I just had a very interesting telephone briefing by Exploit Prevention Labs (XPL) on the release of their new product SocketShield. The purpose of SocketShield is to defend PCs against "exploits", which are ways of gaining control over a computer system.

These hacking mechanisms now involve all sorts of techniques, including the well-known buffer overflow problem along with heap overflow, integer overflow, return-to-libc attack, format string attack, race condition, code injection, SQL injection, cross-site scripting and cross-site request forgery (see Wikipedia for a discussion of exploits).

The difficulty in defending PCs against exploits is that the techniques currently used rely upon knowing about the exploit and patching the operating system against that specific attack, or on detecting the results of an exploit. In either case, the solution is to repair damage that is already done. In theory this works, but the practical issues of repairing the installation of a rootkit are enormous. Usually the only certain fix is to scrub the computer clean and re-install everything.

To make the whole problem even worse, these exploits are no longer being created and used by the "script kiddies". Professional hackers are now involved and making money by finding and selling what are called zero-day exploits – exploits that are found and used before the vulnerability is known – to profit-motivated gangs.

Gangs using these zero-day exploits are unlikely to be detected and, if they are, unlikely to be found and prosecuted. The result is that executing successful exploits is a low-risk and very high-reward business.

For example, on December 27, 2005, the CoolWebSearch gang launched the WMF zero-day exploit. Microsoft immediately acknowledged the vulnerability when an anonymous poster reported it on Bugtraq.

On December 28, 2005, Microsoft suggested disabling the vulnerable DLL, and on December 31, 2005, a worm that used the WMF vulnerability was launched. Still no Microsoft patch.

On January 2, 2006, an unofficial (i.e. non-Microsoft) third-party patch was issued with the blessing of SANS and finally, on January 5, 2006, ten days after the Bugtraq announcement, Microsoft issued an official patch.

Now ten days may not seem a long time, but when you're talking about worms that can potentially propagate across tens of thousands of machines and hundreds of networks per hour, the risks are not to be underestimated.

Exploit Prevention Labs argues that current attempts to block exploits are not really up to the challenge of keeping our computers safe. They pointed out that vendor patches can take anything up to 6 months to appear, that third-party patches create confusion in the market as well as potentially introduce new vulnerabilities, that anti-virus and anti-spyware engines detect risks only after exploits are successful, and that the focus is on deactivating payloads (that is, the worm, virus, rootkit, or Trojan that gains access via the exploit) after they are installed, not on stopping exploits before they can do anything.

XPL's product, SocketShield, approaches the problem of dealing with exploit attacks in a different way: as the major focus of exploits is currently on HTTP traffic, SocketShield monitors port 80 traffic and attempts to detect exploits in real time and stop them before they reach the application – typically a browser.

XPL has deployed a number of "honeypots" on the 'Net to find and characterize new exploits as well as identify the sites that try to implement them (these honeypots are both passive and active – the latter actually go out and simulate a browser and then look for anomalous responses).

A list of new exploits, along with new sites found to be using any exploits, is updated on all SocketShield clients within about five minutes of their discovery. This ensures that exploits attempted from both known and unknown "bad" sites will be blocked.

The current release of SocketShield will be followed in Q3 this year by an API that will allow third-party integration. XPL also has plans for a whole range of services and products.

SocketShield will be reviewed in a future Gearhead column.
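As an added illustration of the inline filtering model described above (this is not XPL's code, and the feed format, the block-listed host and the single content signature are constructed): a port-80 response is checked first against a site block list and then against content signatures before it is handed to the browser, and feed updates are merged into both lists as they arrive.

```python
from dataclasses import dataclass

# Constructed sample feed, not XPL's real format: hostnames seen serving exploits,
# plus content signatures. D7 CD C6 9A is the placeable-WMF file header; the rule
# flags it only when the server claims the body is something else (HTML, JPEG, GIF).
BAD_SITES = {"exploit-host.example"}
SIGNATURES = [
    # (name, magic bytes, declared Content-Types that should never carry them)
    ("wmf-under-false-type", b"\xd7\xcd\xc6\x9a", {"text/html", "image/jpeg", "image/gif"}),
]


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""


def parse_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect(host: str, raw: bytes) -> Verdict:
    """Decide whether a port-80 response may be passed on to the browser."""
    if host.lower() in BAD_SITES:  # known bad site: drop before content inspection
        return Verdict(False, f"site {host} is on the block list")
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    for name, magic, disallowed_types in SIGNATURES:
        if body.startswith(magic) and ctype in disallowed_types:
            return Verdict(False, f"signature {name}: {ctype} body starts with WMF header")
    return Verdict(True)


def apply_update(new_sites=(), new_signatures=()):
    """Merge a feed update (the briefing says these reach clients within ~5 minutes)."""
    BAD_SITES.update(s.lower() for s in new_sites)
    SIGNATURES.extend(new_signatures)
    return len(BAD_SITES), len(SIGNATURES)
```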