Author Topic: Windows Zero-day Vulnerability (Read 5564 times)

Ricard · « **on:** July 19, 2010, 05:14:57 PM »

Hi!

Just a short question: Is Avast 5 able to prevent from the new zero-day exploit? Are there any definitions out yet? Or is it impossible to block such attacks generally because no special file has to be executed?

More information:
http://www.f-secure.com/weblog/archives/00001989.html
http://www.h-online.com/security/news/item/Exploit-demonstrates-critical-Windows-lnk-vulnerability-1040285.html

Best regards

igor · « **Reply #1 on:** July 19, 2010, 05:18:40 PM »

Yes, the exploit is detected and blocked.

Ricard · « **Reply #2 on:** July 19, 2010, 05:25:41 PM »

Lots of thanks for your fast reply, igor!

Well done, keep up the good work.

Best regards

Fract504 · « **Reply #3 on:** July 23, 2010, 02:34:52 PM »

How is it blocked? Filescanner or behavior shield?
Are morphed variants also detected or do the patterns have to match exactly?

So, are we safe against unknown yet to be released variants?
Does Avast Community IQ come into play here?

RejZoR · « **Reply #4 on:** July 23, 2010, 02:35:58 PM »

avast! was so far known to always cover all possible variants from day 1. So it's safe to assume they do here as well.

Fract504 · « **Reply #5 on:** July 23, 2010, 02:42:27 PM »

I don't rely on assumptions, but on facts so I always like to hear it from the horses mouth in technical detail

igor · « **Reply #6 on:** July 23, 2010, 03:00:36 PM »

Quote from: Fract504 on July 23, 2010, 02:34:52 PM

How is it blocked? Filescanner or behavior shield?

An ordinary detection, i.e. file scanner / mail scanner / web shield / ...

Quote from: Fract504 on July 23, 2010, 02:34:52 PM

Are morphed variants also detected or do the patterns have to match exactly?

Well, some patterns always have to be matched - otherwise the exploit wouldn't work at all

But yes, even currently unseen variants are detected.

Quote from: Fract504 on July 23, 2010, 02:34:52 PM

So, are we safe against unknown yet to be released variants?

Nobody can say that, of course - it's impossible to say what modifications appear in the future.

Quote from: Fract504 on July 23, 2010, 02:34:52 PM

Does Avast Community IQ come into play here?

Partially yes. The thing is that this whole "vulnerability" is not really a bug - but rather a feature. Some users have basically the same non-malicious link files on their disks; some printer/modem installers create them. So, we use the community submissions to (silently) check for false alarms before making the detection too general (i.e. covering more than we really want).

Fract504 · « **Reply #7 on:** July 23, 2010, 03:02:03 PM »

Thanks igor for the reply! Fully satisfied!

Fract504 · « **Reply #8 on:** July 27, 2010, 12:54:28 PM »

If anyone wants to protect their PCs against unknown new variants of the exploit until Microsoft releases a fix,
some AV vendors have released a tool that checks lnk-files for the exploit.

http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html
(This Tool ignores files on the local harddisk. So not really useful...)

or

http://www.gdatasoftware.co.uk/support/downloads/tools.html

Author Topic: Windows Zero-day Vulnerability (Read 5564 times)

Ricard

Windows Zero-day Vulnerability

igor

Re: Windows Zero-day Vulnerability

Ricard

Re: Windows Zero-day Vulnerability

Fract504

Re: Windows Zero-day Vulnerability

RejZoR

Re: Windows Zero-day Vulnerability

Fract504

Re: Windows Zero-day Vulnerability

igor

Re: Windows Zero-day Vulnerability

Fract504

Re: Windows Zero-day Vulnerability

Fract504

Re: Windows Zero-day Vulnerability