Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: hlecter on March 18, 2006, 10:14:00 AM
-
I hope Avast will take care of this one asap,
if it not already does? McAfee and Symantec do as I understand it.
:)
Link to sans.org: http://isc.sans.org/diary.php?storyid=1198
Regards
Hannibal Lecter
Edit: Added excerpt from Sans.org:
Published: 2006-03-17,
Last Updated: 2006-03-17 22:13:17 UTC by John Bambenek (Version: 1)
There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE. The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag. This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash. Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution.
More as it develops...
-
While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution.
Won't a firewall or NetShield avast provider caught this one? ::)
-
I have to answer myself.
I assume the answer to my question is no.
Why dead silence around my question?
Isn't it polite to give an answer regardless what the answer is? :'(
Hannibal
-
Why dead silence around my question?
Maybe they do not follow the Forum in the last hours, maybe they're working for this and other changes... Who knows...
-
One slight problem I tried the link and IE7 froze curious
-
[Won't a firewall or NetShield avast provider caught this one? ::)
Tech, Sorry I was typing while you were answering me:
No, a firewall will NOT stop this. It's a vulnerability in Internet Explorer.
Mshtml.dll in IE. A fully patched IE6 SP2 is vulnerable.
I assume you mean Webshield and not Netshield.
But Webshield also requires signatures to stop this, but I am a grat fan of webshield.
It can't do miracles.
If you wish, I can point you to a POC-site with a picture that really hangs your Explorer.
-
I assume you mean Webshield and not Netshield.
No, I mean NetShield. It does not requires signatures to work.
Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious contents. It can be also taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System). Network Shield protects you from internet worms that spread themselves via various security holes in your system. Typicaly these kind of viruses don't infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kind of attacks are not easily catched by ordinary antivirus during file or mail scanning. It is not a duplicate work with Standard Shield.
-
Tech, do you really mean that the Netshield can take care of this?
I am on a stand-alone computer connected directly to the net. Using Standardshield, Webshield and ZA.
I do not even use the Netshield because from what I have read, in my configuration, it would not give any additional protection.
By the way, this is not a worm or something like that, but a flooding of Explorer so it crashes.
HL
-
Tech, do you really mean that the Netshield can take care of this?
No, just guessing for what you've posted before...
By the way, this is not a worm or something like that, but a flooding of Explorer so it crashes.
In fact... NetShield is not designed for that.
Maybe Igor or Vlk could post something about with more technical knowledge 8)
-
Talking to myself once again:
If it is like Tech says that Netshield take care of this, why not say so officially.
If this is not the case , why not inform the users that "we are working" on it, or something like that.
This reminds me of early in the WMF-exploit when I asked a similar question without any response.
I am aware that by now we are talking DOS-attempts, but as Sans says, it is just a matter of time before it get worse.
We (the users) deserve an answer.
EDIT: Tech, Sorry again, I have to type faster. :)
-
This reminds me of early in the WMF-exploit when I asked a similar question without any response.
And behind the scenes avast was working and one of the first to pass all the known WMF exploits.
If you are so concerned about this vulnerability in IE, switch browsers, Opera, Firefox or any non-ie based browser. I would like to hope that MS are also working on a solution to this but I don't hear the screams about what they are doing about it.
Until MS totally remove IE from the OS integration I for one won't be using it as any vulnerability in the browser can lead to a vulnerability in the OS.
As for "Sans says, it is just a matter of time before it get worse." when these scripts are developed we will have to see if the web shield will detect and intercept them, until then it is speculative and you can't easily defend against speculation.
-
I'll second that!
Even the bloke who discovered the expolit is pretty sarky about IE:
This might not come as a surprise, but there appears to be a *very* interesting and apparently very much exploitable overflow in Microsoft Internet Explorer (mshtml.dll).
http://www.securityfocus.com/archive/1/427904/30/0/threaded
Historically, IE has had more vulnerabilities, more serious vulnerabilities, and taken longer to fix them.
http://www.webdevout.net/security_summary.php
Why wait for your AV to protect you? Like David said, switch to Firefox or Opera and be less at risk.
-
This reminds me of early in the WMF-exploit when I asked a similar question without any response.
And behind the scenes avast was working and one of the first to pass all the known WMF exploits.
