03 Dec Microsoft’s “Emergency Software Patches” Reveal the Absolute Inadequacy of Traditional and Nextgen Anti-virus and Endpoint Security Products.
On October 16, 2020, Microsoft published two out-of-band security updates, or “patches”, to address security issues in the Windows Codecs library and the Visual Studio Code application. These patches came almost immediately after Microsoft released its regular monthly batch of security updates (patching 87 vulnerabilities). Both of the vulnerabilities needing an immediate response are remote code execution flaws that allow attackers to run code of their choosing on affected systems. This means malicious code can run on your endpoint (a physical or virtual workstation or server, inside or outside a container, etc.) and do damage before your current antivirus software can act. I suspect Microsoft acted because systems were being actively attacked. These leaks had to be plugged.
The first thing to understand is that this news regarding emergency and regular security patches is not unusual. It’s not even news. Patching security vulnerabilities is an essential part of your enterprise’s cybersecurity practices, in part because Microsoft and others have failed to deliver solutions built to STOP any attacker trying to leverage these application flaws. It’s this failure that is the news.
I used to be responsible for the most widely used endpoint security software in the world, at the largest security company in the world. In my opinion, Microsoft Defender is arguably the best AV/EDR (Anti-virus/Endpoint Detection and Response) software on the market today. But, if Microsoft believed their AV/EDR capabilities could and would STOP an attacker, regardless of how they tried to take advantage of these flaws, they wouldn’t have needed to resort to issuing emergency patches for their software. They would have simply said “yes, we see it, but we rendered it benign.” Turns out, they can’t say that, and in fact, none of the market leaders in the AV/EDR space can say that. They all suffer from the glaring hole of being blind to what is happening INSIDE OF APPLICATIONS, which is where the majority of today’s successful security attacks are occurring and thriving. As a customer of AV/EDR vendors, you are running multiple antivirus or EDR products on your organization’s endpoints but they ALL have this glaring hole. What you’re using today, regardless of the vendor you’ve chosen, while absolutely necessary, is unfortunately also absolutely insufficient, tragically insufficient.
Why haven’t the AV/EDR vendors been successful in closing this most important protection hole in their products? Because the technology required to stop these attacks is very complex and has not been a top priority for many of them. In addition, these antivirus companies derive much of their revenue by performing cleanup for their clients, after clients have suffered a cybersecurity event. They simply lack the incentive to solve the problem, but we’ve solved it!
None of the endpoint security products you are familiar with, or using today, provides adequate protection against well-known or benign-looking applications doing operations they should never be doing. Regardless of the AV/EDR claims, they DO NOT protect against:
- Software security flaws only visible from INSIDE of affected software.
- Hidden backdoors in good software.
- Hidden malicious code inside benign-looking software.
- Hidden malicious code inside trusted but compromised software.
- Hidden malicious code in open-source or other third-party code used by trusted software.
- General supply chain issues resulting from hidden malicious code inside of trusted software.
NOTE: THE MECHANISM THROUGH WHICH THE ABOVE MALICIOUS SOFTWARE GETS ONTO A SYSTEM IS NOT IMPORTANT TO THIS DISCUSSION. Bad or misbehaving software could have reached the endpoint through a phishing attack, stolen credentials, an image, link or other data file carrying the payload, a malicious Microsoft Office macro, or any other method. What is important is to make sure that bad or misbehaving software CANNOT execute its damaging instructions no matter how hard it tries. This is the problem we have solved.
The concepts of self-defending and contained applications must be applied, now. Windows endpoints (workstations and servers, physical or virtual, containerized or not) are the number one path through which sophisticated security products are fooled and bypassed today. The goal of any security system should be to STOP an attack at the earliest point instead of trying to detect it and deal with it at some future time, AFTER damage has been done. So, given that ALL Windows endpoints run one or more next-gen antivirus and/or Endpoint Detection and Response products, why are successful attacks on the rise? Why aren’t your vendors successfully defending your endpoints? The answer is found here: ALL current-gen and next-gen AV/EDR products have an Achilles heel. Their defenses are built on:
- behavioral data of previously seen attacks
If they have not seen a particular attack mechanism, or a variation of it, they cannot contain a good application (allow-listed, from a reputable source, etc.) that has been compromised, nor a bad one that looks benign but whose intentions are not visible from outside the application.
Does the above happen? YES. Everyday. And we are all left asking, again, “given that ALL Windows endpoints run one or more next gen antivirus and/or Endpoint Detection and Response products, why are successful attacks on the rise?” And remember, you don’t hear about most successful attacks. Many of them are simply not publicized.
Which applications are we talking about? ALL of them. EVERY good application on your system needs to self-defend and EVERY benign-looking application needs to be contained. A system that doesn’t do that will continue to suffer from this Achilles heel.
Most importantly any technology/product that claims to provide application self-defense and containment must have the highest level of self-protection, otherwise the protection it provides to applications can and will be defeated by attackers.
Is there such a product on the market? Only one: OnSystem Defender. OnSystem Defender does not duplicate the functionality of your current AV/EDR system. It simply removes the Achilles heel of ANY AV/EDR system that you may be running. It solves the problem! OnSystem Defender allows each good application to learn its own most important valid behaviors — behaviors attackers will try to misuse. OnSystem Defender contains each benign-looking application so that it cannot perform dangerous operations from inside of the application in ways not visible to your AV/EDR systems. It does this without any previous knowledge of the application, changes to the application, user-visible behavior, performance impact, or additional administrator workload. In short, it is totally transparent and frictionless.
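As an added illustration (not OnSystem Defender’s code, and not a description of its internals), the following constructed Python model contrasts the two approaches discussed above: a global behavioural model that only recognises patterns from previously seen attacks, and a per-application baseline that learns each program’s own valid behaviours and contains anything outside them, in either detection or prevention mode. All events, image names, hosts and ports are made up for the example; `imageviewer.exe` stands in for any trusted application hijacked through a file it was asked to open.

```python
"""Per-application behaviour baselining versus global attack-pattern matching.

Constructed example, not OnSystem Defender's code. Event data, image names,
hosts and ports below are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Event:
    app: str      # image name of the process performing the action
    action: str   # "spawn" | "connect" | "write"
    target: str   # child image, "host:port", or file path


def normalise(action, target):
    """Reduce a raw target to the class a baseline is keyed on."""
    if action == "spawn":
        return target.lower()                      # child image name
    if action == "connect":
        return "tcp/" + target.rsplit(":", 1)[1]   # destination port only
    if action == "write":
        return ntpath.dirname(target).lower()      # directory, not file name
    raise ValueError(f"unknown action {action!r}")


# Constructed "previously seen attack" patterns: the only thing a purely
# behaviour-signature model can recognise. Anything else is invisible to it.
KNOWN_BAD = {
    ("spawn", "powershell.exe"),
    ("connect", "tcp/4444"),
}


def edr_verdict(ev):
    """Global model: blocks only behaviours already catalogued in KNOWN_BAD."""
    key = (ev.action, normalise(ev.action, ev.target))
    return "block" if key in KNOWN_BAD else "allow"


class Containment:
    """Per-application allow-list learned from each program's own behaviour.

    An application with no learned profile has an empty allow-list, so every
    action it attempts is contained until a baseline exists for it.
    """

    def __init__(self):
        self.baseline = defaultdict(set)

    def learn(self, events):
        for ev in events:
            self.baseline[ev.app].add((ev.action, normalise(ev.action, ev.target)))

    def verdict(self, ev, mode="prevent"):
        """'prevent' blocks out-of-profile actions; 'detect' only alerts on them."""
        if mode not in ("prevent", "detect"):
            raise ValueError(f"unknown mode {mode!r}")
        key = (ev.action, normalise(ev.action, ev.target))
        if key in self.baseline.get(ev.app, set()):
            return "allow"
        return "block" if mode == "prevent" else "alert"


# Constructed baseline: an image viewer's ordinary behaviour on one workstation.
BASELINE_EVENTS = [
    Event("imageviewer.exe", "write", r"C:\Users\alice\AppData\Local\ImageViewer\settings.ini"),
    Event("imageviewer.exe", "write", r"C:\Users\alice\Pictures\edited.jpg"),
    Event("imageviewer.exe", "connect", "updates.example.net:443"),
]

# Constructed post-exploitation events: the same trusted, allow-listed viewer
# after a crafted image has hijacked it.
ATTACK_EVENTS = [
    Event("imageviewer.exe", "spawn", "cmd.exe"),                    # novel, not in KNOWN_BAD
    Event("imageviewer.exe", "connect", "203.0.113.7:8443"),         # novel C2 port
    Event("imageviewer.exe", "connect", "updates.example.net:443"),  # still normal
    Event("imageviewer.exe", "spawn", "powershell.exe"),             # previously seen pattern
]


def trained_containment():
    """Build a Containment instance with the viewer's baseline learned."""
    c = Containment()
    c.learn(BASELINE_EVENTS)
    return c


def compare(events, containment, mode="prevent"):
    """Return (event, EDR verdict, containment verdict) for each event."""
    return [(ev, edr_verdict(ev), containment.verdict(ev, mode)) for ev in events]


if __name__ == "__main__":
    for ev, edr, contain in compare(ATTACK_EVENTS, trained_containment()):
        print(f"{ev.action:8} {ev.target:45} EDR={edr:5} containment={contain}")
```

Run as a script, the first two attack events (a child `cmd.exe` and an outbound connection on an unusual port) are allowed by the signature-style model because nothing like them has been catalogued, but blocked by the per-application profile because the viewer never did either during baselining; the legitimate update connection passes both, and the catalogued `powershell.exe` spawn is blocked by both. The point of the toy is the keying: the profile belongs to the application, not to a global list of attacks, so a never-before-seen technique is contained without being recognised.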
OnSystem Defender does not care how an attacker does its initial compromise of a system. The attack could have been initiated from:
- Phishing email
- Social media
- Credential stealing
- Flaw inside of a good/known application
- Installation of a benign-looking application
- Hidden backdoors inside of an application
- Supply chain issue in the application code or one of its open-source libraries
- Any other mechanism
If the attack code cannot run, it cannot do damage. If it can run, it has the ability to:
- Steal your data (e.g. ransomware)
- Change your data
- Move laterally to other systems and infect them
- Hide in your system for months/years
- Do an infinite number of other damaging actions
Can we prove OnSystem Defender works? Yes, we can! OnSystem Defender has been successfully protecting early adopters for over 2 years. It is trivial to deploy and manage. It can run in detection or prevention mode with its complete self-protection always at work.
See for yourself what difference REAL endpoint PREVENTION can make in today’s WFH environments, and the peace of mind you can enjoy by deploying the most capable endpoint security enhancement product on the market today. Instead of adding more analysts to handle the load from the endless stream of events generated by your current AV/EDR product, add a product that will make your systems an order of magnitude more secure and eliminate the false positives and after-the-fact issues that your current AV/EDR products have, or cause for you.