Threat of the month: Virtualized application vulnerabilities

Share this article:
Threat of the month: pdf.exe.zip files
Threat of the month: pdf.exe.zip files
What is it?

Application Virtualization technologies allow you to virtualize an individual application rather than an entire operating system. This can be very helpful to organizations that have legacy application needs or require running two different versions of the same software on an individual system. One example of such application virtualization software is VMware's ThinApp.

How does it work?

There are a variety of methods that can be employed to virtualize an application but the most common method is system level API hooking in order to intercept calls to things such as system registry and files access. A typically app virtualization technology will create a virtual sandbox for an app to live within so that app believes it has its own registry, file system, etc… This allows for two installations of the same product to co-exist without having collisions over the accessing of system resources. 

Should I be worried?

A lot of people believe that because of the “sandboxed” nature of virtualized applications that they are immune to standard exploits. The reality however is that virtualized applications are just as exploitable as non-virtualized applications. For example I have seen finance departments maintain two versions of Adobe, both old and new, in order to support backwards compatibility with document forms. What these companies do not know is that an older, vulnerable, virtualized version of something like Adobe Reader is just as exploitable as a non-virtualized version. 

How can I prevent it?

You can use some of the same techniques in preventing exploitation of virtualized applications as you could regular by employing things like endpoint security solutions and also vulnerability management solutions that can identity virtualized application vulnerabilities. You need to be careful when selecting such solutions as the fast majority of security solutions, particularly in the vulnerability management space, do not actually scan for virtualized application vulnerabilities. A virtualized application is typically self-contained in an executable and since it is not installed like a regular application the traditional approaches for application vulnerability assessment are simply blind to this risk. Ask your endpoint security and vulnerability management vendor if they support the protection and assessment of virtualized applications in the same way they do non-virtualized; and then actually test this scenario in a lab to prove it.

Source: Marc Maiffret, CSO, Beyond Trust

Share this article:
close

Next Article in Threat of the Month

Sign up to our newsletters

More in Threat of the Month

Threat of the month: Network deperimeterization

Threat of the month: Network deperimeterization

Security professionals should be aware of network deperimeterization, which decreases the usefulness of network edge security devices and increases the potential for device infection and data loss.

Threat of the month: Drive-by download

Threat of the month: Drive-by download

The pervasiveness of drive-by downloads has made it our threat of the month for May.

Threat of the month: Linksys router zero-day

Threat of the month: Linksys router zero-day

This month's vulnerability is currently being exploited by a worm known as "TheMoon."