Threat of the month: Virtualized application vulnerabilities
Threat of the month: pdf.exe.zip files
Application Virtualization technologies allow you to virtualize an individual application rather than an entire operating system. This can be very helpful to organizations that have legacy application needs or require running two different versions of the same software on an individual system. One example of such application virtualization software is VMware's ThinApp.
How does it work?
There are a variety of methods that can be employed to virtualize an application but the most common method is system level API hooking in order to intercept calls to things such as system registry and files access. A typically app virtualization technology will create a virtual sandbox for an app to live within so that app believes it has its own registry, file system, etc… This allows for two installations of the same product to co-exist without having collisions over the accessing of system resources.
Should I be worried?
A lot of people believe that because of the “sandboxed” nature of virtualized applications that they are immune to standard exploits. The reality however is that virtualized applications are just as exploitable as non-virtualized applications. For example I have seen finance departments maintain two versions of Adobe, both old and new, in order to support backwards compatibility with document forms. What these companies do not know is that an older, vulnerable, virtualized version of something like Adobe Reader is just as exploitable as a non-virtualized version.
How can I prevent it?
You can use some of the same techniques in preventing exploitation of virtualized applications as you could regular by employing things like endpoint security solutions and also vulnerability management solutions that can identity virtualized application vulnerabilities. You need to be careful when selecting such solutions as the fast majority of security solutions, particularly in the vulnerability management space, do not actually scan for virtualized application vulnerabilities. A virtualized application is typically self-contained in an executable and since it is not installed like a regular application the traditional approaches for application vulnerability assessment are simply blind to this risk. Ask your endpoint security and vulnerability management vendor if they support the protection and assessment of virtualized applications in the same way they do non-virtualized; and then actually test this scenario in a lab to prove it.
Source: Marc Maiffret, CSO, Beyond Trust