Thursday, January 27

Microsoft Attack Surface Analyzer - Review

As part of its participation in the Black Hat security conference in Virginia, the Microsoft security team has released a new beta of a tool to help security analysts understand the security impact of installing software whose installation-time changes to the system are unknown.

The Attack Surface Analyzer (ASA for short) is based on a slightly dated, but still very relevant, Carnegie Mellon paper on measuring attack surfaces - link.  The beta implements some of the methodology from that paper: it takes a baseline snapshot of system state before the target software is installed and a second snapshot afterwards, diffs the two, and evaluates the differences against a predefined set of security properties chosen by Microsoft.

This approach is not new, but Microsoft's tool makes the work of baselining, diffing and reporting very easy, producing an easy-to-read HTML report for the analyst.

I decided to test this tool out with software that I had not previously installed to see what kind of value it could bring to the average security analyst.  Google Cloud Connect for Microsoft Office is a new product that allows Google Apps collaboration within the Microsoft Office suite.  There shouldn't be any security impacts from this combination, right?


After installing the ASA tool itself, I ran it from the icon installed in the Windows 7 Start menu.  The interface prompts the analyst to run the initial baseline scan and save the results to a .cab file.


The tool shows a progress report as it collects information about the system.  The collection covers the kinds of data you would expect such a comparison to use, and it takes a few minutes because it scans both the filesystem and the registry.


With the baseline and the post-installation scan both recorded, a report is generated by comparing the two.  This is useful because you can create multiple scans with different installation options and compare them to each other and to the original baseline to determine exactly what each option changes.
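The baseline / product-scan / diff workflow described above is easy to reproduce for a handful of the categories ASA reports on. The PowerShell below is an added example, not ASA's code and not a reader of ASA's .cab files; it snapshots services, running processes, named pipes and TCP endpoints, saves the baseline, and lists everything that appears only in the post-installation snapshot. The `Get-NetTCPConnection` branch assumes Windows 8 or later; on Windows 7 (the OS used in this review) it falls back to `netstat -ano`.

```powershell
# Added example (not ASA's code, and it does not read ASA's .cab output): a minimal
# PowerShell version of the baseline / product-scan / diff idea, limited to four of the
# categories ASA reports on: services, running processes, named pipes and TCP endpoints.

function Get-AttackSurfaceSnapshot {
    $snap = @{}
    # Services: name, account and image path, so a changed binary path also shows up as "new".
    $snap['Services'] = @(Get-CimInstance Win32_Service |
        ForEach-Object { '{0} | {1} | {2}' -f $_.Name, $_.StartName, $_.PathName })
    $snap['Processes'] = @(Get-Process | ForEach-Object { $_.ProcessName } | Sort-Object -Unique)
    # Named pipes are enumerated through the \\.\pipe\ namespace.
    $snap['NamedPipes'] = @([System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_.Substring('\\.\pipe\'.Length) })
    # TCP endpoints, with remote side and owning PID, so an ephemeral outbound port can be
    # attributed to a process. Get-NetTCPConnection is Windows 8+; fall back to netstat.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $snap['TcpEndpoints'] = @(Get-NetTCPConnection | ForEach-Object {
            '{0} {1}:{2} -> {3}:{4} pid={5}' -f $_.State, $_.LocalAddress, $_.LocalPort,
                $_.RemoteAddress, $_.RemotePort, $_.OwningProcess })
    } else {
        $snap['TcpEndpoints'] = @(netstat -ano | Select-String '^\s*TCP' |
            ForEach-Object { $_.Line.Trim() -replace '\s+', ' ' })
    }
    return $snap
}

function Compare-AttackSurfaceSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Product
    )
    # Report every entry present in the product scan but absent from the baseline.
    foreach ($category in $Product.Keys) {
        $seen = @{}
        foreach ($item in @($Baseline[$category])) { if ($null -ne $item) { $seen[$item] = $true } }
        foreach ($item in @($Product[$category])) {
            if ($null -ne $item -and -not $seen.ContainsKey($item)) {
                [pscustomobject]@{ Category = $category; Added = $item }
            }
        }
    }
}

# Usage: take the baseline, install the product, take the product scan, diff.
$baseline = Get-AttackSurfaceSnapshot
$baseline | Export-Clixml .\baseline.xml      # keep it around, like ASA's baseline .cab
# ... install the software under test here ...
$product = Get-AttackSurfaceSnapshot
Compare-AttackSurfaceSnapshot -Baseline (Import-Clixml .\baseline.xml) -Product $product |
    Sort-Object Category | Format-Table -AutoSize
```

Run it elevated, or the process and service views will be incomplete. Because each TCP entry records the remote endpoint and the owning PID, a new "Established" line tells you directly which process opened the connection and where it went, which is the question a bare port number leaves open.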

The resulting HTML (and JavaScript) report has three tabs.  The first summarizes the conditions of the analysis and records the versions of the tool, the OS, and so on.


The second tab summarizes the security issues found, with a helpful explanation of each issue for those not already familiar with it.  In Google Cloud Connect's case, three security issues were reported:
  • Directories With Weak ACLs - related to the use of NT SERVICE\TrustedInstaller (needs more investigation to see why this was reported)
  • Processes With NX Disabled - GoogleCrashHandler.exe, included with the software, does not run with DEP enabled (why not?)
  • Services Vulnerable To Tampering - the Google Update service that was installed is also susceptible to tampering by the NT SERVICE\TrustedInstaller account.
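A "Services Vulnerable To Tampering" finding is best followed up by reading the service's DACL. The PowerShell below is an added example, not ASA's code: it pulls the security descriptor with `sc.exe sdshow` and flags access-allowed ACEs that grant rights letting a principal reconfigure, re-permission or delete the service. The rights letters are SDDL's generic abbreviations as they map onto the service object (DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE). The set of "expected" principals is an assumption; it deliberately leaves out TrustedInstaller so that the case the report flagged above would still surface. The sample SDDL is constructed for the demonstration, not captured from Google Update.

```powershell
# Added example (not ASA's code): inspect a service DACL to follow up on a
# "Services Vulnerable To Tampering" finding. sc.exe sdshow returns the security
# descriptor in SDDL; each ACE is (type;flags;rights;object_guid;inherit_guid;sid).

# Generic SDDL right letters as they apply to service objects.
$TamperRights = @{
    'DC' = 'SERVICE_CHANGE_CONFIG'   # change image path, account or start type
    'WD' = 'WRITE_DAC'               # rewrite the DACL itself
    'WO' = 'WRITE_OWNER'             # take ownership, then rewrite the DACL
    'SD' = 'DELETE'                  # delete the service
}
# Assumption: only SYSTEM (SY) and Administrators (BA) are expected to hold these rights.
# TrustedInstaller is intentionally not listed, so that an ACE for it is reported.
$TrustedSids = @('SY', 'BA')

function Get-ServiceTamperAces {
    param([Parameter(Mandatory)][string]$Sddl)
    $acePattern = '\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $acePattern)) {
        if ($m.Groups[1].Value -ne 'A') { continue }   # only access-allowed ACEs grant rights
        $rights = $m.Groups[3].Value
        $sid    = $m.Groups[6].Value
        # Rights may also be a hex mask (0x...); this example only decodes the letter form.
        if ($rights -like '0x*' -or ($rights.Length % 2) -ne 0) { continue }
        $tokens = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $hits = @($tokens | Where-Object { $TamperRights.ContainsKey($_) })
        if ($hits.Count -gt 0 -and $TrustedSids -notcontains $sid) {
            [pscustomobject]@{
                Sid    = $sid
                Rights = ($hits | ForEach-Object { $TamperRights[$_] }) -join ','
            }
        }
    }
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe may wrap the SDDL over several lines; join and trim them.
    ((& sc.exe sdshow $Name) -join '').Trim()
}

# Constructed sample (not captured from Google Update): Authenticated Users (AU) can change
# the service configuration and take ownership, which a service should never allow.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPLOCRWO;;;AU)'
Get-ServiceTamperAces -Sddl $sample | Format-Table -AutoSize
# Expected: one row, Sid=AU, Rights=SERVICE_CHANGE_CONFIG,WRITE_OWNER

# Against a real service (service name is an assumption; check with Get-Service):
# Get-ServiceTamperAces -Sddl (Get-ServiceSddl -Name gupdate)
```

SERVICE_CHANGE_CONFIG is the right that matters most: whoever holds it can point the service's image path at their own binary and have it run as the service account on the next start, so any non-administrative SID in that column is a real finding rather than a report artifact.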




The Attack Surface tab lists each assessed area in which changes were introduced and details what changed in each.  This is the most valuable component to me, as it describes the specific changes to the operating environment that resulted from installing the software.

In our case, here is what the Google Cloud Connect software changed:
  • New Service - Google Update Service
  • New Running Processes - the Google crash handler and a .NET Framework utility
  • 113 New Registered COM Controls - mostly IE-related, but controls used within the software
  • 3 New Internet Explorer Silent Elevation Entries / Preapproved Controls - the Google Update plugin.  This is interesting, as it looks like the plugin gets added to the list of approved Protected Mode controls; more investigation needed here.
  • 1 New TCP Port - an established outbound TCP connection on port 49336.  Note that 49336 falls in the Windows dynamic client port range (49152-65535), so this is the local end of an outbound connection rather than a new listening port.  This is likely the port used by the Google Update service to check for updates during the install.  Not sure; more investigation is likely here as well.
  • 6 New Named Pipes


Overall, this tool is extremely helpful in understanding the changes made to the Windows environment by installing software.  It will detect things like new services being installed, such as the Google Update service, that you might not have realized were being installed.  I recommend using ASA to analyze software you intend to install, so that you know what you're installing and what effect different installation options have.