
Microsoft Attack Surface Analyzer - Review

As part of its involvement in the Black Hat security conference in Virginia, the Microsoft security team released a beta of a tool to help security analysts understand the security impact of installing software whose installation behaviour is unknown.

The Attack Surface Analyzer (ASA for short) is based on a slightly dated but still very relevant Carnegie Mellon paper on measuring attack surfaces (link). The beta implements a few of the methodologies discussed there: it takes a snapshot of system state before the target software is installed and another one afterwards, diffs the two, and evaluates the differences against a predefined set of security properties chosen by Microsoft.

The approach is not new, but Microsoft's tool makes the work of baselining, analysing and reporting extremely easy, producing an easy-to-read report that opens in a browser.

I decided to test the tool with software I had not previously installed, to see what value it could bring to the average security analyst. Google Cloud Connect for Microsoft Office is a new product that brings Google Apps collaboration into the Microsoft Office suite. There shouldn't be any security impact from that combination, right?


After installing ASA itself and launching it from the icon in the Windows 7 Start menu, the interface prompts the analyst to run the initial baseline scan and save the results to a .cab file.


The tool shows its progress as it collects information about the system: the file system, the registry, services, ports and the other categories a comparison of this kind needs. It takes a few minutes, because it walks both the file system and the registry.


After installing Google Cloud Connect and running a second scan, we generate a report by comparing the baseline scan with the post-installation scan. This is useful because you can take multiple scans with different installation options and compare them with each other and with the original baseline, to see exactly what each option changes.
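To make the baseline/install/scan/compare workflow concrete, here is an added example of the same idea done by hand in PowerShell. It is not ASA's code and covers only a handful of the areas ASA scans (services, processes, TCP listeners and connections, named pipes and the per-machine Run key); it assumes Windows 7 or later with PowerShell 2.0+, run from an elevated prompt so that service details and named pipes are fully visible. The snapshot is a flat list of strings per area, so a changed service account or binary path shows up as one entry removed and one added.

```powershell
# Added example, not ASA's code: a minimal baseline-and-diff in the spirit of the tool.
# Assumes Windows 7+ with PowerShell 2.0 or later, run elevated.

function Get-AttackSurfaceSnapshot {
    # Services: name, account and binary path (a changed path or account is a change too)
    $services = Get-WmiObject Win32_Service |
        ForEach-Object { '{0}|{1}|{2}' -f $_.Name, $_.StartName, $_.PathName }

    # Running processes by name and image path (WMI returns $null, not an error,
    # for images the caller cannot query)
    $processes = Get-WmiObject Win32_Process |
        ForEach-Object { '{0}|{1}' -f $_.Name, $_.ExecutablePath }

    # TCP listeners (new local services) and established connections (outbound check-ins).
    # Connections churn between scans, so expect noise in that area.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listeners = $ip.GetActiveTcpListeners() |
        ForEach-Object { 'LISTEN {0}:{1}' -f $_.Address, $_.Port }
    $connections = $ip.GetActiveTcpConnections() |
        ForEach-Object { '{0} {1} -> {2}' -f $_.State, $_.LocalEndPoint, $_.RemoteEndPoint }

    # Named pipes: the \\.\pipe\ namespace can be enumerated like a directory
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')

    # Per-machine autostart entries
    $runKey = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = $runKey.GetValueNames() | ForEach-Object { '{0}={1}' -f $_, $runKey.GetValue($_) }

    New-Object PSObject -Property @{
        Taken          = Get-Date
        Services       = @($services)
        Processes      = @($processes)
        TcpListeners   = @($listeners)
        TcpConnections = @($connections)
        NamedPipes     = @($pipes)
        RunKeys        = @($run)
    }
}

function Compare-AttackSurfaceSnapshot {
    param(
        [Parameter(Mandatory=$true)] $Baseline,   # snapshot taken before the install
        [Parameter(Mandatory=$true)] $Product     # snapshot taken after the install
    )
    foreach ($area in 'Services','Processes','TcpListeners','TcpConnections','NamedPipes','RunKeys') {
        # Set difference via hashtables (Compare-Object rejects empty reference arrays)
        $before = @{}; foreach ($item in @($Baseline.$area)) { if ($item) { $before[$item] = $true } }
        $after  = @{}; foreach ($item in @($Product.$area))  { if ($item) { $after[$item]  = $true } }
        foreach ($item in $after.Keys) {
            if (-not $before.ContainsKey($item)) {
                New-Object PSObject -Property @{ Area = $area; Change = 'ADDED'; Item = $item }
            }
        }
        foreach ($item in $before.Keys) {
            if (-not $after.ContainsKey($item)) {
                New-Object PSObject -Property @{ Area = $area; Change = 'REMOVED'; Item = $item }
            }
        }
    }
}

# Usage, following the same workflow as ASA (baseline, install, scan again, compare):
#   Get-AttackSurfaceSnapshot | Export-Clixml baseline.xml
#   ... install the software ...
#   Get-AttackSurfaceSnapshot | Export-Clixml product.xml
#   Compare-AttackSurfaceSnapshot (Import-Clixml baseline.xml) (Import-Clixml product.xml) |
#       Sort-Object Area, Change | Format-Table Area, Change, Item -AutoSize
```

Export-Clixml plays the role of ASA's .cab file here: each snapshot is saved to disk, so the same baseline can be compared against several product scans taken with different installation options. The report columns are named explicitly in Format-Table because properties created from a hashtable come out in arbitrary order.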

The resulting HTML (and JavaScript) report has three tabs. The first summarizes the conditions of the analysis and records version information for the tool, the operating system and so on.


The second tab summarizes the security issues found and includes a helpful explanation of each one for anyone not already familiar with it. In Google Cloud Connect's case, three security issues were reported:
  • Directories With Weak ACLs - related to the use of NT SERVICE\TrustedInstaller (needs more investigation to see why this was reported)
  • Processes With NX Disabled - GoogleCrashHandler.exe, shipped with the software, does not run with DEP enabled (why not?)
  • Services Vulnerable To Tampering - the Google Update service that was installed is also susceptible to tampering by the NT SERVICE\TrustedInstaller account.
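The "Services Vulnerable To Tampering" finding is one an analyst can confirm independently, and the check is worth knowing because the report only names the principal, not the exact rights. Here is an added example (not ASA's code) that reads a service's security descriptor with `sc.exe sdshow`, parses the SDDL with .NET, and lists every allow ACE that grants configuration-change, start/stop, delete or ACL-rewrite rights to a principal outside a short trusted list. The service name is a parameter (take it from the ASA report); the trusted SIDs and the rights mask are my assumptions about what "tampering" should mean, not ASA's definition. One caveat a practitioner would want: NT SERVICE\TrustedInstaller is the identity of the Windows Modules Installer service, which already owns and can rewrite most of the Windows directory, so rights held by that account are in a different class from rights held by Users or Authenticated Users; the example treats it as trusted, and you can remove it from the list if you would rather see those ACEs.

```powershell
# Added example, not ASA's code: confirm a "Services Vulnerable To Tampering" finding
# by listing ACEs that grant tamper-class rights to principals other than SYSTEM,
# Administrators and TrustedInstaller. The trusted list and rights mask are my choices.

function Get-ServiceTamperingRisk {
    param([Parameter(Mandatory=$true)][string]$ServiceName)

    # Service-specific access rights (winsvc.h) plus the standard rights that let a
    # caller delete the service object or rewrite its ACL. In SDDL these appear as
    # DC (change config), RP (start), WP (stop), SD, WD and WO respectively.
    $rights = @{
        SERVICE_CHANGE_CONFIG = 0x00000002
        SERVICE_START         = 0x00000010
        SERVICE_STOP          = 0x00000020
        DELETE                = 0x00010000
        WRITE_DAC             = 0x00040000
        WRITE_OWNER           = 0x00080000
    }
    $mask = 0
    foreach ($v in $rights.Values) { $mask = $mask -bor $v }

    # Principals expected to hold these rights on any service (assumption, edit to taste):
    # SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )

    # sc.exe must be named explicitly: in PowerShell "sc" is an alias for Set-Content
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }) -join ''
    if (-not $sddl) { throw "No security descriptor returned for service '$ServiceName'" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $mask) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier.Value
        if ($trusted -contains $sid) { continue }

        # Resolve the SID to a name where possible; fall back to the raw SID
        $name = $sid
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        $granted = $rights.Keys | Where-Object { ($ace.AccessMask -band $rights[$_]) -ne 0 }
        New-Object PSObject -Property @{
            Service   = $ServiceName
            Principal = $name
            Sid       = $sid
            Rights    = ($granted -join ',')
        }
    }
}

# Usage: Get-ServiceTamperingRisk -ServiceName <name from the ASA report> |
#            Format-Table Service, Principal, Rights -AutoSize
```

No output means nobody outside the trusted list can reconfigure, start, stop, delete or re-ACL the service. Any row that names Users, Authenticated Users or Everyone with SERVICE_CHANGE_CONFIG or WRITE_DAC is the classic local privilege escalation path: the binary path can be repointed and the service restarted under its own account.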




The Attack Surface tab describes each assessed area in which changes were introduced, with details of what changed in each. This is the most valuable component to me, because it describes the specific changes to the operating environment that resulted from installing the software.

In our case, here is what the Google Cloud Connect installation changed:
  • New Service - Google Update Service
  • New Running Processes - the Google crash handler and a .NET Framework utility
  • 113 New Registered COM Controls - mostly Internet Explorer controls, used within the software
  • 3 New Internet Explorer Silent Elevation Entries / Preapproved Controls - the Google Update plugin. This is interesting, as it looks like the plugin is added to the list of controls allowed to elevate out of Protected Mode without a prompt; more investigation needed here.
  • 1 New TCP Port - an established outbound TCP connection on port 49336. This is likely the Google Update service checking for updates during the install. Note that 49336 falls in the Windows dynamic port range (49152-65535 on Vista and later), which is consistent with it being the local end of an outbound connection rather than a new listener. More investigation is likely needed here as well.
  • 6 New Named Pipes


Overall, this tool is extremely helpful for understanding the changes a software installation makes to the Windows environment. It will detect things such as new services being installed, like the Google Update service, which you might not have realized was included. I recommend using ASA to analyze software you intend to install, so that you know what you're installing and what effect different installation options have.

Comments

Custom Software said…
I wonder, is this custom software that monitors all incoming traffic, or does it just monitor downloads initiated by the user? This could be a helpful tool; I may download it and play with it to see. Thanks for the post.
