Author Topic: New zero-day exploit in-the-wild, Catched by Avast?  (Read 20132 times)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84118
  • No support PMs thanks
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #15 on: March 18, 2006, 07:03:42 PM »
Quote
Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say: 'Not for use with IE, use another browser'.

Remember, I don't speak for avast, I'm just an avast user like yourself, so let's not put words in either my mouth or avast's mouth, after all you have said of their silence, "We (the users) deserve an answer."

So avast clearly haven't said for avast users to use a different browser, I suggested that.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.9.2437 (build 20.9.5758.0) UI-1.0.579/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #16 on: March 18, 2006, 07:10:55 PM »
My conclusions are:

1. I asked a simple question  :)

2. I got a lot of answers  ???

3. None of the answers matches my question.  :'(

I am positive considering Avast, but to say we are spoiled because of a good forum
is taking it too far. The problem is lack of information. I tried to get some information on behalf of myself and others and I didn't get it. (this time).

I can live with that. Me too, in fact, have tried to answer questions here. But I try to answer the question posted and not another. And I like to know what I am talking about so that's the reason for why that happens very seldom as you can see from my postcount.  :)

I see it this way:
To get well treated in this forum you have to ask the "right" questions and e.g. avoid mentioning tests where Avast is under pari or other negative aspects of Avast.
Or saying anything about low detection rates and the like.

This time I asked the "wrong" question.

But I will be back later to hopefully be able to help others or asking "correct" questions.

No hard feelings, but a little bit disappointment that I didn't get an official answer that e.g. we are working on it and hopefully it will be fixed by......
Bye for now. (Thread closed from my point of view, I mean I should never have started it   :).)

Postscriptum: Yes, I have Opera too, but that's still offtopic in my opinion

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #17 on: March 18, 2006, 07:12:30 PM »
***

Hannibal,

In an above post you stated you do not use Network Shield. Why not?    ???

Tech states it might be possible that Network Shield might help with this exploit. Whether it does or not, turning that shield on would do no harm and might help in some way. I do not think it would use many (little or none) resources if it is active but not doing anything.

I have always had Network Shield active yet it always has a zero count. As far as resources go, I can not even tell it is on. Still, it is on for me and if something comes along that Network Shield might protect against, then it is activated to do whatever it might do.

The old saying goes, "An ounce of prevention is worth a pound of cure."


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #18 on: March 18, 2006, 07:19:59 PM »
Quote
To get well treated in this forum you have to ask the "right" questions and e.g. avoid mentioning tests where Avast is under pari or other negative aspects of Avast

This is not true. You know that.
You don't have to ask the 'right' question. You just need to WAIT for the official answers.
You got a free antivirus software, free support, but you want it now, now, now... so, you get the dead silent...

Quote
Or saying anything about low detection rates and the like.

You're not being fair. I complain about this whatever I think I need/deserve.
You're not being fair...

Quote
This time I asked the "wrong" question.

No.

Quote
I didn't get an official answer that e.g. we are working on it and hopefully it will be fixed by......
Bye for now. (Thread closed from my point of view, I mean I should never have started it   :).)

I've asked them... but we're on the weekend and maybe this is not a priority issue.
The best things in life are free.

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #19 on: March 18, 2006, 07:22:29 PM »
CharleyO,

I had finished the thread when I saw your question.
After what I have heard and read it's pointless in my configuration.

But I might be wrong. Generally speaking( not this exploit): For what reason should I use Network Shield.

I am not on a local network.

I am directly connected to the net.

I use ZA

Could you enlighten me; I would be very happy if you could.
The fact that it's light on resources is not enough by itself.

Thanks

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #20 on: March 18, 2006, 07:30:37 PM »
Tech,

I had finished this thread and I will stop commenting on the "answers" with one exception:

Conclusion:

Points 1,2 and 3 stand as before

4. I hope the next virus outbreak is not in a weekend. (vacation, you know.)

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #21 on: March 18, 2006, 07:35:44 PM »
***

Hi Hannibal,

For me, it does not matter what reason but that Network Shield is active just in case something comes along that it can protect my computer from getting. I have had my share of problems in the past, learnt from those problems, and since then have done all I know possible to protect my computer. In the case of Network Shield, it may never do anything for me but it is an "ounce of prevention" that I mentioned above.    :)

Like you, I am not on a local network, connect directly to the internet wirelessly, and also use ZA. I see Network Shield as something that might help and does no harm to have active. What can it hurt to activate Network Shield? It slows down nothing. And perhaps it someday prevents me from having to use a "pound of cure" to correct something that would not have happened otherwise.    :)

I would rather have protection not ever needed than to someday need protection not ever used.    ;)


***
« Last Edit: March 18, 2006, 07:39:41 PM by CharleyO »
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #22 on: March 18, 2006, 09:54:23 PM »
At the moment this 'exploit code' consists only of an 'apparently very much exploitable overflow' in IE. The code *only* crashes IE.

Quote
This vulnerability can be triggered by specifying more than a couple thousand script action handlers.

The example page does indeed consist of thousands of instances of 'onclick=bork' following a single HTML tag. ('bork' being the 'language' of the Swedish chef from the Muppets.)

Currently this exploit doesn't seem to be 'in the wild' in the sense that nothing is yet using it as 'a vector for remote code execution.' Indeed, it is only a DoS vulnerability, found only (as far as I know) on the demonstration page written by the discoverer.

So the best advice for IE users would seem to be the words below.....
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
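
A detection-side view of the page structure described in the post above, as an added example that is not part of the original thread or any vendor's signature: a content scanner that flags any single tag carrying an abnormal number of `on*` event-handler attributes. The names `scan_html` and `HandlerCounter`, the default threshold of 100 and both sample documents are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed cut-off, not a value from the thread: legitimate markup rarely
# puts more than a handful of on* attributes on one tag.
DEFAULT_THRESHOLD = 100


class HandlerCounter(HTMLParser):
    """Records tags whose number of on* event-handler attributes is excessive."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        super().__init__(convert_charrefs=True)
        self.threshold = threshold
        self.findings = []  # list of (tag, line, handler_count)

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs that keeps duplicates,
        # so a handler repeated on the same tag is counted every time.
        count = sum(1 for name, _ in attrs
                    if name.startswith("on") and len(name) > 2)
        if count > self.threshold:
            line, _ = self.getpos()
            self.findings.append((tag, line, count))


def scan_html(markup, threshold=DEFAULT_THRESHOLD):
    """Return (tag, line, handler_count) for every tag over the threshold."""
    parser = HandlerCounter(threshold)
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed samples. The suspect one repeats a handler only 8 times and is
# scanned with a lowered threshold, so it shows the shape, not the real size.
SAMPLE_BENIGN = ('<html><body>\n'
                 '<a href="/x" onclick="go()" onmouseover="hint()">link</a>\n'
                 '</body></html>')
SAMPLE_SUSPECT = ('<html><body>\n<img src=x ' + 'onclick=handler ' * 8 +
                  '>\n</body></html>')

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, scan_html(doc, threshold=5))
```

A count-per-tag rule like this keys on the malformed structure itself rather than on any payload, which is why it can exist while the issue is still only a crash.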

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #23 on: March 19, 2006, 02:48:13 PM »
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely no reason for an AV program to detect/prevent this.

An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijacks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??
If at first you don't succeed, then skydiving's not for you.

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #24 on: March 19, 2006, 05:53:30 PM »
Quote
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely no reason for an AV program to detect/prevent this.

Vlk, first of all: Thank you for a very clear answer to my question. (at last)

Secondly, I have to quote Sans.org again:

Quote
Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution.

I thought Avast wanted to be proactive, I might be wrong?

Quote
An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijacks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??

Why on earth shouldn't avast protect its users in all possible ways??

For how long will this be limited to a bogus site?? A living POC is a good start for others.
I really don't understand your attitude.

Offline lbubb

  • Jr. Member
  • **
  • Posts: 43
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #25 on: March 21, 2006, 08:46:42 PM »
Was there ever an answer to this? I don't see a reply so am I to assume that if some hacker figures a way through the IE code through this error I'm open to attack?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #26 on: March 21, 2006, 10:05:36 PM »
Quote
was there ever an answer to this?

Vlk already answered:

Quote
As a rule of thumb, we don't add signatures unless the exploit allows remote code execution. That is, if IE (or any other app) just crashes if it encounters some strange input data, it is unfortunate but there's IMHO absolutely no reason for an AV program to detect/prevent this.

An AV program should protect your machine against THREATS (attacks, infections, maybe even browser hijacks or adware popups) but why on earth should it prevent IE from crashing when rendering a bogus site??

When this becomes a threat, then...
The best things in life are free.

Offline lbubb

  • Jr. Member
  • **
  • Posts: 43
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #27 on: March 21, 2006, 10:52:11 PM »
I'm really truly sorry to hear that, in this day of needed zero day prevention, I fear I made a poor choice in avast...

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #28 on: March 21, 2006, 11:10:18 PM »
***

I do not think you will find a faster response team than the one Avast has. The truth is, no anti-virus program has zero day prevention ... even if they say they do. If that were true, then there would be only one anti-virus program ... and no virii. What would be the point in writing a virus if there were zero day prevention?


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84118
  • No support PMs thanks
Re: New zero-day exploit in-the-wild, Catched by Avast?
« Reply #29 on: March 21, 2006, 11:15:20 PM »
I doubt that you made a bad choice in avast, but currently there is no threat to your system as Vlk said other than it crashing IE, which you can easily restart. Now if the situation changes where it is possible to execute remote code, then it becomes a threat then you can be reasonably certain avast (Alwil Software) will respond to that threat.

One thing for sure (IMHO) you are unlikely to get such an open answer from many of the other AVs out there.

However, it is your system and it is your choice to use avast or another AV as it is your choice if you use IE that the exploit affects directly or use another browser that isn't affected, I know what my choice would be.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.9.2437 (build 20.9.5758.0) UI-1.0.579/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security