Tag Archive 'Virus'

Dec 11 2008

Patch Tuesday – Fail

This week brought the proverbial MSFT Patch Tuesday: eight bulletins patching Internet Explorer, MS Office components, Windows Explorer and more. All in all, a pretty heavy Black Tuesday for MSFT.

The Fail

As MSFT was releasing its patches, another group of people was releasing its own little bug. On Tuesday morning, while the MSFT patches were going out, several online publications started reporting a new IE 0day exploit in the wild. All the publicity started here at PC World, and from there it just rolled downhill.

The flaw was made public in Chinese language discussion forums two days ago by a security group called the Knownsec team. In tests, it worked on IE 7 running on Windows XP, Service Pack 2.

Since the initial PC World report the story has spiraled through the other media outlets, but nothing useful was published until HD Moore did some really good analysis of the exploit over at the BreakingPoint blog.

Defenses

  1. Start off by switching browsers to Firefox. You can get it here.
  2. Enable DEP on your system. Note that on XP SP2 the default DEP policy is OptIn, which covers only Windows system binaries and services, so IE gets no protection until you move the system to the OptOut or AlwaysOn policy; the CPU also needs NX support, since the software-only DEP fallback does not stop execution of sprayed heap data.

Until MSFT releases a patch for this I would recommend switching to another browser.

No responses yet

Oct 23 2008

Patch Or Die

Caught your eye with that one. It seems there is a new vulnerability out there that MSFT considers so “bad” that they have released an out-of-band patch for it (MS08-067, a remote code execution bug in the Windows Server service). How bad is it? Well, let’s just say you should patch all your Windows systems ASAP. I am not going to analyze this patch again, as many others have done so already.

Just 2 words for you – PATCH IT

As of 11:00 PM PST there is a known working exploit in the wild in the form of a worm.

Read all about this in the links below.

Microsoft Patch Notification

Microsoft TechNet Blog entry

Microsoft TechNet Blog Entry more about

The normal SANS Stuff

Exploit information links below

Good blog entry on the worm/exploit – ThreatExpert

Another Good Entry – Team Furry

Comment as you see fit.


Oct 14 2008

AV is Dead (or should be)

Published by under Anti Virus,Malware,Virus

Today AV in its traditional form should be dead. It has taken me some time to catch up on my RSS feeds, but it was worth the time. As I got down toward the end I ran across this item from Secunia – Symantec beats the competition... Now, since I am not a fan of Symantec, I was very interested in what this had to say.

As it turns out, Secunia tested 12 internet security suites and the results were, let’s say, less than desirable. The test threw 300 exploit files for known vulnerabilities at the 12 suites and measured how many each one detected. Overall, one word: FAIL. So does this mean you are not safe? Well, sort of. The test measured whether a scanner recognizes the exploit file itself (a malformed document or media file aimed at a specific bug) rather than the malware it delivers, and signature-based AV is tuned for the latter. The practical takeaway is that patching the vulnerability closes the hole whether or not AV ever notices the exploit.

Even the “high” score from Symantec was disappointing. Symantec detected a mere 64 out of 300 exploits, or less than one-fourth, leaving 236 exploits undetected!

Read more here http://secunia.com/blog/29/

and

here are the test results http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

Stay tuned for What’s Next for AV


Jun 10 2008

Ransomware (what is it)

Published by under Malware,Virus

Recently there has been some talk about a new “ransomware” that is out and infecting people. The virus is called Virus.Win32.Gpcode.ak; a little information can be found here. In short, once executed this virus searches the user’s hard drive for files to encrypt.

Once your files are encrypted it drops a text file in every directory that contains encrypted files, reading:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com

=== BEGIN ===
[key]
=== END ===

Antivirus vendors are currently looking for a solution; Kaspersky Lab seems to be leading the effort. If you are a code breaker you can go here for more info. Keep in mind that if the RSA-1024 claim is accurate, factoring the key is out of reach; any recovery will come from a mistake in the malware’s implementation (for example, the originals still being recoverable from disk) rather than from breaking the algorithm.
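As an added triage example (not code from the original post or from any vendor): a read-only scanner that walks a directory tree, identifies ransom notes by the marker sentence in the note quoted above rather than by filename (the post does not give the note’s name), pulls out the contact address and the key blob between the === BEGIN === / === END === lines, and counts the encrypted files sitting beside each note. The encrypted-file suffix (._CRYPT), the note filename and the sample tree are assumptions constructed for this demo, not details from the post.

```python
"""Added example (not from the original post): read-only triage scan for
a Gpcode-style ransomware note.  Matches notes by content, extracts the
key blob and contact address, and counts encrypted files per directory.
The ._CRYPT suffix and the sample tree are assumptions for this demo."""
import os
import re
import tempfile

# Marker sentence from the note quoted in the post; we match on content
# because the post does not give the note file's name.
NOTE_MARKER = "Your files are encrypted with RSA-1024 algorithm"
KEY_BLOCK = re.compile(r"=== BEGIN ===\s*(.*?)\s*=== END ===", re.DOTALL)
CONTACT = re.compile(r"contact us at:\s*(\S+)")

# Assumed suffix appended to encrypted files (assumption for this example;
# verify against the sample you are actually handling).
ENCRYPTED_SUFFIX = "._CRYPT"


def parse_note(text):
    """Return {'contact', 'key'} if text is a ransom note, else None."""
    if NOTE_MARKER not in text:
        return None
    key = KEY_BLOCK.search(text)
    contact = CONTACT.search(text)
    return {
        "contact": contact.group(1) if contact else None,
        "key": key.group(1).strip() if key else None,
    }


def scan_tree(root, suffix=ENCRYPTED_SUFFIX):
    """Walk root without modifying anything; one finding per directory
    that holds a note.  Nothing here touches the encrypted files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                # Notes are tiny; reading 4 KB is enough and avoids pulling
                # large encrypted blobs through the text decoder.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip, never fail the scan
            note = parse_note(head)
            if note is None:
                continue
            findings.append({
                "dir": dirpath,
                "note": path,
                "contact": note["contact"],
                "key": note["key"],
                "encrypted": sorted(n for n in filenames if n.endswith(suffix)),
            })
    return findings


def summarize(findings):
    """The counts a responder wants first: scope, and whether one key
    was used everywhere (per-victim key) or keys differ per directory."""
    return {
        "directories": len(findings),
        "encrypted_files": sum(len(f["encrypted"]) for f in findings),
        "distinct_keys": len({f["key"] for f in findings}),
    }


# Constructed sample note: same text as the post's, with a placeholder
# address and a made-up key blob.
SAMPLE_NOTE = (
    "Your files are encrypted with RSA-1024 algorithm.\r\n"
    "To recovery your files you need to buy our decryptor.\r\n"
    "To buy decrypting tool contact us at: decryptor@example.com\r\n"
    "\r\n=== BEGIN ===\r\nCONSTRUCTED-KEY-BLOB-0001\r\n=== END ===\r\n"
)


def build_sample_tree(base):
    """Constructed infection layout: two hit directories, one clean one."""
    layout = {
        "docs": ["ransom_note.txt", "report.doc._CRYPT", "budget.xls._CRYPT", "notes.txt"],
        "photos": ["ransom_note.txt", "holiday.jpg._CRYPT"],
        "clean": ["README.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w", newline="") as fh:
                fh.write(SAMPLE_NOTE if name == "ransom_note.txt" else "harmless content\n")


def demo():
    """Build the constructed tree in a temp dir, scan it, return results."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan_tree(base)
        return findings, summarize(findings)


if __name__ == "__main__":
    found, summary = demo()
    for f in found:
        print(f"{f['dir']}: {len(f['encrypted'])} encrypted, contact {f['contact']}, key {f['key']}")
    print(summary)
```

The scan deliberately opens files read-only and never renames or deletes anything, so the encrypted files and the deleted originals (if any are still on disk) stay intact for a recovery tool. A distinct-key count of 1 across every directory tells you the sample used one key per victim, which is what you want to know before deciding whether a single decryption key would recover the whole machine.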

Solutions to help (before this happens to you)

  • Back up your data regularly
  • Keep several generations of backups
  • And whatever you do, do not store them on the PC that could become affected; keep them offline on CD/DVD or on an external hard drive that you keep unplugged from your system (a drive that is mounted when the malware runs gets encrypted along with everything else)

More information and references

http://isc.sans.org/diary.html?storyid=4544

http://blogs.zdnet.com/security/?p=1259

http://people.csail.mit.edu/tromer/gpcode/

http://usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000131

http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444
