US firm Malwarebytes has announced a security product it claims can do something that has eluded even the best-resourced security firms in the business — block all zero-day attacks, known and unknown, against popular Windows applications.
Called Anti-Exploit, the new software was developed by a startup Malwarebytes acquired a year ago, ZeroVulnerabilityLabs, founded by ex-Panda Security software engineer Pedro Bustamente. The germ of the development dates back to an early version of the software that appeared in 2012.
Let's be clear about how far-reaching the claim is on a conceptual level. It doesn't just promise to stop application exploits that are known but those that aren't too. If it works as advertised, it would be the first product to deliver a working 'zero-day defence', and all without a signature in sight.
The free version protects against zero-day exploits in Java, Flash, Silverlight and several browsers — Internet Explorer, Mozilla Firefox, Chrome and Opera — while the $24.95 (£15) paid version adds Adobe Reader, Foxit Reader, the Microsoft Office suite and a range of media players such as Windows Media Player and QuickTime.
The paid software also lets the user add custom applications to the protected list, while a third track, the business version, adds centralised endpoint management.
The antivirus industry has a tendency to run on security hype from time to time, so do the big claims being made for Anti-Exploit stand up?
Zero-day attacks on applications — exploiting software flaws to take control of a target — are the bread and butter of today's cybercrime. Closing that avenue would shut down something that is not so much an attack path as an attack super-highway. Indeed, it is hard to think of a single significant piece of malware (including attacks traced to nation states) that hasn't depended on exploiting a software flaw, zero-day or otherwise, at some point in its execution.
"It is install and forget," says Pedro Bustamente, who has spent the best part of three years since leaving Panda Software developing the technology behind it.
He acknowledges that recent versions of Windows have improved their built-in security, with mitigations such as Address Space Layout Randomisation (ASLR) as well as Microsoft's own anti-exploit layer, the Enhanced Mitigation Experience Toolkit (EMET). The latter, he believes, has simply been too generic to be a useful defence against real-world attacks.
"Most of what antivirus does is protection of the binary; [with Anti-Exploit] we are looking at the actions of the shellcode and payload."
The difficulty in developing Anti-Exploit, said Bustamente, was that no single technique could do it all. Several layers of protection had to be built and fine-tuned against real applications. Anti-Exploit uses three layers of defence: guarding against bypasses of the operating system's own protections, blocking exploit execution in memory, and stopping the payload from running.
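To make the "blocking exploit execution in memory" layer concrete, here is an added illustration in C. It is not Malwarebytes' code and does not describe Anti-Exploit's internals; it sketches three checks of the kind that EMET-style exploit mitigations run from a hook on a sensitive API (VirtualProtect, WinExec and the like) before letting the real function execute: is the stack pointer still inside the thread's stack (stack-pivot check), does the return address fall inside a loaded module image rather than sprayed heap (caller check), and was that return address actually reached through a CALL rather than being the start of a ROP gadget. The module table, stack bounds, sample addresses and instruction bytes are all constructed sample data so the code runs on any platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Image range of a loaded module. Constructed sample data: a real hook
 * would read this from the loader's module list rather than a table. */
typedef struct { const char *name; uintptr_t base, end; } module_t;

static const module_t g_modules[] = {
    { "app.exe",      0x00400000u, 0x00450000u },
    { "kernel32.dll", 0x76c00000u, 0x76d00000u },
    { "ntdll.dll",    0x77000000u, 0x77180000u },
};

/* Bounds of the calling thread's stack (constructed; on Windows these are
 * the TEB's StackLimit and StackBase). */
typedef struct { uintptr_t limit, base; } stack_bounds_t;
static const stack_bounds_t g_stack = { 0x0012c000u, 0x00130000u };

enum verdict {
    ALLOW = 0,
    BLOCK_STACK_PIVOT,          /* stack pointer outside the thread stack: ROP pivot */
    BLOCK_CALLER_NOT_IN_IMAGE,  /* return address in heap/stack memory: shellcode */
    BLOCK_NOT_PRECEDED_BY_CALL  /* return address not after a CALL: ROP gadget chain */
};

static const module_t *module_containing(uintptr_t addr) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (addr >= g_modules[i].base && addr < g_modules[i].end)
            return &g_modules[i];
    return NULL;
}

/* Was the instruction ending at the return address a CALL? `before` holds
 * the n bytes that precede the return address, before[n-1] being the last.
 * Recognises three common x86 encodings: E8 rel32, FF 15 disp32 and
 * FF D0..D7 (call reg). Decoding backwards is inherently heuristic (an E8
 * that is really part of an immediate would pass), which is why this is
 * one layer among several rather than a decision on its own. */
static bool preceded_by_call(const uint8_t *before, size_t n) {
    if (n >= 5 && before[n - 5] == 0xE8) return true;
    if (n >= 6 && before[n - 6] == 0xFF && before[n - 5] == 0x15) return true;
    if (n >= 2 && before[n - 2] == 0xFF && (before[n - 1] & 0xF8) == 0xD0) return true;
    return false;
}

/* Run from a hook on a sensitive API before the real function executes.
 * ret_addr and sp are the return address and stack pointer captured at
 * the hook; `before`/n are the bytes immediately preceding ret_addr. */
enum verdict check_sensitive_call(uintptr_t ret_addr, uintptr_t sp,
                                  const stack_bounds_t *stk,
                                  const uint8_t *before, size_t n) {
    if (sp < stk->limit || sp >= stk->base) return BLOCK_STACK_PIVOT;
    if (module_containing(ret_addr) == NULL) return BLOCK_CALLER_NOT_IN_IMAGE;
    if (!preceded_by_call(before, n)) return BLOCK_NOT_PRECEDED_BY_CALL;
    return ALLOW;
}

/* Constructed sample bytes preceding two different return addresses. */
const uint8_t sample_call_rel32[] = { 0x90, 0xE8, 0x10, 0x20, 0x00, 0x00 }; /* nop; call +0x2010 */
const uint8_t sample_rop_gadget[] = { 0x5B, 0x5D, 0xC3, 0x8B, 0x00 };       /* pop ebx; pop ebp; ret; mov eax,[eax] */

int main(void) {
    static const char *names[] = { "ALLOW", "BLOCK_STACK_PIVOT",
                                   "BLOCK_CALLER_NOT_IN_IMAGE", "BLOCK_NOT_PRECEDED_BY_CALL" };
    struct { const char *what; uintptr_t ret, sp; const uint8_t *b; size_t n; } cases[] = {
        { "legit call from app.exe", 0x00401000u, 0x0012f000u, sample_call_rel32, sizeof sample_call_rel32 },
        { "caller in heap spray",    0x0c0c0c0cu, 0x0012f000u, sample_call_rel32, sizeof sample_call_rel32 },
        { "stack pivoted into heap", 0x00401000u, 0x0c0c0c0cu, sample_call_rel32, sizeof sample_call_rel32 },
        { "ROP gadget in ntdll",     0x77012345u, 0x0012f000u, sample_rop_gadget, sizeof sample_rop_gadget },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> %s\n", cases[i].what,
               names[check_sensitive_call(cases[i].ret, cases[i].sp, &g_stack, cases[i].b, cases[i].n)]);
    return 0;
}
```

The first case passes all three checks; the remaining three each trip exactly one of them, which is the point of layering: a heap-sprayed shellcode caller, a pivoted stack and a ROP chain returning into ntdll are different failure modes, and no single check catches all of them. Production mitigations add more (hooking at the kernel transition as well as the API, checking that the stack has not been unwound past its frames, watching for memory being made executable), but they are built on the same idea of judging the circumstances of a call rather than the bytes of a binary.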