Author Topic: Windows Zero-day Vulnerability  (Read 4897 times)

Offline Ricard

  • Newbie
  • *
  • Posts: 19
Windows Zero-day Vulnerability
« on: July 19, 2010, 05:14:57 PM »
Hi!

Just a short question: Is Avast 5 able to prevent the new zero-day exploit? Are there any definitions out yet? Or is it impossible to block such attacks generally because no special file has to be executed?

More information:
http://www.f-secure.com/weblog/archives/00001989.html
http://www.h-online.com/security/news/item/Exploit-demonstrates-critical-Windows-lnk-vulnerability-1040285.html

Best regards

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Windows Zero-day Vulnerability
« Reply #1 on: July 19, 2010, 05:18:40 PM »
Yes, the exploit is detected and blocked.

Offline Ricard

  • Newbie
  • *
  • Posts: 19
Re: Windows Zero-day Vulnerability
« Reply #2 on: July 19, 2010, 05:25:41 PM »
Lots of thanks for your fast reply, igor!

Well done, keep up the good work.

Best regards

Offline Fract504

  • Full Member
  • ***
  • Posts: 108
  • The Man-Machine
Re: Windows Zero-day Vulnerability
« Reply #3 on: July 23, 2010, 02:34:52 PM »
How is it blocked? Filescanner or behavior shield?
Are morphed variants also detected or do the patterns have to match exactly?

So, are we safe against unknown, yet-to-be-released variants?
Does Avast Community IQ come into play here?
« Last Edit: July 23, 2010, 02:36:54 PM by Fract504 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9361
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Windows Zero-day Vulnerability
« Reply #4 on: July 23, 2010, 02:35:58 PM »
avast! was so far known to always cover all possible variants from day 1. So it's safe to assume they do here as well.

Offline Fract504

  • Full Member
  • ***
  • Posts: 108
  • The Man-Machine
Re: Windows Zero-day Vulnerability
« Reply #5 on: July 23, 2010, 02:42:27 PM »
I don't rely on assumptions, but on facts, so I always like to hear it from the horse's mouth in technical detail  ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Windows Zero-day Vulnerability
« Reply #6 on: July 23, 2010, 03:00:36 PM »
> How is it blocked? Filescanner or behavior shield?

An ordinary detection, i.e. file scanner / mail scanner / web shield / ...

> Are morphed variants also detected or do the patterns have to match exactly?

Well, some patterns always have to be matched - otherwise the exploit wouldn't work at all ;)
But yes, even currently unseen variants are detected.

> So, are we safe against unknown yet to be released variants?

Nobody can say that, of course - it's impossible to say what modifications appear in the future.

> Does Avast Community IQ come into play here?

Partially yes. The thing is that this whole "vulnerability" is not really a bug - but rather a feature. Some users have basically the same non-malicious link files on their disks; some printer/modem installers create them. So, we use the community submissions to (silently) check for false alarms before making the detection too general (i.e. covering more than we really want).

Offline Fract504

  • Full Member
  • ***
  • Posts: 108
  • The Man-Machine
Re: Windows Zero-day Vulnerability
« Reply #7 on: July 23, 2010, 03:02:03 PM »
Thanks igor for the reply! Fully satisfied!

Offline Fract504

  • Full Member
  • ***
  • Posts: 108
  • The Man-Machine
Re: Windows Zero-day Vulnerability
« Reply #8 on: July 27, 2010, 12:54:28 PM »
If anyone wants to protect their PCs against unknown new variants of the exploit until Microsoft releases a fix,
some AV vendors have released a tool that checks lnk-files for the exploit.

http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html
(This tool ignores files on the local hard disk. So not really useful...)

or

http://www.gdatasoftware.co.uk/support/downloads/tools.html
« Last Edit: July 27, 2010, 03:10:26 PM by Fract504 »