Yes, fine.
And I just asked a question: Is this happening now,too? Dead silence about that.
Avast have declared to speed up their detection, and I want to be safe.
Nothing more, nothing less. I trust in Avast and I want to continue with that....
Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say:'Not for use with IE, use another browser'.
Avast declared that they would speed up the detection and I am just following up.
One of the guys who tried the POC declared that Norton Internet Security saved him.
Yes, we can blame MS, but I don't think MS is the topic in this forum.
Personally I am not concerned about this at this point.
I just want to be sure that my antivirusprovider is catching up(with all the new virusanalysts installed)
"we will have to see if the web shield will detect and intercept them" you said.
But I have always believed that Webshield uses the same sigs as the rest of Avast.
I am not an enemy, just aking what I think is a legitimate question.
Silence is golden is no always the best.
-
I thing we live in a rare atmosphere were we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast.
Why suggesting another browser is off topic is because 80-90% use IE is neither here or there, the issue is about a 0-day exploit that directly effects IE users. So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem.
I know which I would choose, but you must decide for yourself.
-
hlecter:
"...Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say:'Not for use with IE, use another browser'."
I feel really the topic is that ; "80-90 % " of Internet users browse with IE. This makes it a huge target for malcreants . I'm sure Alwil is working at patching the exploit , maybe more so than MS . ???
As DavidR says:
" I thing we live in a rare atmosphere were we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast."
"So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem."
Patience is a virtue, so is common sense when an option to not use IE till " patched " is available. :)
Safe Surfing .
-
Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say:'Not for use with IE, use another browser'.
Remember, I don't speak for avast, I'm just an avast user like yourself, so lets not put words in either my mouth or avast's mouth, after all you have said of their silence, "We (the users) deserve an answer."
So avast clearly haven't said for avast users to use a differen't browser, I suggested that.
-
My conclusions are:
1. I asked a simple question :)
2. I got a lot of answers ???
3. None of the answers matches my question. :'(
I am positive considering Avast, but to say we are spoiled because of a good forum
is taking it too far. The problem is lack of information. I tried to get some information on behalf of myself and others and I didn't get it. (this time).
I can live with that. Me too, in fact, have tried to answer questions here. But I try to answer the question posted and not another. And I like to know what I am talking about so that's the reason for why that happens very seldom as you can see from my postcount. :)
I see it this way:
To get well treated in this forum you have to ask the "right" questions and e.g. avoid mentioning tests where Avast is under pari or other negative aspects of Avast.
Or saying anything about low detection rates and the like.
This time I asked the "wrong" question.
But I will be back later to hopefully be able to help others or asking "correct" questions.
No hard feelings, but a lttle bit disappointment that I didn't get an official answer that e.g. we are working on it and hopefully it will be fixed by......
Bye for now. (Thread closed from my point of view, I mean I should never have started it :).)
Postscriptum: Yes, I have Opera too, but that's still offtopic in my opinion
-
***
Hannibal,
In an above post you stated you do not use Network Shield. Why not? ???
Tech states it might be possible that Network Shield might help with this exploit. Wether it does or not, turning that shield on would do no harm and might help in some way. I do not think it would use many (little or none) resources if it is active but not doing anything.
I have always had Network Shield active yet it always has a zero count. As far as resources go, I can not even tell it is on. Still, it is on for me and if something comes along that Network Shield might protect against, then it is activated to do whatever it might do.
The old saying goes, "An ounce of prevention is worth a pound of cure."
***
-
To get well treated in this forum you have to ask the "right" questions and e.g. avoid mentioning tests where Avast is under pari or other negative aspects of Avast
This is not true. You know that.
You don't have to ask the 'right' question. You just need to WAIT for the official answers.
You got a free antivirus software, free support, but you want it now, now, now... so, you get the dead silent...
Or saying anything about low detection rates and the like.
You're not being fair. I complain about this whatever I think I need/deserve.
You're not being fair...
This time I asked the "wrong" question.
No.
I didn't get an official answer that e.g. we are working on it and hopefully it will be fixed by......
Bye for now. (Thread closed from my point of view, I mean I should never have started it :).)
I've asked them... but we're on the weekend and maybe this is not a priority issue.
