Nozzle to Zozzle: Microsoft's Expanding Security Arsenal
Nozzle and Zozzle make a great-sounding duo. Little publicized and not yet shipped in any product, these two Microsoft Research projects mark something akin to a sea change in Microsoft Corp. (Nasdaq: MSFT)'s approach to security and could add a valuable line of defense against the JavaScript-driven drive-by attacks that account for much of today's Web-based exploitation.
Essentially, attackers had learned to work around the randomized heap base addresses that address space layout randomization (ASLR) gives a process by allocating, or "spraying," thousands of copies of a NOP sled followed by shellcode into the PC's memory. The spray does not find a vulnerability on its own; it is paired with a separate memory-corruption bug, such as a corrupted or dangling pointer, which the exploit steers toward an address it has good odds of having filled. An element of luck is involved, but done on a massive scale the odds become very good. Thus the massive rise of drive-by downloads launched on unsuspecting users through exploits delivered in Web content.
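The spray described above, as an added example that is neither from this page nor Microsoft's Nozzle code: it builds the sled-plus-payload blocks an exploit's spray loop allocates and then runs a simplified version of the per-object sled heuristic a runtime detector such as Nozzle applies to the heap. The payload bytes, the benign objects and the thresholds are constructed for illustration, and the heuristic is a reduced form of Nozzle's (a run of 0x90 bytes rather than a disassembly-based attack surface), not its implementation.

```javascript
// Added example, not Microsoft's Nozzle code: the heap layout a classic
// JavaScript heap spray produces, and a simplified version of the
// "sled-like object" heuristic a runtime detector such as Nozzle applies.
// PAYLOAD is a constructed placeholder (int3 breakpoints), not shellcode.

const NOP = 0x90;                                          // x86 one-byte NOP, the usual sled filler
const PAYLOAD = Uint8Array.from([0xcc, 0xcc, 0xcc, 0xcc]); // constructed placeholder, not real shellcode

// One sprayed block: a long NOP sled with the payload at the end. Control
// flow that lands anywhere in the sled slides forward into the payload.
function makeSprayBlock(blockSize) {
  const block = new Uint8Array(blockSize);
  block.fill(NOP, 0, blockSize - PAYLOAD.length);
  block.set(PAYLOAD, blockSize - PAYLOAD.length);
  return block;
}

// The spray loop itself: allocate `count` copies so that a large share of
// the address space holds sled bytes. ASLR randomizes where the heap starts,
// but a corrupted pointer aimed at a fixed address (0x0c0c0c0c is the classic
// choice) is then likely to hit one of these blocks regardless.
function spray(count, blockSize) {
  const heap = [];
  for (let i = 0; i < count; i++) heap.push(makeSprayBlock(blockSize));
  return heap;
}

// Objects an ordinary page allocates: UTF-8 text plus a pseudo-random binary
// buffer (deterministic LCG so the example is reproducible). Constructed data.
function benignHeap() {
  const enc = new TextEncoder();
  const rnd = new Uint8Array(4096);
  let seed = 12345;
  for (let i = 0; i < rnd.length; i++) {
    seed = (Math.imul(seed, 1103515245) + 12345) >>> 0;
    rnd[i] = seed >>> 24;
  }
  return [enc.encode("<div class='price'>19.99</div>"), enc.encode("var total = 0;"), rnd];
}

// Simplified sled heuristic: the longest run of NOP bytes as a fraction of the
// object. Nozzle instead disassembles each object and measures how much of it
// flows into a sled (which also catches multi-byte sleds); the idea is the same.
function sledRatio(block) {
  let longest = 0, run = 0;
  for (const b of block) {
    run = b === NOP ? run + 1 : 0;
    if (run > longest) longest = run;
  }
  return block.length === 0 ? 0 : longest / block.length;
}

// Global, Nozzle-style metric (Nozzle calls its version the normalized attack
// surface area): share of heap bytes that sit in sled-like objects. One odd
// object is tolerated; a sprayed heap is not.
function heapHealth(heap, objectThreshold = 0.5) {
  let total = 0, suspicious = 0;
  for (const obj of heap) {
    total += obj.length;
    if (sledRatio(obj) >= objectThreshold) suspicious += obj.length;
  }
  return total === 0 ? 0 : suspicious / total;
}

function isHeapSprayed(heap, heapThreshold = 0.5) {
  return heapHealth(heap) >= heapThreshold;
}

console.log("benign heap sprayed?", isHeapSprayed(benignHeap()));                        // false
console.log("after spray loop sprayed?", isHeapSprayed(spray(500, 4096).concat(benignHeap()))); // true
```

The per-object threshold is what keeps false positives down: a text buffer or a random binary blob may contain an occasional 0x90 byte, but never a run covering half the object, whereas every sprayed block is almost entirely sled. The global metric then decides, because a browser heap legitimately holds the odd repetitive buffer.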
Whether it is a Web page, a PDF, or a Flash file, almost any data format that can carry script can carry an exploit. Malicious code has also been found hidden in image file comment fields, in documents, and in dynamic-link libraries, some of it through steganographic techniques (hiding one message inside another file). From the attackers' point of view, a spray takes only about ten lines of JavaScript to set up, which is what makes the technique such a favorite.
Nozzle was introduced to the world by its Microsoft Research team about a year ago. The rise of mass-scale heap-spraying attacks delivered through JavaScript -- for example, the exploits against Adobe Reader, whose PDF files can carry script -- led Microsoft to seek a solution.
Nozzle was Redmond's first effort, but because it scans the heap while the page is running it imposes a noticeable overhead on the browser. Hence the introduction of Zozzle, a low-overhead solution that works on the JavaScript itself and can be used in-browser to detect and block JavaScript malware before it runs.
In Microsoft Research's tests, Zozzle's detection rate came out 59 percent better than that of Google's SafeBrowsing. According to Microsoft: “SafeBrowsing detects less than half of the URLs found by ZOZZLE,” and “ZOZZLE finds many more malware pages than NOZZLE.”
The advantage of Zozzle appears to be that it detects the malicious code itself, as opposed to Nozzle's detection of an attack already under way in the heap. Rather than trying to unpack obfuscated scripts on its own, Zozzle examines code at the moment the JavaScript engine is about to compile it, after the malware's own unpacking has run; it then extracts features from the program's Abstract Syntax Tree (AST), each paired with the context in which it appears, and feeds them to a naive Bayes classifier trained on known malicious and benign scripts.
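The AST-feature classification described above, as an added example that is neither Zozzle's code nor from this page: it extracts (context, text) features from hand-built trees in ESTree shape and trains a naive Bayes classifier on constructed samples. The helper constructors, the context table, the training scripts, the two unseen scripts and the 16-character string prefix are all assumptions made for the example; Zozzle's hooking of the engine's compile step to obtain the de-obfuscated tree, and its feature selection, are omitted here.

```javascript
// Added example, not Zozzle's code: Zozzle-style classification of
// JavaScript from (context, text) features read off the abstract syntax
// tree, scored with a Bernoulli naive Bayes classifier. The ASTs are
// constructed by hand in ESTree shape (the form parsers such as Acorn emit)
// so the example runs without a parser; in the real system the tree comes
// from the engine's compile step, after the malware has unpacked itself.

const node = (type, props) => ({ type, ...props });
const id   = name  => node("Identifier", { name });
const lit  = value => node("Literal", { value });
const call = (callee, args) => node("CallExpression", { callee: id(callee), arguments: args });
const decl = (name, init) => node("VariableDeclaration",
  { declarations: [node("VariableDeclarator", { id: id(name), init })] });
const concat = (a, b) => node("BinaryExpression", { operator: "+", left: id(a), right: id(b) });
const assign = (target, value) => node("ExpressionStatement",
  { expression: node("AssignmentExpression", { left: id(target), right: value }) });
const stmt = expr => node("ExpressionStatement", { expression: expr });
const loop = body => node("ForStatement", { body: node("BlockStatement", { body }) });
const prog = body => node("Program", { body });

// A feature is a leaf's text tagged with the kind of its nearest enclosing
// context node, so `unescape` in a loop and `unescape` in a variable
// initialiser are distinct features, as they are in Zozzle. Assumed table.
const CONTEXT = { Program: "program", ForStatement: "loop", VariableDeclaration: "var",
                  CallExpression: "call", FunctionDeclaration: "function", TryStatement: "try" };

function extractFeatures(ast) {
  const feats = new Set();
  (function walk(n, ctx) {
    if (!n || typeof n !== "object") return;
    if (Array.isArray(n)) { n.forEach(c => walk(c, ctx)); return; }
    if (n.type === "Identifier") feats.add(`${ctx}:${n.name}`);
    else if (n.type === "Literal" && typeof n.value === "string")
      feats.add(`${ctx}:string:${n.value.slice(0, 16)}`); // prefix keeps long sprayed strings comparable
    const next = CONTEXT[n.type] || ctx;
    for (const [k, v] of Object.entries(n)) if (k !== "type") walk(v, next);
  })(ast, "program");
  return feats;
}

function train(samples) {
  const model = { classes: {}, vocab: new Set() };
  for (const { label, ast } of samples) {
    const c = model.classes[label] || (model.classes[label] = { docs: 0, counts: new Map() });
    c.docs++;
    for (const f of extractFeatures(ast)) {
      c.counts.set(f, (c.counts.get(f) || 0) + 1);
      model.vocab.add(f);
    }
  }
  return model;
}

// Bernoulli naive Bayes with Laplace smoothing: every vocabulary feature
// votes, whether present or absent, and the class with the higher
// log-probability wins. (Zozzle adds chi-squared feature selection first.)
function classify(model, ast) {
  const present = extractFeatures(ast);
  const total = Object.values(model.classes).reduce((s, c) => s + c.docs, 0);
  let best = null;
  for (const [label, c] of Object.entries(model.classes)) {
    let logp = Math.log(c.docs / total);
    for (const f of model.vocab) {
      const p = ((c.counts.get(f) || 0) + 1) / (c.docs + 2);
      logp += Math.log(present.has(f) ? p : 1 - p);
    }
    if (best === null || logp > best.logp) best = { label, logp };
  }
  return best.label;
}

// Constructed training set: two spray-style scripts and two ordinary page scripts.
const TRAINING = [
  { label: "malicious", ast: prog([
      decl("shellcode", call("unescape", [lit("%u9090%u9090%u0c0c%u0c0c")])),
      decl("nop", call("unescape", [lit("%u9090%u9090")])),
      decl("spray", node("ArrayExpression", { elements: [] })),
      loop([assign("spray", concat("nop", "shellcode"))]) ]) },
  { label: "malicious", ast: prog([
      decl("payload", call("unescape", [lit("%u0c0c%u0c0c%u9090")])),
      loop([assign("block", concat("block", "payload"))]),
      stmt(call("eval", [id("block")])) ]) },
  { label: "benign", ast: prog([
      decl("total", lit(0)),
      loop([assign("total", concat("total", "price"))]),
      stmt(call("render", [lit("cart"), id("total")])) ]) },
  { label: "benign", ast: prog([
      decl("el", call("getElementById", [lit("header")])),
      stmt(call("addEventListener", [lit("click"), id("onClick")])) ]) },
];

// Unseen scripts to classify (constructed): a fresh spray with renamed
// variables, and a shopping-cart loop that shares its loop shape with the spray.
const UNSEEN = {
  spray: prog([ decl("sc", call("unescape", [lit("%u9090%u9090%u0c0c%u0c0c")])),
                loop([assign("mem", concat("mem", "sc"))]) ]),
  cart:  prog([ decl("n", lit(3)),
                loop([assign("total", concat("total", "n"))]),
                stmt(call("render", [lit("cart"), id("total")])) ]),
};

const model = train(TRAINING);
console.log("spray ->", classify(model, UNSEEN.spray)); // malicious
console.log("cart  ->", classify(model, UNSEEN.cart));  // benign
```

Renaming the variables does not help the spray: the features that carry weight are the `unescape` call and the `%u9090` string prefix in call context, which a working spray cannot do without, while the cart script is pulled toward benign by its `render` call and `cart` string even though it has the same loop-and-concatenate structure. This is the reason Zozzle needs the de-obfuscated tree: features read from the packed wrapper would show only `eval` and one long string.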
These are early days, though; Microsoft's researchers are keen to stress that much of Zozzle still remains to be refined in what is a difficult area of research.
If we look at Microsoft overall, Zozzle would be the latest addition to a growing list of security products that are now all free. We have the Microsoft Windows Malicious Software Removal Tool, which checks computers running Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections of malicious software and helps remove any infection found. Microsoft estimates that its package has cleaned 46.5 million PCs, or 7.76 percent of 600 million PCs running Windows in 11 countries -- US, Brazil, China, France, Spain, UK, South Korea, Germany, Italy, Russia, and Mexico -- just in the first half of 2010.
Microsoft also provides a free download of Microsoft Security Essentials for real-time protection against viruses, spyware, and other malicious software. Also, the SmartScreen Filter in Internet Explorer 8 currently checks visited URLs against a dynamically updated list of reported phishing and malware sites.
Presumably, Zozzle will become part of that Internet Explorer tool set. However, the Zozzle technical paper describes its algorithms in fairly extensive detail, which may signal a major change from Microsoft, potentially ushering in a new era of open-source Microsoft security technology.
Let us hope Microsoft allows Zozzle's code to be used by other developers so that it could eventually be available as a plug-in for other browsers, not just Microsoft's.