Author Topic: New zero-day exploit in-the-wild, Catched by Avast?  (Read 19600 times)

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
New zero-day exploit in-the-wild, Catched by Avast?
« on: March 18, 2006, 10:14:00 AM »
I hope Avast will take care of this one asap,
if it does not already? McAfee and Symantec do, as I understand it.
 :)
Link to sans.org: http://isc.sans.org/diary.php?storyid=1198

Regards
Hannibal Lecter

Edit: Added excerpt from Sans.org:

Published: 2006-03-17,
Last Updated: 2006-03-17 22:13:17 UTC by John Bambenek (Version: 1)

There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE.  The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag.  This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash.  Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.

More as it develops...

« Last Edit: March 18, 2006, 12:54:34 PM by hlecter »
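
The excerpt above attributes the crash to an abnormally large number of script actions inside a single HTML tag. As an added example (not code from the forum, SANS or any vendor), this is how a content filter could flag such markup heuristically; reading "script actions" as `on*` event-handler attributes, the name `scan_html` and the threshold of 50 are assumptions.

```python
from html.parser import HTMLParser

# Assumed threshold: the excerpt only says "a couple thousand"; ordinary
# markup rarely carries more than a handful of handlers on one tag.
MAX_HANDLERS_PER_TAG = 50


class HandlerFloodScanner(HTMLParser):
    """Records tags whose number of on* attributes exceeds a limit."""

    def __init__(self, limit=MAX_HANDLERS_PER_TAG):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []  # (tag, line, handler_count)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and keeps repeated attributes, so
        # duplicates of the same handler are counted individually.
        count = sum(1 for name, _ in attrs
                    if name.startswith("on") and len(name) > 2)
        if count > self.limit:
            line, _ = self.getpos()  # position of the tag's opening '<'
            self.findings.append((tag, line, count))


def scan_html(text, limit=MAX_HANDLERS_PER_TAG):
    """Return a list of (tag, line, handler_count) for suspicious tags."""
    scanner = HandlerFloodScanner(limit)
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample input (not from the page): one ordinary link and one
# tag with five handlers. The limit is lowered to 4 for the demonstration.
SAMPLE = (
    '<html><body>\n'
    '<a href="/x" onclick="go()">ok</a>\n'
    '<img src="a.png" onload="f()" onerror="f()" onclick="f()" '
    'onmouseover="f()" onmouseout="f()">\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for tag, line, count in scan_html(SAMPLE, limit=4):
        print(f"line {line}: <{tag}> carries {count} event handlers")
```

A count-based check like this is independent of any particular exploit file, which is the difference from the vendor signatures mentioned in the excerpt; the threshold trades false positives against evasion by staying just under it.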

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #1 on: March 18, 2006, 03:22:53 PM »
Quote
While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.
Won't a firewall or NetShield avast provider catch this one?  ::)
The best things in life are free.

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #2 on: March 18, 2006, 03:23:16 PM »
I have to answer myself.

I assume the answer to my question is no.

Why dead silence around my question?

Isn't it polite to give an answer regardless what the answer is?  :'(

Hannibal

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #3 on: March 18, 2006, 03:30:46 PM »
Quote
Why dead silence around my question?
Maybe they do not follow the Forum in the last hours, maybe they're working for this and other changes... Who knows...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40632
  • Dragons by Sasha
    • Malware fixes
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #4 on: March 18, 2006, 03:31:31 PM »
One slight problem I tried the link and IE7 froze curious

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #5 on: March 18, 2006, 03:35:28 PM »
Quote
Won't a firewall or NetShield avast provider catch this one? ::)

Tech, Sorry I was typing while you were answering me:

No, a firewall will NOT stop this. It's a vulnerability in Internet Explorer.
Mshtml.dll in IE. A fully patched IE6 SP2 is vulnerable.

I assume you mean Webshield and not Netshield.
But Webshield also requires signatures to stop this, but I am a great fan of webshield.
It can't do miracles.

If you wish, I can point you to a POC-site with a picture that really hangs your Explorer.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #6 on: March 18, 2006, 03:41:06 PM »
Quote
I assume you mean Webshield and not Netshield.
No, I mean NetShield. It does not require signatures to work.

Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious contents. It can be also taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System)). Network Shield protects you from internet worms that spread themselves via various security holes in your system. Typically these kinds of viruses don't infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kinds of attacks are not easily caught by ordinary antivirus during file or mail scanning. It is not a duplicate work with Standard Shield.
« Last Edit: March 18, 2006, 03:44:38 PM by Tech »

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #7 on: March 18, 2006, 03:52:27 PM »
Tech, do you really mean that the Netshield can take care of this?

I am on a stand-alone computer connected directly to the net. Using Standardshield, Webshield and ZA.

I do not even use the Netshield because from what I have read, in my configuration, it would not give any additional protection.

By the way, this is not a worm or something like that, but a flooding of Explorer so it crashes.

HL

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67273
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #8 on: March 18, 2006, 03:58:50 PM »
Quote
Tech, do you really mean that the Netshield can take care of this?
No, just guessing for what you've posted before...

Quote
By the way, this is not a worm or something like that, but a flooding of Explorer so it crashes.
In fact... NetShield is not designed for that.

Maybe Igor or Vlk could post something about with more technical knowledge  8)

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #9 on: March 18, 2006, 04:04:51 PM »
Talking to myself once again:

If it is like Tech says that Netshield takes care of this, why not say so officially?

If this is not the case, why not inform the users that "we are working" on it, or something like that?

This reminds me of early in the WMF-exploit when I asked a similar question without any response.

I am aware that by now we are talking DOS-attempts, but as Sans says, it is just a matter of time before it gets worse.

We (the users) deserve an answer.

EDIT: Tech, Sorry again, I have to type faster. :)
« Last Edit: March 18, 2006, 04:08:49 PM by hlecter »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82544
  • No support PMs thanks
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #10 on: March 18, 2006, 04:51:42 PM »
Quote
This reminds me of early in the WMF-exploit when I asked a similar question without any response.
And behind the scenes avast was working and one of the first to pass all the known WMF exploits.

If you are so concerned about this vulnerability in IE, switch browsers, Opera, Firefox or any non-ie based browser. I would like to hope that MS are also working on a solution to this but I don't hear the screams about what they are doing about it.

Until MS totally remove IE from the OS integration I for one won't be using it as any vulnerability in the browser can lead to a vulnerability in the OS.

As for "Sans says, it is just a matter of time before it gets worse." when these scripts are developed we will have to see if the web shield will detect and intercept them, until then it is speculative and you can't easily defend against speculation.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4257.552) UI-1.0.440/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #11 on: March 18, 2006, 05:45:57 PM »
I'll second that!

Even the bloke who discovered the exploit is pretty sarky about IE:

Quote
This might not come as a surprise, but there appears to be a *very* interesting and apparently very much exploitable overflow in Microsoft Internet Explorer (mshtml.dll).

http://www.securityfocus.com/archive/1/427904/30/0/threaded

Historically, IE has had more vulnerabilities, more serious vulnerabilities, and taken longer to fix them.

http://www.webdevout.net/security_summary.php

Why wait for your AV to protect you? Like David said, switch to Firefox or Opera and be less at risk.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #12 on: March 18, 2006, 05:52:14 PM »
Quote
This reminds me of early in the WMF-exploit when I asked a similar question without any response.
And behind the scenes avast was working and one of the first to pass all the known WMF exploits.


Yes, fine.
And I just asked a question: Is this happening now, too? Dead silence about that.
Avast have declared to speed up their detection, and I want to be safe.
Nothing more, nothing less. I trust in Avast and I want to continue with that....

Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say:'Not for use with IE, use another browser'.

Avast declared that they would speed up the detection and I am just following up.
One of the guys who tried the POC declared that Norton Internet Security saved him.

Yes, we can blame MS, but I don't think MS is the topic in this forum.
Personally I am not concerned about this at this point.
I just want to be sure that my antivirus provider is catching up (with all the new virus analysts installed)

"we will have to see if the web shield will detect and intercept them" you said.
But I have always believed that Webshield uses the same sigs as the rest of Avast.

I am not an enemy, just asking what I think is a legitimate question.
Silence is golden is not always the best.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82544
  • No support PMs thanks
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #13 on: March 18, 2006, 06:15:38 PM »
I think we live in a rare atmosphere where we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast.

Why suggesting another browser is off topic is because 80-90% use IE is neither here nor there, the issue is about a 0-day exploit that directly affects IE users. So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem.

I know which I would choose, but you must decide for yourself.

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #14 on: March 18, 2006, 06:54:11 PM »
hlecter:
Quote
"...Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say:'Not for use with IE, use another browser'."
I feel really the topic is that; "80-90 %" of Internet users browse with IE. This makes it a huge target for malcreants. I'm sure Alwil is working at patching the exploit, maybe more so than MS.  ???
As DavidR says:
Quote
"I think we live in a rare atmosphere where we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast."

Quote
"So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem."
Patience is a virtue, so is common sense when an option to not use IE till "patched" is available.   :)
Safe Surfing.