-
CharleyO,
I had finished the thread when I saw your question.
After what I have heard and read it's pointless in my configuration.
But I might be wrong. Generally speaking( not this exploit): For what reason should I use Network Shield.
I am not on a local network.
I am directly connected to the net.
I use ZA
Could you enlighten me; I would be very happy if you could.
The fact that it's light on resources is not enough by itself.
Thanks
-
Tech,
I had finished this thread and I will stop commenting on the "answers" with one exception:
Conclusion:
Points 1,2 and 3 stand as before
4. I hope the next virusoutbreak is not in a weekend. (vacation, you know.)
-
***
Hi Hannibal,
For me, it does not matter what reason but that Network Shield is active just in case something comes along that it can protect my computer from getting. I have had my share of problems in the past, learnt from those problems, and since then have done all I know possible to protect my computer. In the case of Network Shield, it may never do anything for me but it is an "once of prevention" that I mentioned above. :)
Like you, I am not on a local network, connect directly to the internet wirelessly, and also use ZA. I see Network Shield as something that might help and does no harm to have active. What can it hurt to activate Network Shield? It slows down nothing. And perhaps it someday prevents me from having to use a "pound of cure" to correct something that would not have happened otherwise. :)
I would rather have protection not ever needed than to someday need protection not ever used. ;)
***
-
At the moment this 'exploit code' consists only of an 'apparently very much exploitable overflow' in IE. The code *only* crashes IE.
This vulnerability can be triggered by specifying more than a couple thousand script action handlers.
The example page does indeed consist of thousand of instances of 'onclick=bork' following a single HTML tag. ('bork' being the 'language' of the Swedish chef from the Muppets.)
Currently this exploit doesn't seem to be 'in the wild' in the sense that nothing is yet using it as 'a vector for remote code execution.' Indeed, it is only a DoS vulnerability, found only (as far as I know) on the demonstration page written by the discoverer.
So the best advice for IE users would seem to be the words below.....
-
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely not reason for an AV program to detect/prevent this.
An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijaks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??
-
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely not reason for an AV program to detect/prevent this.
Vlk, first of all: Thank you for a very clear answer to my question. (at last)
Secondly, I have to quote Sans.org again:
Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution.
I thougt Avast wanted to be proactive, i might be wrong?
An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijaks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??
Why on earth shouldn't avast protect its users in all possible ways??
For how long will this be limited to a bogus site?? A living POC is a good start for others.
I really don't understand your attitude .
-
was there ever an answer to this? I don't see a reply so am I to assume that if some hacker figures a why through the IE code through this error I'm open to attack?
-
was there ever an answer to this?
Vlk already answered:
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely not reason for an AV program to detect/prevent this.
An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijaks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??
When this become a threat, then...
-
I'm really trully sorry to hear that, in this day of needed zero day pervention, I fear I made a poor choice in avast...
-
***
I do not think you will find a faster response team than the one Avast has. The truth is, no anti-virus program has zero day prevention ... even if they say they do. If that were true, then there would be only one anti-virus program ... and no virii. What would be the point in writing a virus if there were zero day prevention?
***
-
I doubt that you made a bad choice in avast, but currently there is no threat to your system as Vlk said other than it crashing IE, which you can easily restart. Now if the situation changes where it is possible to execute remote code, then it becomes a threat then you can be reasonably certain avast (Alwil Software) will respond to that threat.
One thing for sure (IMHO) you are unlikely to get such an open answer from many of the other AVs out there.
However, it is your system and it is your choice to use avast or another AV as it is choice if you use IE that the exploit effects directly or use another browser that isn't effected, I now what my choice would be.
-
Secunia confirmed the vulnerability on a fully patched PC running IE 6 and WinXP SP2, but deemed the flaw 'not critical'.
Other than that this flaw crashes IE there is no report (as VLK said) that it allows remote code execution.
-
I'm really trully sorry to hear that, in this day of needed zero day pervention, I fear I made a poor choice in avast...
Not to be rude at all, just my opinion, by zero day prevention is more promisses than reality, crashes than security.
I've tried:
a) the buggy ProcessGuard.
b) the ex-freeware PrevX with a poor interface, update, etc.
c) the good, powerfull, but crash-maker with just common things, of System Safety Monitor.
d) other programs that promisse, promisse and know what? Nothing.
