Windows 7’s Data Execution Prevention (DEP) would have prevented the hack, Branco, director of Qualys’ Vulnerability and Malware Research Labs, wrote in a blog. Unfortunately, the RSA employees who fell for the spear-phishing email earlier this year were using the much older XP (not even Vista!).
The spearphishing attack used a Microsoft Excel spreadsheet, which included an embedded Flash object that was configured to exploit a zero-day vulnerability in Adobe Flash Player. Once the Flash object ran, it installed the Point Ivy remote administration tool, which has key logging, scanning, and data exfiltration capabilities, Branco explained.
“DEP is a security technology that prevents applications from executing machine code stored in certain regions of memory that are marked as nonexecutable, a technique that is quite frequently used by exploits, for example during a buffer overflow attack….Once activated it prevents the exploit under analysis from running”, he wrote.
Branco warned that the “sheer number of software installed on modern machines in network environments opens the door for similar attacks. The complexities of typical software packages create a huge attack surface, a fact that has been repeatedly utilized by exploit writers.”
The Qualys analyst concluded: “There is a tremendous opportunity for IT pros to turn the tables on the attackers and increase the cost of the attack to a level where all but the most determined attackers will fail. This covers the great majority of attacks, including automated attacks and those re-using previously delivered exploit codes.”