Linked by David Adams on Fri 23rd Apr 2010 15:58 UTC
Bugs & Viruses A version of the McAfee antivirus software used in the corporate and public sectors misidentified the svchost.exe file in Windows XP systems as malware, sending the affected machines into a loop of restarts. Only users of McAfee VirusScan Enterprise on Windows XP service pack 3 were affected, but the fallout was pretty severe, with hospital and police systems among those taken down.
RE[2]: State of AV today
by moondino on Sat 24th Apr 2010 17:38 UTC in reply to "RE: State of AV today"

Well then, kudos to you guys! It's a refreshing and rare thing to see people care about sanitizing input.

I don't see Chrome's sandboxing preventing a PDF or SWF overflow from executing / accessing files, especially if the filesystem is FAT / FAT32. It all depends on how the PDF / SWF is written, and if UAC is enabled and the user is vigilant, etc.

A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board. No prompts, just loaded a page with an advert and *BLAM* fake anti-virus pop-ups everywhere. Nothing that a roll-back can't cure, but it is possible and I'm not too surprised.

Open Adobe Reader RIGHT NOW and hit Edit -> Preferences. Under Internet, uncheck Display PDF in browser. Under Javascript, uncheck Enable Adobe Javascript. Congratulations, you are now much, much more secure than you were a minute ago. To go another step further, install Secunia PSI and scan your system occasionally; install any patches as needed.

I've seen every trick in the book: javascript functions that take in obfuscated text BACKWARDS to parse it into a URL, to hide the URL from AV / HIPS scanners. As soon as AV companies start to detect this kind of thing, the malware groups just add another layer. The rabbit hole goes deeper and deeper. There was one page that had functions written in ten different languages. ;)

malwaredomainlist is a great place for people to get their hands on this kind of code in the wild and experiment with it. Remember to lock your VM down if you do! I would even recommend running the Windows VM in a Linux host, just for absolute safety.

Edited 2010-04-24 17:46 UTC

Reply Parent Score: 1
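The Adobe Reader change the post above walks through by hand (Display PDF in browser off, JavaScript off) is something an admin would rather script than click through on every desktop. The block below is an added example, not code from the thread or from Adobe: it sets the same two preferences for the current user through the registry. The version subkey ("9.0") and the value names bBrowserIntegration (under Originals) and bEnableJS (under JSPrefs) are assumptions taken from Adobe's preference documentation; check them against your installed version before deploying.

```powershell
# Added example, not code from the thread: applies the two Adobe Reader
# changes the post describes (Display PDF in browser: off, Enable Acrobat
# JavaScript: off) for the current user via the registry rather than the
# Edit -> Preferences dialog, so it can be pushed by logon script or GPO.
# Assumptions (labelled): the version subkey below ("9.0") matches the
# installed Reader, and the value names bBrowserIntegration (under Originals)
# and bEnableJS (under JSPrefs) are the ones Adobe documents for these
# preferences.

param([string]$ReaderVersion = '9.0')

$base = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion"

# Each entry: subkey under $base, DWORD value name, hardened value (0 = off).
$settings = @(
    @{ Key = 'Originals'; Name = 'bBrowserIntegration'; Value = 0 },
    @{ Key = 'JSPrefs';   Name = 'bEnableJS';           Value = 0 }
)

function Get-ReaderSetting {
    param([hashtable]$Setting)
    $path = Join-Path $base $Setting.Key
    $item = Get-ItemProperty -Path $path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent means Reader's default: enabled
    return [int]$item.($Setting.Name)
}

function Set-ReaderHardening {
    foreach ($s in $settings) {
        $path = Join-Path $base $s.Key
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $before = Get-ReaderSetting $s
        if ($null -eq $before) { $before = 'default' }
        Set-ItemProperty -Path $path -Name $s.Name -Value $s.Value -Type DWord
        "{0}\{1}: {2} -> {3}" -f $s.Key, $s.Name, $before, $s.Value
    }
}

function Test-ReaderHardened {
    # $true only if both values are present and set to 0
    foreach ($s in $settings) {
        if ((Get-ReaderSetting $s) -ne $s.Value) { return $false }
    }
    return $true
}

Set-ReaderHardening
if (Test-ReaderHardened) { 'Reader hardened for this user.' } else { 'Verification failed.' }
```

Restart Reader after running it; the preferences are read at startup. Because these live under HKCU, a user can switch them back from the dialog, so for a managed fleet the same values belong in the machine-level policy keys Adobe provides for lockdown rather than only here.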
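The trick the post mentions, a URL stored backwards in a string literal and reversed at runtime so a plain text scan of the page never sees "http://", is cheap to triage offline once you have the page saved from a VM. The block below is an added example, not code from the thread: it pulls every quoted literal out of a captured script, reverses each one, and flags any that reads as a URL in either direction. The sample script it scans is constructed for the example.

```powershell
# Added example, not code from the thread: static triage of a saved page's
# script for the "URL written backwards" obfuscation the post describes.
# $sample is constructed for this example; feed Find-ReversedUrl the contents
# of a real captured page (Get-Content -Raw) inside a locked-down VM instead.

$sample = @'
var s = "exe.daolnwod/moc.elpmaxe.dab//:ptth";
var u = s.split("").reverse().join("");
var clean = "http://www.example.org/legit.css";
'@

function Find-ReversedUrl {
    param([string]$Script)
    # A literal counts as a URL only if the whole string is one.
    $urlPattern = '^(https?|ftp)://[A-Za-z0-9.\-]+(/[^\s"'']*)?$'
    $hits = @()
    # Every double- or single-quoted literal without escapes (enough for this trick).
    foreach ($m in [regex]::Matches($Script, '"([^"\\]*)"|''([^''\\]*)''')) {
        $lit = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        $chars = $lit.ToCharArray()
        [array]::Reverse($chars)
        $rev = -join $chars
        if ($lit -match $urlPattern) {
            $hits += New-Object PSObject -Property @{ Kind = 'plain'; Literal = $lit; Decoded = $lit }
        } elseif ($rev -match $urlPattern) {
            $hits += New-Object PSObject -Property @{ Kind = 'reversed'; Literal = $lit; Decoded = $rev }
        }
    }
    return $hits
}

Find-ReversedUrl -Script $sample | Format-Table Kind, Decoded, Literal -AutoSize
# Expect two rows: a 'reversed' hit decoding to http://bad.example.com/download.exe
# and a 'plain' hit for http://www.example.org/legit.css.
```

This only undoes one layer, which is exactly the post's point: the next sample will reverse, then split into chunks, then XOR. The useful signal over time is less the decoded URL than the presence of `.reverse()`, `unescape` and `String.fromCharCode` chains feeding an `eval` or `document.write`, which is what the AV heuristics the post complains about end up keying on.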

RE[3]: State of AV today
by nt_jerkface on Sat 24th Apr 2010 19:30 in reply to "RE[2]: State of AV today"

"A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board."

I can also provide a browser security anecdote:
http://arstechnica.com/security/news/2009/03/chrome-is-the-only-bro...

Disabling Javascript in Adobe Reader is good advice but I would go a step further and suggest an alternative like Foxit. Java should only be installed if absolutely needed. It's such a shame that so many websites still use Java when there are better alternatives.
http://krebsonsecurity.com/2010/04/unpatched-java-exploit-spotted-i...

Reply Parent Score: 2

RE[4]: State of AV today
by moondino on Sat 24th Apr 2010 21:52 in reply to "RE[3]: State of AV today"

A quote from that link:

"the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks."

So basically, not a real world situation.

Every product has security flaws... the security software / anti-virus needs to look at the choke points and protect those, instead of stupid hash detection or proactive detection that hits almost as many false positives as it does legit malware. Choke points being, the registry keys that have to be changed for a program to survive a reboot, the installation of a device driver or service, etc.

In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc.

To boot, FoxIt has its own slew of security issues. There are PDFs out there that buffer overflow FoxIt as well, just scan Secunia or disclosure sites for a few examples. Security via obscurity doesn't work in an age of targeted attacks.

I'm not trying to toot my own horn, but I used to work for a major AV security company and I'm only putting this kind of thing out there to help people be better protected. Google Chrome does have the ability to control javascript execution per site now, but you have to whitelist them manually, which is a huge pain. If you could simply right click the address bar and then choose allow top-level site, it would be manageable and I would switch from Firefox / NoScript almost immediately. With the current model, however, Firefox is easier to manage, although quite a bit slower. ;)

Edited 2010-04-24 21:59 UTC

Reply Parent Score: 1
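The post above argues that protection belongs at the choke points a program must pass through to survive a reboot (the autorun registry keys, a new service or driver) rather than in hash matching. The block below is an added example, not code from the thread or from any product: a baseline-and-diff check over exactly those choke points, which is the simplest form of that idea and is how a fake-AV infection like the one described earlier in the thread shows itself after the fact. It assumes it is run as an administrator; the baseline file location is a choice made here.

```powershell
# Added example, not code from the thread: snapshot the persistence choke
# points the post names (Run/RunOnce keys, services and drivers) and diff
# against a saved baseline. Assumes an elevated prompt; the baseline path
# under ProgramData is an arbitrary choice for this example.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ChokePointSnapshot {
    $snap = @{}
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $snap["$k\$($p.Name)"] = [string]$p.Value
        }
    }
    # Services and kernel drivers both live here; anything with an ImagePath counts.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($s in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $s.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $snap["service:$($s.PSChildName)"] = [string]$img }
    }
    return $snap
}

function Compare-ChokePoints {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($key in $Current.Keys) {
        if (-not $Baseline.ContainsKey($key)) {
            $changes += "ADDED   $key = $($Current[$key])"
        } elseif ($Baseline[$key] -ne $Current[$key]) {
            $changes += "CHANGED $key : $($Baseline[$key]) -> $($Current[$key])"
        }
    }
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) { $changes += "REMOVED $key" }
    }
    return $changes
}

$baselineFile = Join-Path $env:ProgramData 'chokepoint-baseline.xml'
$current = Get-ChokePointSnapshot
if (Test-Path $baselineFile) {
    $baseline = Import-Clixml $baselineFile
    $diff = Compare-ChokePoints -Baseline $baseline -Current $current
    if ($diff) { $diff } else { 'No change at persistence choke points.' }
} else {
    $current | Export-Clixml $baselineFile
    "Baseline written to $baselineFile ($($current.Count) entries)."
}
```

Run it once on a clean image to write the baseline, then on a schedule or after any incident. It deliberately covers only the choke points the post lists; a fuller check would also watch Winlogon Shell/Userinit, scheduled tasks and the Startup folders, and a real product would block the write rather than report it afterwards.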