Just my opinion and experience.
I respect other opinions and experiences.
-
I'm not trying to make trouble just get a better handle on what's going on & how I can prevent exposure of my HD contents. You see my laptop is not just pleasure but I work for a bank & in the security dept. and have some sensitive info on here. It would look pretty silly if the assisant to the VP of security gets hacked?? I think someone should say more than if there's an attack we'll act. The prudent thing is to step forward & give an intelligent thought out answer to what steps will be taken & how fast we'll see an update 'if' the worse case senerio happens...I should mention that I'm already afraid of this happening on a weekend when the shop is closed for updates...
-
***
I do no think the shop is ever closed. Someone is always on duty at Avast. :)
And, though rare, there have been weekend updates when they were needed. :)
***
-
I'm not trying to make trouble just get a better handle on what's going on & how I can prevent exposure of my HD contents. You see my laptop is not just pleasure but I work for a bank & in the security dept. and have some sensitive info on here. It would look pretty silly if the assisant to the VP of security gets hacked?? I think someone should say more than if there's an attack we'll act. The prudent thing is to step forward & give an intelligent thought out answer to what steps will be taken & how fast we'll see an update 'if' the worse case senerio happens...I should mention that I'm already afraid of this happening on a weekend when the shop is closed for updates...
Well firstly this exploit only crashes IE and currently can't do anything to your HD. If there is any possibility that remote code could be executed then it could effect your HD, in which case avast would I'm sure be covering that threat.
Secondly I would stop using IE, the browser is an integral part of the OS so if that is exploited, effectively you have exploited the OS. ActiveX and BHOs are virtual magnets for adware and spyware, it is so simple for them to be installed with IE. Opera or firefox or any other non-ie based browser would be fine. Hopefully in the fullness of time MS will get around to patching this vulnerability (just in time for the next to replace it, ;D).
Anti-viruses by there nature are reactive, they react to threats but in order to do that they need samples of the code (0-day stuff). Some AVs use heuristic detection, that can be extremely complex in trying to first guess what might be harmful. That in itself can cause problems, so it is difficult to say anything other than they will act in light of newly detected threats.
The person behind the keyboard is a first line of defence before any AV ever gets a look in, this type of exploit would be unlikely on a web site with reasonable security as it too would first have to be hacked to implant the code, etc.
So how do you get to those sites that have either been hacked or faked to look like a valid site, clicking links in web pages or emails when you can't check the authenticity of the site.
You don't open attachments in unknown email, the same should be true of links in emails.
If your laptop is for work and home, surely the VP of security has some security policy relating to there use. If you have some sensitive information on it then that info should be in a folder which can be protected either by password or encrypted. You should also have a back-up/recovery strategy.
Most viruses inherit the user privileges so if you have admin privileges then it too has admin rights. Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
-
How I can prevent exposure of my HD contents.
A good outbound firewall. Kerio has applications monitor or code injection (including when started by another application or process) for free.
I should mention that I'm already afraid of this happening on a weekend when the shop is closed for updates...
This is simple especulation, more, it's not fair. It was already discussed... we're losing time about weekend updates issues...
If you want placebo updates, well, avast won't be for you.
-
sorry for causing trouble...
-
Your not causing any trouble, your obviously concerned and we are trying to give you information, that should help to protect your data and to alay those fears and hopefully reassure you that everything you read isn't as serious as it may seem.
-
thanks & yea I made too much of it. I like Avast & wouldn't consider removing it, thanks for your understanding, my combo of Avast!, kerio & ewido I feel will keep things tight, thanks again...
-
I 've just read this page and are dismayed, and thankful that lbubb has been given such knowledge as to secure 'sensitive' information.
Dismayed that the employer didn't have such information to train bank staff, and thankful that the volunteers here have stated clearly what procedures to take.
The responsibility shouldn't lie with Avast! Anti-virus and volunteers at this Forum .
I learn each day that the general community/ Media / Employers has no idea what common sense steps to take to protect their online security, especially in sensitive matters. I don't want to preach, or go off topic, but some of the things I read and hear on radio and T.V. only confuse and worry people .
Responsible Education on these matters is long overdue. Lucky such information is freely available here.