software environment.
To achieve its goal, the Operation Pawn Storm attack exploited a vulnerability in Java to disable a component known as the Java Security Manager. While Norton customers were protected relatively quickly in this case (about a day later), non-Norton customers running Java had to wait another two days until Oracle (the company that develops Java) issued a patch to protect Java customers from the Operation Pawn Storm attack. Unfortunately, many Java users remained unprotected even months later due to the somewhat hit-or-miss way in which people apply available software updates.
PEP’s Java protection technology aims not only to eliminate any lag time to protect our customers, but to further provide complete protection against the exploitation of Java zero-day attacks by blocking any code that attempts to disable the Java Security Manager, regardless of which novel vulnerabilities criminals discover in the future.
Operation Pawn Storm Timeline
Heap Sprays and Structured Exception Handlers
Beyond Java attacks, malware authors have focused on two other common attack categories in the past few years. Heap spraying refers to an attack that attempts to insert malicious code in pre-determined memory locations in the hope that it will be executed by a vulnerable application (typically a web browser or browser plug-in). Accordingly, PEP includes a heap spray prevention module that, in essence, pre-populates certain memory locations with benign code, effectively blocking such attacks from using those memory locations for nefarious purposes.
PEP also features a technique called Structured Exception Handler Overwrite Protection. As its name suggests, PEP will prevent malicious code from overwriting special Windows routines called Structured Exception Handlers, which are designed to tell a Windows PC what to do in case an exception (or unexpected event) crops up while running an application. An exception can be triggered by a number of irregular occurrences like a call to divide by zero or an attempt to access an invalid memory address. Windows maintains a set of unique ‘handler’ routines for each category. Unfortunately, clever attackers have figured out ways to hijack this exception handling mechanism by employing a three step approach:
- Write malicious code into a memory location.
- Overwrite Windows’ Structured Exception Handler routine for a particular exception (for example, an access violation) so that it now points to that malicious code.
- Trigger the appropriate exception so that Windows will reference the overwritten handler routine and be tricked into running the malicious code.
In this way, attackers in the past have been able to gain complete remote control of devices without the user doing anything more than navigating to a particular (hacked or malicious) website. PEP’s protection strategy here is simple: Watch for and prevent applications from overwriting Windows’ Structured Exception Handlers. In this way, PEP can protect against a large range of zero-day attacks that utilize this approach.
The promise that Proactive Exploit Protection holds
PEP is an exciting new framework that provides key advantages for Norton customers, enabling them to move from what could previously be deemed fast time-to-protection, to instant proactive protection that hardens a system, virtually patching underlying vulnerabilities even before they’ve been discovered. What’s more is that because of the nature of this behavior-based system, it does not rely on signature updates to remain effective. In a world where vulnerabilities sit unpatched and undiscovered for months or years and zero-day attacks are increasingly common, PEP is an important layer of protection that we believe will have a significant positive impact on our customers’ digital lives.