In his blog The Last Watchdog, Byron Acohido discusses the recent zero-day attacks that exploit a flaw in the video ActiveX component of the Internet Explorer browser. Acohido goes on to discuss why Microsoft may not have a patch ready in time for the next Patch Tuesday on July 14. The exploits and associated problems he describes provide a practical context for a primer on what Triumfant can do for an organization.
First, we would detect the zero-day attacks that exploit the flaw, including the two attacks described, one using a Trojan downloader and one using a rootkit. No signature is required.
Second, we do not stop at detection. Triumfant Resolution Manager builds a remediation and removes the detected attacks: it ejects the rootkit and cleans up the hooks it established, and it repairs the collateral changes the Trojan downloader made to configure the machine for subsequent incursions, as described in the post. No human needs to write a script, and no re-imaging is required.
Third, it would be a simple task to build a policy in Resolution Manager that applies the registry changes Microsoft has recommended as a stopgap until a patch is issued. The policy would be enforced on all machines, and the organization would get an up-to-date report showing which machines had been updated and which were still vulnerable until the patch ships. Given the time Acohido describes for Microsoft to build a patch, and the well-known delay between a patch's release and its deployment across an organization, this action would protect machines for the weeks or even months until the patch is in place.
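The stopgap Microsoft recommends for an ActiveX flaw is the "kill bit": a Compatibility Flags value of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops Internet Explorer from instantiating that control. The script below is an added example of what an audit-and-enforce policy for that stopgap looks like outside any particular product; it is not Triumfant's or Microsoft's code. The CLSID in the list is a placeholder (the real ones come from Microsoft's advisory for the component), and the script name Audit-KillBit.ps1 is assumed. On 64-bit Windows the 32-bit browser reads the Wow6432Node copy of the key, so the script checks both locations.

```powershell
# Audit-KillBit.ps1 (hypothetical name) -- added example, not Triumfant's or Microsoft's code.
# Reports whether the ActiveX kill bit is set for each CLSID in $KillBitClsids and,
# with -Enforce, sets it. Run elevated; HKLM writes require administrator rights.
param(
    [switch]$Enforce
)

# Placeholder CLSID list (assumption): replace with the CLSIDs from Microsoft's advisory.
$KillBitClsids = @(
    '{00000000-0000-0000-0000-000000000000}'
)

# 0x400 is the kill-bit flag (COMPAT_EVIL_DONT_LOAD); IE will not load a control that carries it.
$KillBitFlag = 0x400

# Both 64-bit and 32-bit views of the key; the Wow6432Node path only exists on 64-bit Windows.
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-CompatFlags {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    return (((Get-CompatFlags $key) -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the flag in rather than overwriting, so any other compatibility flags survive.
    $new = (Get-CompatFlags $key) -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

$report = foreach ($base in $BaseKeys) {
    foreach ($clsid in $KillBitClsids) {
        $set = Test-KillBit -BaseKey $base -Clsid $clsid
        if (-not $set -and $Enforce) {
            Set-KillBit -BaseKey $base -Clsid $clsid
            $set = Test-KillBit -BaseKey $base -Clsid $clsid   # re-read to confirm the write took
        }
        $status = if ($set) { 'Protected' } else { 'Vulnerable' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Hive     = $base
            CLSID    = $clsid
            KillBit  = $set
            Status   = $status
        }
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when anything is still unprotected so a management tool can flag the host.
if ($report | Where-Object { -not $_.KillBit }) { exit 1 } else { exit 0 }
```

Running it without -Enforce across a fleet gives the "who is still vulnerable" report the paragraph describes; running it with -Enforce applies the stopgap. The re-read after the write matters: a kill bit that an administrator believes is set but that a later installer cleared is exactly the gap a periodic audit is meant to catch.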
This is not meant to be a sales pitch. It is a practical example of how the unique functionality of Triumfant steps into a gap that, as far as I (or any industry expert, analyst, or writer) am aware, no other product currently fills. As a new technology, Resolution Manager can be hard for people to get their heads around, both what it does and the benefit it delivers. And exploits like this ActiveX IE exploit show up all too frequently.
Posted in Endpoint Security