Winternals Software has announced that its Protection Manager security solution could have prevented damage caused by the recently discovered Microsoft Word zero-day threat. Protection Manager offers more comprehensive capabilities than conventional antivirus blacklist products, which can only block known threats.
The previously undocumented vulnerability in Microsoft Word has been exploited by malware designated the Backdoor.Ginwui Trojan, which affects Windows-based systems. Exploits such as this trojan are difficult to detect because they are targeted attacks on specific organizations rather than widespread outbreaks. Targeted attacks can persist indefinitely before being discovered. Traditional antivirus products fail to protect against zero-day threats like this trojan because they operate by reactively detecting malicious code that has already been identified.
Other, as yet unknown, malware may also be exploiting this Microsoft Word vulnerability during the lengthy window between the identification of the security hole and the distribution of an updated patch. This window creates a gap in enterprise security that can result in system downtime, lost data, and reduced productivity. In the case of the Backdoor.Ginwui exploit, and other undiscovered exploits of the same vulnerability, users must wait for Microsoft's next "Patch Tuesday." Updating virus definitions would not offer much protection because some exploits may remain undetected, especially attacks that target particular organizations rather than the Windows user community as a whole.
Protection Manager is a proactive Windows enterprise security solution that enables organizations to safeguard servers, desktops, and notebooks from unauthorized external and internal influences. It monitors and intercepts all applications prior to execution, and then blocks or permits each application based on centrally configured rules, while adjusting its security privileges as needed. Users who must run as local administrators can reduce the risk of high-exposure applications by running those applications with Limited User privileges. Users who run as Limited Users can still run legacy applications that require administrative rights by having Protection Manager elevate the permissions of the specific application. This capability stops current and future malicious software attacks and prevents harmful applications from being unintentionally installed by users.
If Protection Manager had been deployed to a network exposed to the Office vulnerability, the Backdoor.Ginwui Trojan would have been recognized as an untrusted application not on the whitelist; consequently, it would not have been allowed to load on protected systems. Likewise, if Protection Manager had been employed to limit user privileges by running Microsoft Word with Limited User privileges, the trojan would not have been permitted to write to a protected machine's registry or file system, and as a result its payload would have been rendered largely ineffective.
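The two controls the announcement describes, an execution allowlist that decides before an image loads and a privilege reduction that stops a high-exposure application from writing to protected locations, can be modelled as a small policy engine. The Python below is an added illustration written for this page; it is not Winternals code and does not reflect how Protection Manager is actually implemented. The image bytes, file paths, registry key, policy rules and the "crafted document" scenario are all constructed for the example.

```python
"""Model of execution allowlisting plus least-privilege enforcement.

Added example, not vendor code. Two independent checks are shown:
  1. decide_launch: an image may run only if its hash is on the allowlist,
     and named high-exposure applications are forced to a limited token.
  2. decide_write: a limited-privilege process may not write to protected
     registry hives or system directories.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable images (real images would be hashed
# from disk; the bytes here only need to be distinct).
WINWORD_IMAGE = b"MZ...constructed-stand-in-for-winword.exe..."
DROPPED_IMAGE = b"MZ...constructed-stand-in-for-an-unknown-dropped-binary..."

# Constructed paths used by the scenario.
WORD_PATH = "C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"
DROPPED_PATH = "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\dropped.exe"
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"


def image_hash(data: bytes) -> str:
    """SHA-256 of an executable image; the allowlist is keyed on this."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Policy:
    allowed_hashes: frozenset      # hashes of images permitted to execute
    run_limited: frozenset         # lower-cased paths forced to limited privileges
    protected_prefixes: tuple      # locations a limited process may not write


@dataclass
class Process:
    path: str
    privilege: str                 # "admin", "standard" or "limited"


def decide_launch(policy: Policy, parent: Process, path: str, image: bytes):
    """Return (verdict, reason, child Process or None) for a launch request.

    The hash check runs first, so an unknown binary is refused regardless of
    who asks. Privilege is inherited from the parent unless policy forces the
    application down to a limited token.
    """
    if image_hash(image) not in policy.allowed_hashes:
        return ("deny", "image hash not on allowlist", None)
    privilege = parent.privilege
    if path.lower() in policy.run_limited:
        privilege = "limited"
    return ("allow", "image hash on allowlist", Process(path, privilege))


def decide_write(policy: Policy, proc: Process, target: str):
    """Refuse writes under protected prefixes from a limited-privilege process."""
    if proc.privilege == "limited":
        for prefix in policy.protected_prefixes:
            if target.lower().startswith(prefix.lower()):
                return ("deny", f"limited process may not write under {prefix}")
    return ("allow", "write permitted")


def simulate_document_attack(policy: Policy):
    """Walk the announcement's scenario: a user who is a local administrator
    opens a crafted document in Word; the exploit inside Word then tries to
    start a dropped binary and to persist through a Run key."""
    events = []
    shell = Process("C:\\Windows\\explorer.exe", "admin")
    verdict, reason, word = decide_launch(policy, shell, WORD_PATH, WINWORD_IMAGE)
    events.append(("launch WINWORD.EXE", verdict, reason))
    # Exploit code running inside Word asks to execute an unknown binary.
    verdict, reason, _ = decide_launch(policy, word, DROPPED_PATH, DROPPED_IMAGE)
    events.append(("launch dropped binary", verdict, reason))
    # Exploit code tries to write a machine-wide Run key using Word's token.
    verdict, reason = decide_write(policy, word, RUN_KEY)
    events.append(("write HKLM Run key", verdict, reason))
    return events


# Constructed policy: only Word is trusted, and Word is forced to limited privileges.
EXAMPLE_POLICY = Policy(
    allowed_hashes=frozenset({image_hash(WINWORD_IMAGE)}),
    run_limited=frozenset({WORD_PATH.lower()}),
    protected_prefixes=("HKLM\\", "C:\\Windows\\", "C:\\Program Files\\"),
)

if __name__ == "__main__":
    for step, verdict, reason in simulate_document_attack(EXAMPLE_POLICY):
        print(f"{step:24s} {verdict:5s} {reason}")
```

Running it with `EXAMPLE_POLICY` allows Word, denies the dropped binary (hash unknown) and denies the Run-key write (Word holds a limited token). Replacing `run_limited` with an empty set keeps the allowlist decision but lets the registry write through, because Word then inherits the administrator's privileges from the shell; that contrast is the point of the announcement's "Likewise" sentence.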