SCSPBP1: Generic Windows Interactive Protection

Article:TECH137392  |  Created: 2010-08-05  |  Updated: 2010-11-12  |  Article URL http://www.symantec.com/docs/TECH137392
Article Type
Technical Solution


Issue



SCSPBP1: Generic Windows Interactive Protection


Solution



 

These vulnerabilities are various methods of injecting code into programs or inducing a program to execute code already on the local system that it should not be executing.
 
The out-of-the-box CSP policies provide significant protection against these remote attacks, as they do against any type of injected code. No policy updates are necessary.
 
As soon as the attack attempts behavior that is not normal for the program, CSP blocks that behavior. Since the goal of most attacks is to use the program's privileges in unauthorized ways, most attacks will be blocked. Some specific examples:
 
  • The Strict CSP policy blocks Internet Explorer, Word, Excel and all other interactive programs from writing executable files anywhere on disk. So if the attack code tries to download a Trojan program, it won't be able to write the file. This is true whether the attack is made via a web page (IE or other browser), an email message (Outlook, Outlook Express or other email program), or some other program displaying web content.
  • The Strict CSP policy blocks Internet Explorer, Word, Excel and all other interactive programs from modifying critical Windows files or registry values. So if the attack code tries to damage the system, it won’t be able to.
  • The Strict CSP policy treats Administrators like all other users. Thus, remote code or other injected code is given no special privilege by CSP even if it is run as an Administrator.
  • The Core CSP policy blocks Internet Explorer, Word and Excel from modifying critical Windows files or registry values, unless the program is run by an Administrator.
 
By default, the CSP policies allow Internet Explorer, Word, Excel and all other interactive programs access to most of the file system, except for the critical Windows resources mentioned above. Customers can configure the policy so that these programs cannot modify, or even read, certain files or folders. This would be appropriate for sensitive areas of the file system that are not normally accessed by the programs, and would further limit the damage or information disclosure that attacks could cause.





